Shared Risk Puts CISOs at the Center of AI-Driven Business Decisions

Island News Desk
October 7, 2025
Enterprise Security

Ian Schneller, an experienced cybersecurity executive, explains why the role of the Chief Information Security Officer (CISO) is evolving to a strategic business partner in the AI era.

Credit: Outlever

For decades, the Chief Information Security Officer was the leader of the "Department of No," a technical gatekeeper tasked only with preventing risk. But as boards demand greater accountability, that job description is being rewritten. Now, the modern CISO is a strategic partner, and risk management has become a core business discipline.

Instilling this discipline requires a new mindset, says seasoned cybersecurity executive Ian Schneller. As a Strategic Advisor at Health Care Service Corporation and a former CISO for three separate organizations, Schneller's 30-year career has consistently positioned him at the center of this transformation. His expertise is backed by his service as a Cyber Warfare Officer in the US Air Force and by senior leadership roles at Fortune 500 companies, including JPMorgan Chase and Bank of America.

  • A shared burden: For Schneller, the change begins with one principle: "Risk is company risk. It's not the CISO's, it's not the CIO's, and it's not the business owner's. Ultimately, it is the company's risk." Instead of seeing risk as a problem for one department to solve, he reframes it as a collective, board-level concern.

The problem is that accountability often gets delegated without authority, Schneller explains. Eventually, he learned to resolve this gap by enforcing a simple rule.

  • The meeting's over: Forcing the business team to re-evaluate a request through the eyes of their leadership creates internal accountability, he says. "If a high-stakes risk came to me for approval and the business owner at the table was an analyst or a director, I'd tell them, 'You're the wrong person to accept this risk. Your senior vice president needs to be here.' Almost 99% of the time, the risk gets solved before that next meeting ever happens, because they know their leadership won't accept it."

Such a stance isn't about creating conflict, Schneller clarifies. Instead, it's about building the foundation for a true partnership. A formal risk framework makes the approach possible by connecting a technical issue to a direct business impact.

  • Triage and tolerance: To make risk tolerance tangible, he recommends a triage system that turns abstract concepts into practical, quantifiable decisions. "You have to match the authority to the risk. A low-level risk, like a minor compliance issue with a $10-per-day penalty, can be accepted at a lower level. But a high-level risk, like the significant likelihood of a ransomware breach, has to be a C-suite decision."

With the right people in the room, the CISO’s role evolves into a collaborative one. However, a credible partnership emerges only when accountability flows in all directions, Schneller says.

  • Partner, not blocker: The goal is to enable an informed decision by ensuring the business proceeds with greater awareness of the consequences, Schneller explains. "The CISO should come to the table as a partner. The conversation needs to be: 'We understand the business objective you're trying to achieve. If you approach it this way, here's the risk and why it's problematic. We want you to go in with your eyes wide open. Now, let's figure out what we can do together to mitigate that risk so you can proceed safely.'"

  • Skin in the game: But true accountability requires connecting the ownership of an initiative to the financial responsibility for its risks, he continues. "The business owner needs to have skin in the game. That means they help remediate the risk, and often, that means they help pay for it."

  • A two-way street: Acknowledging cybersecurity's own faults builds the credibility needed for a balanced and reasonable partnership, Schneller says. "This has to be a two-way street. Sometimes, the responsibility is on the CISO. You have to be able to say, 'We're missing a control, or our control isn't set right. I have to fix that. That's on me.'"

Now, the rapid adoption of AI is putting Schneller's disciplined framework to the test. When confronting the rise of shadow AI, for instance, principles like clear ownership and thorough education are becoming more important.

  • Beyond the CBT: Superficial training is insufficient for a novel challenge like AI, Schneller says. "AI is a brand new learning area, so the key is deep education. Not just a check-the-box annual training, but a real, foundational understanding of how events could lead to consequences we don't like."

  • Code 'hallucinations': Unpredictable risks like hallucination prove that even experts are still discovering the "unknown unknowns," he continues. "We're already seeing AI tools that generate code 'hallucinate' and insert code that should never be there. It just shows we still have a long way to go in understanding and controlling this technology."

Leaders now face a tricky balancing act between two distinct dangers: the "significant risk if we do it irresponsibly" and the "significant risk of not understanding how we use AI to make ourselves better." For Schneller, the answer is to reframe the goal from the unrealistic task of risk elimination to the strategic work of defining risk tolerance. "The elimination of risk will never happen. I can never say we've reduced the risk of anything to zero. You just can't. The real goal is to reduce risk to a level that is within your organization's tolerance."

Now, the central challenge for leaders is to weigh the potential for a "bad day" against the certainty of being left behind, Schneller concludes. "With something as new as AI, the natural tendency is to try to get risk to zero, but if you do that, you won't move forward at all. The real work is to improve your ability to define your tolerance. You have to ask: how bad of a bad day are we willing to live with, versus the opportunity cost of being left behind?"
