Simon Goldsmith, CISO of one of the UK’s largest independent energy retailers, explains why the role of the Chief Information Security Officer is evolving from a technical advisor to a business partner in managing risk.
*The views and opinions expressed by Simon Goldsmith are their own and do not necessarily represent those of any former or current employers.
The role of the Chief Information Security Officer is changing. Now, instead of a technical advisor, the CISO must become a guardian of trust and resilience who partners with the business to manage their risks. Still, many organizations cling to an outdated script, asking security leaders to own enterprise-wide risks without granting them authority over the budgets or strategies that create them.
For an expert's take, we spoke with Simon Goldsmith, Chief Information Security Officer at one of the UK’s largest independent energy retailers. As co-author of the ISO/IEC/IEEE 32675-2021 International Standard for DevOps, Goldsmith helps define the global framework for building reliable and secure sociotechnical systems. Both architect and defender, his dual perspective gives him a sharp view of why old risk models are failing.
Some regulated sectors force clarity on risk ownership, Goldsmith explains. But most security leaders find themselves challenging the status quo proactively.
The adviser fantasy: For Goldsmith, the first step is to stop a dangerous oversimplification that ignores the CISO’s direct line of command. "The 'adviser' label is a fantasy. It completely ignores the immense operational responsibility we carry for frontline detection and response, reducing the role to that of a consultant who just walks away. That tag is wholly inadequate for what a CISO actually does."
But the gap between perception and reality isn't just a debate over governance, Goldsmith says. It comes at a human cost.
The human cost: The mismatch between responsibility and authority is a direct driver of CISO burnout, he continues. "From a human perspective, this is incredibly important. In CISOs, we have a group of earnest, well-meaning, ethical people who are suffering because they are being blamed for things they ultimately couldn't change. They're being assigned ownership of a risk, but their hands aren't even on the steering wheel."
The accountability advantage: Get accountability right, however, and the business gets a competitive edge, Goldsmith says. When the CISO’s role becomes that of an expert resource, other leaders can make more informed decisions, too. "When you put risk ownership in the right place, the organization can move faster and be higher performing. The people with the best view of the risks they’re creating, and the ability to mitigate them, are the ones making the decisions. With the right insights and tools from the CISO’s team they will inevitably do a better job and build more resilient systems."
Goldsmith’s solution is a two-part mission for the modern CISO. First, the CISO must own the risks of the security function itself. Second, they must become a partner who helps business units own the risks they create.
Communication for change: The key is to reframe the conversation, Goldsmith says. Instead of acting as a gatekeeper, the CISO should affirm business leaders as "risk-takers" who are pursuing a strategic upside. "Here are some contributions from me, who understands the downside elements of that risk, to help you limit the downside," he explains. By meeting leaders in their own language, security becomes a partner in helping the business realize its full potential.
Ultimately, Goldsmith’s vision is built on correcting a fundamental "moral hazard" throughout the industry: decision-makers can be insulated from the consequences.
Lost in translation: The dynamic stems from a failure of language, he explains. "As a profession, we still haven't refined our language enough to be clear about what we're discussing. Are we talking about the risk to a specific 'sociotechnical system,' the mix of people and technology for one project? Or are we talking about the company's overall 'organizational risk position'? Those are two completely different conversations, and confusing them is where accountability gets lost."
In closing, Goldsmith offers a powerful parallel from banking history. For years, the anti-money laundering (AML) officer was an adviser whose warnings were ignored because the pain of money laundering was felt by society, not by the banks. Eventually the role gained significant power, but only after regulators introduced massive fines that internalized the pain of non-compliance, he concludes. "Now, the goal for CISOs is similar: drive clarity on risk management responsibilities and evolve business trust and resilience into more of a competitive advantage."