Three decades ago, when Steve Katz became the world’s first CISO at Citicorp/Citigroup, he quickly realized that his role was more than solving problems with tech. Katz had to communicate well, meet with C-level executives, and do anything in his power to reduce risk.

“The basic philosophy that I’ve had is data security, information security, information risk is a business risk issue, not a technology issue,” he said in an interview.

Katz realized that effective CISOs need a blend of technical and soft skills: they have to understand emerging technologies as well as business strategy. And in 2026, the story gets even more complicated, as CISOs operate in a difficult context, marked by tight budgets and geopolitical tensions.

As the role evolved, some skills that once served CISOs are no longer differentiators. In their place, new capabilities are taking the spotlight, especially those tied to emerging tech. Today’s CISOs are navigating a world built on cloud-native infrastructure, facing AI-generated attacks and shifting regulatory rules.

In this context, the CISO needs to be an enabler of growth, not a blocker.

“In 2026, the CISO who thrives will look much more like a business value and resilience executive than a technical gatekeeper,” says Darren Argyle, co-founder of Cyber Resilience and former group chief information security risk officer at Standard Chartered Bank.

CISOs today are expected to influence strategy, secure investment, and guide transformation, not just protect the perimeter. And without the right mix of skills, doing all of that simply isn’t possible.

Must-have skills for CISOs in 2026

Ask security professionals what makes a strong CISO in 2026, and three qualities come up time and again: a deep understanding of the business and the wider world, strong knowledge of AI, and the ability to shape and influence culture.

That first one — understanding the business and the world it operates in — is foundational. CISOs who grasp the broader context are better equipped to spot emerging threats, align security with business goals, and make smarter decisions that build resilience and support growth.

This knowledge also puts them in a position to shape key decisions before risks even surface, which is exactly where modern CISOs need to be. “CISOs must deliberately cultivate the ability to influence strategy, not just enforce controls,” says Richard Bird, CSO at Singulr AI.

If CISOs operate as a “business translator,” framing security as a driver of value rather than just a cost, they can earn a comfortable seat at the leadership table. “A CISO who is seen to understand the business is accepted into the fold, rather than positioned as just a guardian at the gate,” says Christine Bejerasco, CISO at WithSecure.

This collaboration is often useful to both sides. “As security becomes more deeply integrated into strategic decision-making, the ability to articulate value in both directions is essential,” adds Blake Entrekin, deputy CISO at HackerOne.

But having social power and influence within an organization isn’t solely about access to the boardroom. It also comes from building trust and security awareness at all levels, which can be achieved by showing genuine interest in people’s day-to-day work.

“Think about how you can embed security into different areas of the organization by leveraging the work of the people already there, and how you can train them just enough to weave security into their existing processes,” Bejerasco says.

The second essential pillar of skills centers on artificial intelligence. CISOs need to understand the current state of AI and be up to date on the latest threats and misuse cases. This knowledge helps them “bring some sanity into an organization that’s often in a mad rush to incorporate AI into everything,” says Bejerasco. “You are no longer the detractor preventing the adoption of new technology. You become the saner voice in the room.”

Understanding where AI systems excel and where they fall short allows CISOs to guide adoption. But technical knowledge isn’t enough. They also need to communicate it clearly, translating complex risks into business language that the board can understand.

They can say something along the lines of: “Here’s the risk in financial, operational, and reputational terms, and here’s the investment trade-off,” Argyle says. “The irreplaceable CISOs will use AI as a force multiplier for business cost–benefit analysis but keep the judgment and storytelling firmly human. If you can’t credibly challenge the way your organization is using AI and data, you’re flying blind.”

When it comes to training, Argyle recommends that CISOs take “reputable courses in AI governance, secure use of LLMs, data protection, and model risk,” ideally from universities or industry-recognized providers.

A mistake CISOs can make is assuming they already know enough about AI to make informed decisions, when the field is evolving too quickly for static knowledge to suffice. “AI will continue to compress the time between reconnaissance and exploitation, requiring CISOs to anticipate how adversaries may use AI and how defenders can leverage the same tools to stay ahead,” Entrekin says.

Lastly, in 2026, the third must-have is building a strong security culture across every level of the organization, because, as Argyle puts it, “cyber is 20% technology and 80% behaviour.”

“The standout CISOs will be those who can shift the boardroom narrative to one of active support for culture change,” he says. “You know culture is taking hold when teams across the business apply secure-by-design principles as second nature.”

Top technical skills

In addition to strong knowledge of AI systems, today’s CISOs need a solid foundation in the technologies that define modern enterprise environments. The (ISC)² CISSP is still widely regarded as the gold standard for broad expertise in security architecture, risk management, and governance. “Regulators will expect this, and it still appears in pretty much all CISO jobs,” Argyle says.

The Cyber Leadership Program from the Cyber Leadership Institute is also highly valued. This program focuses on the leadership and influence skills CISOs need to shape strategy and secure investment.

Other useful certifications are those connected to cloud security architecture, such as CCSP. “If you don’t have an understanding of cloud security, these courses can help you understand shared responsibility models, identity-driven security, and how modern infrastructure operates at scale,” says Bejerasco.

Finally, Bird emphasizes the growing importance of financial fluency in cybersecurity leadership. “A modern risk quantification or cyber economics course is critical, since boards increasingly expect CISOs to express risk in financial terms rather than technical scores,” he says.

Top soft skills

Apart from technical skills, CISOs are also judged on how they strategize, communicate and lead. In 2026, they are expected to face pressure from all sides, including boards, regulators and vendors, not just attackers.

“Strategic judgment is foundational,” says Bird. “Especially knowing when not to act as much as when to intervene.”

Sharpening strategic judgment starts with pattern recognition — connecting the dots between incidents, threat intelligence, and the company’s broader business context. Then, CISOs need to distil that complexity into a few clear, actionable choices, each with defined risks, benefits and costs. “That’s how you move from doom report to strategic advisor,” says Argyle.

Strategic thinking will have a growing ethical dimension in 2026. One of the clearest tests, Bird says, will come in AI-driven environments, where CISOs must navigate complex decisions in the absence of clear legal guardrails. It’s the kind of area, he argues, that can “separate leaders from operators, notably when legal guidance lags behind technological reality.”

Critical decisions sometimes have to be made in the heat of the moment if disaster strikes. In those situations, the ability to stay calm under pressure is essential. “The CISO’s job in the first 72 hours is to lower the temperature, create clarity from ambiguity, and protect trust with the boardroom, authorities, regulators, customers and staff,” says Argyle.

Another soft skill to master in 2026 is the ability to build coalitions and negotiate well with product, data, legal, HR, finance, procurement and external partners. This means CISOs need to learn how to influence without having direct authority. “Security cannot operate in isolation,” says Entrekin. “Influence and collaboration are key.”

Closely linked to this is the ability to communicate well, to speak regulatory language and move fluently between technical, legal and business worlds. “Being able to talk to the board in business terms reduced my required three times a year board reporting to two times a year,” Bejerasco says. “They understood and got confident that they understood that I had it covered. That was helpful for both me and for them as well.”

All these skills have to be passed on to others in the team. A key part of the CISO’s role is to mentor, create opportunities for growth, and help team members gradually step into leadership themselves. “Investing in people ensures continuity, resilience, and long-term organizational capability,” says Entrekin.

Low-cost strategies for gaining top skills

Many CISOs and fractional CISOs want to keep learning, but there isn’t always a budget to match that ambition. Formal courses and certifications can run into the thousands of dollars, plus time away from the job. Yet the experts argue that there are low-cost solutions to this.

One of these is tapping into regional CISO communities. This can mean joining peer groups and roundtables where professionals compare playbooks and swap incident stories. CISOs can also find mentors or mentor younger professionals in turn, strengthening their skills while giving back to the community. “Regional CISOs communities can offer shared knowledge, peer support, and access to collective expertise at little or no cost,” Entrekin says.

Vendors, cloud providers, and partners also tend to have free training, as well as reference architectures and playbooks. “A smart CISO will negotiate learning access and workshops as part of contracts,” Argyle says.

Another low-cost strategy is to use large language models to explore emerging topics. These tools can summarize papers or threat intelligence reports, generate practice scenarios and act as a “sparring partner” for strategies. AI subscriptions are relatively affordable, and executives can repurpose decommissioned hardware from within the organization. This kind of setup allows CISOs to explore AI capabilities, limitations, and risks firsthand, without needing a large budget or a formal program.

Bejerasco also recommends reading books: “Books on negotiation, leadership, decision-making, and strategy are especially helpful and directly applicable to the CISO role, often more so than formal training.”

But another overlooked resource is the CISO’s own team. Argyle suggests creating internal “learning loops”: short, low-cost brown-bag sessions where risk experts, engineers, architects and product owners teach each other. “Lack of budget is a constraint, but it’s not an excuse,” he says. “The best CISOs I know have always been self-directed learners.”

Less relevant courses

Not all courses and certifications add value to a CISO’s résumé. Credentials that are useful early in a cybersecurity career can become far less relevant by the time a security professional reaches an executive role. Examples include generic, entry-level security certifications, as well as tool-specific credentials that focus on button-clicking rather than system architecture.

“They are not useless, but they should no longer be treated as signals of senior security leadership,” Bird says.

Other credentials that are less useful as differentiators for CISOs in 2026 include single-vendor, product-specific certifications. Deep expertise in one specific firewall or endpoint solution might have been valuable in the past, but for someone in a CISO role, it just doesn’t carry a lot of weight.

“At the CISO level, it’s rarely decisive now, architectures are heterogeneous, and we’re increasingly buying platform outcomes, not hero products,” Argyle says. “These certs are fine for specialists, but they don’t move the needle much for an executive.”

Courses that focus purely on memorizing standards and passing exams — without requiring participants to grapple with real-world trade-offs — are also of diminishing value at the executive level. “As a CISO you’re expected to turn compliance into outcomes, not just recite clauses from a standard,” Argyle says.

For CISOs, though, certifications are necessary but not sufficient. They need to be backed by experience. Employers are looking for leaders who can run security programmes end-to-end, make tough trade-offs under pressure, manage incidents calmly, and engage with the board with confidence. In a competitive job market, a long list of certifications won’t get anyone far unless it’s backed by real-world experience.
