CISOs Evolve from Technical Gatekeepers Into Hands-On Drivers of Enterprise Resilience

The Security Digest - News Team
Published February 20, 2026

Kleber Souza Pinto, Cybersecurity Consultant at GNL Granite Design, explains how four converging pressures are forcing the CISO role beyond its technical origins.

Key Points

  • The CISO role has evolved from a technical firewall and patch management function into a strategic leadership position accountable for revenue protection, brand trust, and business continuity.

  • Kleber Souza Pinto, Cybersecurity Consultant at GNL Granite Design, identifies four converging pressure points driving this shift: budget constraints, AI-accelerated risk, supply chain exposure, and a talent shortage that compounds burnout.

  • He argues CISOs must translate cyber exposure into financial terms the board can act on and position themselves as resilience leaders guiding strategy-level decisions.

The CISO title carried a "C" for years before the role actually earned a seat in the executive conversation. For most of its history, the position has sat squarely inside IT, focused on firewalls, patches, and compliance checklists. Today, boards face mounting regulatory scrutiny and a threat environment expanding faster than traditional defenses can adapt. The security leaders still operating under the old mandate are already exposed.

We spoke with Kleber Souza Pinto, a strategic cybersecurity leader with over 20 years of experience protecting Fortune 500 clients, who currently serves as a Cybersecurity Consultant at GNL Granite Design. Holding key industry certifications including CISSP, CISM, and PMP, he has architected hundreds of enterprise solutions at companies like Equinix and founded his own IT consulting firm. His career spans the full arc of the CISO's evolution.

"The role started as a technical firewall and patch manager position. Today, it's a true leadership role in enterprise risk management," Pinto says. "It's not only about preventing breaches, but ensuring the organization can withstand and recover from unavoidable incidents while protecting revenue, brand trust, and growth." That shift is being driven by four converging pressures that are forcing security out of the server room and into the boardroom.

  • Budget follows the breach: In many mid-market companies, meaningful security funding only materializes after something goes wrong. "We don't have the appropriate budget to make the company move at the speed everyone wants," Pinto says. "In many cases, real investment only comes after an incident that brings real losses to the company."

  • AI as accelerant and liability: The threat AI poses extends beyond attacker capabilities. Pinto points to the recent incident where a senior CISA executive uploaded sensitive government documents into a public AI tool as a warning sign for the entire industry. "If they do that, imagine what is happening inside companies right now," he says. "AI also expedites vulnerabilities. Hackers can turn a vulnerability into a real problem in minutes."

  • Supply chain as attack surface: A weak supplier can cascade risk across the entire enterprise. "This is maybe the main barrier to cyber resilience," Pinto says. "It happens often, including with big cybersecurity companies. They're exposed because they trusted a partner, and that partner had problems."

  • Talent scarcity and burnout: The cybersecurity workforce gap shows hundreds of thousands of open positions across the United States alone. "Many teams are overworked, and in the short term, there's no way to replace them with AI. We need people with real skills to understand how things are going," Pinto says. Overstretched teams are not just less efficient. They become an operational resilience risk when fatigue degrades the decisions that matter most.

The common thread is that none of these pressures can be resolved with a technical fix. They demand a CISO who speaks the language of the business and owns the risk narrative at the executive level.

  • Revenue, not vulnerability counts: Pinto's approach is to bypass the technical jargon entirely. "Instead of presenting the number of vulnerabilities found, I can quantify how this exposure could lead to a revenue loss of millions of dollars due to downtime and regulatory penalties," he says. "That's how the CFO and the board understand what we're really talking about." He recommends establishing a regular cadence with the CEO and CFO to keep security tied to business outcomes rather than buried in operational reports.

On the defensive side, Pinto urges CISOs to resist the pressure to be early adopters. "Staying ahead on the AI adventure can bring risk to the business just as easily as it can bring innovation," he says. "It's a minefield. Understand what it can bring, both good and bad, before you move." The right approach is to adopt AI with intent, ensuring governance and security are addressed before deployment scales.

The trajectory Pinto sees is one where the CISO evolves into something closer to a Chief Resilience Officer, quantifying risk in board-level terms and guiding strategic decisions under pressure. That future, he believes, is not far off. "After this AI era stabilizes, CISOs are going to be in a much stronger position," he says. "The opportunity is real, and it's coming soon."