How the banking sector, led by the crypto frontier, is quietly dismantling one of cybersecurity’s most powerful titles, and what that silence says about who really controls digital risk.
A Title Is Never Just a Title
In the long history of institutional power, few instruments have been more telling than the job title. When Napoleon reorganised the French state after 1799, he did not simply rename ministries for administrative clarity. He understood that titles carry jurisdiction, that the name of a role defines the boundary of its authority, and that changing a name is sometimes the most elegant way to move a border without firing a shot. The Roman Empire knew this too, of course. The transition from “Dictator” to “Princeps” under Augustus was not semantic housekeeping. It was a restructuring of legitimacy, dressed in the language of modesty.
Something of that same quiet logic is now playing out inside the governance structures of banks, asset managers, and digital finance institutions across Europe and the wider world. Almost without announcement, and with none of the ceremony one might expect from a shift of such significance, the title of Chief Information Security Officer, the CISO, is disappearing from organisational charts. In its place, with increasing frequency, sits a new designation: Head of ICT Risk and Security. The change looks cosmetic. It is not.
The phenomenon is most visible, and most telling, in the world of crypto banking and digital asset infrastructure, where regulatory pressure and operational experimentation coexist in an uneasy, perpetually shifting equilibrium. But it is not confined there. Traditional banks operating under the European Central Bank’s supervisory umbrella, payment institutions navigating the labyrinthine obligations of DORA, and hybrid financial intermediaries sitting at the intersection of TradFi and DeFi are all, each in their own way and at their own pace, making the same move. The CISO is becoming something else. The question worth asking, seriously and without the reflexive defensiveness that tends to surround this topic in cybersecurity circles, is what that something else actually is, and why it is happening now.
The Architect of a Different Age
The CISO role itself is, by the standards of corporate governance, extraordinarily young. Its origins are generally traced to the early 1990s, with Citibank often cited as the institution that first formalised the position in response to a hacking incident that exposed fundamental vulnerabilities in its international wire transfer systems. Steve Katz, appointed in 1995, is frequently described as the first true CISO in history, and the parallels with our current moment are not trivial. Citibank’s problem in 1994 was not merely technical. A Russian hacker named Vladimir Levin had exploited the seams between systems, jurisdictions, and organisational silos to extract approximately ten million dollars. The response was the creation of a role whose mandate was explicitly cross-functional, someone who could sit above the technology team and speak the language of risk to the business.
For two decades, the CISO model held. It held because the threat landscape was dominated by external adversaries whose methods were technical, and whose motivations were either financial or ideological in ways that mapped cleanly onto the security paradigm. Firewalls, intrusion detection systems, patch management, and incident response were the grammar of the discipline, and the CISO was its chief grammarian. The role gained legitimacy, then prestige, then finally a seat at the table that for years it had been denied.
But something changed. The change did not happen suddenly, and it did not have a single cause. It was the cumulative effect of three converging pressures, each arriving at roughly the same time, each pushing in the same direction.
The first was regulatory. The European Union’s Digital Operational Resilience Act, DORA, which became applicable across financial institutions in January 2025, introduced a framework that explicitly refuses to treat cybersecurity as a technical discipline sitting in a technical silo. DORA requires that ICT risk be governed at the management body level, that third-party concentration risk be mapped and reported with the same rigour as credit or market risk, and that resilience testing be embedded in ongoing operational governance rather than treated as a periodic compliance exercise. The regulation does not mention the CISO by name. Its silence on that point is the most eloquent thing about it.
The second pressure was structural. The explosion of cloud-native architecture, the proliferation of API ecosystems, and the migration of core banking functions onto distributed ledger infrastructure had made the traditional perimeter, that clean imaginary line between inside and outside that the classic security model defended, not merely porous but conceptually obsolete. In a world where your core banking system runs on AWS, your payment rails are shared infrastructure, and your customer data flows through seventeen third-party processors before it reaches your own environment, the idea of a Chief Security Officer guarding a perimeter makes as much sense as appointing a drawbridge keeper for a building that has no walls.
The third, and perhaps most philosophically interesting, was the rise of crypto. The digital asset sector did not inherit the governance traditions of conventional finance. It built its own, improvising under regulatory pressure, absorbing talent from technology companies rather than banks, and bringing with it a fundamentally different conception of what risk means when your asset lives on a blockchain and your custody arrangement is a smart contract. In that context, the CISO model, with its emphasis on confidentiality, integrity, and availability as the three pillars of security thinking, felt not merely insufficient but misaligned.
The Crypto Laboratories
If you want to understand a governance trend before it becomes mainstream, watch the crypto banks. Not the exchanges, which operate in a different regulatory universe and have their own peculiar governance pathologies, but the institutions that have obtained banking licences and are operating digital asset services under the supervision of national competent authorities in the EU and the UK. These organisations are, in governance terms, the most interesting laboratories of the current moment.
Institutions such as Sygnum Bank in Switzerland, Anchorage Digital in the United States, and the various MiCA-licensed entities currently establishing themselves in Luxembourg, Ireland, and Germany have all, in different ways, confronted the same question: how do you govern information risk in an institution where the asset itself is a cryptographic artefact, where the private key is simultaneously the security object and the operational instrument, and where the boundary between a security failure and a financial loss is not a boundary at all but a single event?
The answer that several of them have arrived at is the one that gives this article its premise. The Head of ICT Risk and Security is a title that does something the CISO title never could. It explicitly names risk as the governing concept, placing security within that frame rather than allowing security to stand as an autonomous discipline. The difference is not merely semantic. It represents a fundamental realignment of the organisational logic behind the function.
In crypto banking, the private key is simultaneously the security object and the operational instrument. The CISO model was built for a different kind of threat.
In a traditional bank, security and risk are parallel functions that communicate, collaborate, and occasionally compete for budget and influence. The CISO owns security. The Chief Risk Officer owns risk. The two meet in committees, in audit findings, in regulatory submissions. The system works reasonably well as long as the threats are external and the assets are conventional. But in a digital asset institution, this separation is not merely inefficient. It is dangerous. A key management failure is simultaneously a security incident, an operational risk event, a financial loss, and a regulatory breach. It cannot be routed to the CISO’s queue on Monday and the CRO’s risk register on Tuesday. It is all of those things at once, and the governance response must be equally integrated.
This is the insight that is driving the title change, and it is an insight that is now beginning to migrate from the crypto frontier into conventional banking, propelled by DORA’s integrated ICT risk framework and accelerated by the increasingly hybrid nature of financial services infrastructure.
What Regulators Actually Want
It is worth reading the regulatory text carefully, because the shift in language at the regulatory level preceded and to some extent precipitated the shift in titling at the institutional level. The European Banking Authority’s guidelines on ICT and security risk management, which preceded DORA and were incorporated into its framework, speak consistently of ICT risk rather than cybersecurity. The distinction is deliberate. ICT risk, in the regulatory lexicon, is a category that includes cybersecurity threats but also encompasses system availability, data integrity, third-party dependency, change management failures, and the whole spectrum of operational disruptions that can arise from technology without any adversarial actor being involved.
DORA Article 5, which establishes the governance requirements for ICT risk management, places responsibility explicitly with the management body. It requires that the management body define, approve, and oversee the ICT risk management framework. It requires that the management body remain informed of major ICT-related incidents. It requires that the management body allocate adequate budget for ICT resilience. At no point does the text create a governance role called CISO or suggest that such a role is required or even particularly relevant. What it creates, in effect, is the organisational demand for a figure who can translate ICT risk into the language of management governance, and that figure, in the institutions that are responding most thoughtfully to DORA’s demands, is the Head of ICT Risk and Security.
The parallel with what happened to the Chief Compliance Officer role in the years after the 2008 financial crisis is instructive. Before the crisis, compliance in many banks was a legal function dressed up with a C-suite title. After the crisis, under the pressure of Basel III, the SREP process, and the broader expansion of regulatory expectations, compliance transformed into a genuine second-line-of-defence discipline with real analytical capacity and genuine management influence. The CCO stopped being a lawyer who read regulations and became a risk professional who governed behaviour. Something analogous is now happening to the security function, and the title change is the visible surface of that deeper transformation.
The Power Geometry of the New Role
There is a political dimension to this that deserves acknowledgment, even if it tends to make practitioners uncomfortable. The CISO title, for all its prestige in the cybersecurity community, has a structural weakness that has been visible for years to anyone paying attention. In the majority of financial institutions, the CISO reports to the CTO or the CIO. In some more enlightened organisations, there is a dotted line to the CEO or the Board. But in practice, the CISO’s authority is technology authority, which means it is bounded by the same structural limitations that bound every other technology function: the tendency to be called in after the business decision has been made, the difficulty of exercising veto power over commercial priorities, and the fundamental challenge of translating technical risk into a language that resonates at board level.
The Head of ICT Risk and Security, when properly constituted, is a second-line-of-defence function. This is not a trivial distinction. In the three-lines-of-defence model that governs risk management in regulated financial institutions, the second line does not manage risk directly. It defines the framework, monitors compliance, and provides independent challenge to the first line. This means the Head of ICT Risk and Security, unlike the CISO, has a governance mandate that is explicitly independent of the technology function. The reporting line typically runs to the Chief Risk Officer or, in some configurations, directly to the CEO or the Board’s Risk Committee. The authority that comes with that positioning is qualitatively different from anything the CISO model ever offered.
There is a precedent for this kind of governance evolution in the history of credit risk. Before the 1990s, credit decisions in most banks were made by bankers who both originated and approved loans. The concept of an independent credit risk function, with the authority to challenge and override commercial lending decisions, was genuinely controversial when it was introduced. It is now considered foundational. The same logic is now being applied to ICT risk, with the same implication: that the people who build and operate technology systems cannot be the same people who assess and govern the risks those systems generate.
The Human Cost of Rebranding
None of this is without cost, and the human dimension of the transition should not be elided in the interest of theoretical tidiness. The cybersecurity profession has spent three decades building the CISO as a credible governance construct. Thousands of professionals have invested in certifications, career paths, and professional identities built around that title. The CISSP, the CISM, the various ISO 27001 lead auditor credentials, all of them were designed for a world in which the CISO model was the destination. The suggestion that the destination has moved is not received with enthusiasm in professional communities where the CISO title represents, for many practitioners, the summit of a long career.
There is also a legitimate concern about deskilling, or more precisely about what happens to deep technical expertise when the function that housed it is reframed as a risk governance discipline. The CISO role, at its best, combined genuine technical depth with governance capability. The Head of ICT Risk and Security, if not carefully designed, can become a risk management role that has lost touch with the technical realities it is supposed to govern. This is not a hypothetical risk. It is already visible in some of the institutions that have made the transition hastily, under regulatory pressure, without adequately thinking through the competency requirements of the new role.
The most thoughtful institutions are addressing this by defining the Head of ICT Risk and Security as a dual-competency role, requiring both deep technical understanding of ICT systems and demonstrated capability in risk framework governance. That combination is rare, and the market for professionals who genuinely possess it is considerably tighter than the market for either pure technologists or pure risk managers. The salary implications of that scarcity are beginning to make themselves visible in the compensation surveys, something that the technical comparison tables at the end of this article will attempt to quantify.
MiCA, NIS2, and the Convergence of Regulatory Architecture
The regulatory environment that is accelerating this governance shift is not limited to DORA. The Markets in Crypto-Assets Regulation, MiCA, which became fully applicable in December 2024, introduced governance requirements for crypto-asset service providers and crypto-asset issuers that are explicitly modelled on the DORA framework. Article 69 of MiCA requires that CASPs establish and maintain effective systems and procedures for ICT risk management. The competent authority guidelines that have been issued under MiCA by the European Securities and Markets Authority mirror the DORA language almost exactly, including the emphasis on management body responsibility and the integration of ICT risk with operational risk.
NIS2, the revised Network and Information Security Directive, adds another layer. Its implementation across EU member states throughout 2024 and 2025 has brought a new set of obligations for entities in the financial sector and critical infrastructure more broadly. NIS2 explicitly holds management bodies personally accountable for cybersecurity risk governance failures. This personal accountability dimension, which was largely absent from previous regulatory frameworks, is perhaps the single strongest driver of the governance redesign that the CISO-to-Head-of-ICT-Risk transition represents. When a board member can be personally fined for a cybersecurity governance failure, the appetite for a clear, risk-framework-based governance structure for the function increases dramatically.
What is emerging, across DORA, MiCA, NIS2, and the EBA guidelines, is a coherent regulatory architecture that treats ICT risk as a first-class risk category, equivalent in governance status to credit risk, market risk, and liquidity risk. In that architecture, the logical governance figure is not a security officer but a risk officer. The title change is, in this light, not a corporate whim but a regulatory inevitability.
The American Exception
It is worth pausing on the transatlantic dimension, because the United States presents a genuinely different picture, and the contrast is illuminating. American financial institutions have not, in general, made this governance transition. The CISO remains the dominant model in US banking, and the regulatory framework, built around OCC guidance, FFIEC handbooks, and the NIST Cybersecurity Framework, continues to treat security as the primary conceptual lens rather than the integrated ICT risk approach favoured by European regulation.
This is not accidental. American regulatory philosophy has historically been more comfortable with sector-specific, technology-centric security standards than with the integrated risk governance approach that the EU has been developing since Basel II. The SEC’s cybersecurity disclosure rules, adopted in 2023, have pushed in the direction of governance accountability, requiring public companies to disclose material cybersecurity incidents and to describe their cybersecurity risk management processes. But they stop well short of the integrated ICT risk framework that DORA mandates.
The result is a transatlantic divergence in governance architecture that is increasingly visible in the structures of global banks operating in both jurisdictions. JPMorgan, Goldman Sachs, and their peers maintain CISO structures in their US entities while adapting to ICT risk governance frameworks in their European subsidiaries. The overhead of managing two governance philosophies simultaneously is not trivial, and there are signs that some institutions are beginning to think about whether the European model might ultimately offer advantages even outside the regulatory context in which it was born.
A Philosophical Coda: Risk as a Way of Knowing
There is a deeper question beneath all of this, one that sits at the intersection of governance philosophy and epistemology, and that is worth surfacing even if it cannot be fully resolved in a single article. The CISO model is, at its root, a model built on the concept of threat. It organises knowledge and response around adversaries, vulnerabilities, and attacks. Its vocabulary is borrowed from military and intelligence culture, and that borrowing is not incidental. The CISO thinks in terms of defenders and attackers, of perimeters and breaches, of detection and response.
The ICT risk model, by contrast, is built on a different epistemological foundation. Risk, in the technical sense used by risk managers in financial institutions, is a distribution of possible outcomes with associated probabilities and severities. The question is not “who is attacking us?” but “what is the probability that our technology systems will fail to deliver the outcomes that our business model and our regulatory obligations require, and what is the financial and reputational magnitude of that failure?” It is a more abstract frame, and in some ways a less viscerally satisfying one. But it is more complete, and it is more honest about the actual nature of the threats that institutions now face, in which the most consequential risks are often not adversarial at all but arise from complexity, interdependency, and the emergent properties of systems that no individual actor fully understands.
The philosopher of science Karl Popper once observed that the growth of knowledge consists essentially in the correction of mistakes. The transition from CISO to Head of ICT Risk and Security is, in that sense, a correction, not a rejection of what the CISO model achieved, but a recognition that the frame it provided was too narrow for the risk environment that has emerged. It is the kind of correction that institutions find difficult to make because it requires acknowledging, implicitly at least, that the previous architecture was inadequate. The path of least resistance is always to add a new layer rather than to rethink the foundation. The institutions that are making this transition are, to their credit, choosing the harder path.
Technical Appendix: Comparative Governance Architecture, Competencies, and Compensation
The following section moves from analysis to data. It draws on publicly available regulatory guidance, compensation surveys published by Robert Half, Hays Financial Services, and the Information Systems Security Association, organisational disclosures in annual reports and regulatory filings, and the author’s own professional observation of governance structures across European financial institutions.
Table 1. CISO vs Head of ICT Risk & Security: Governance Architecture Comparison
| Dimension | CISO Model | Head of ICT Risk & Security |
| --- | --- | --- |
| Line of Defence | 1st line (embedded in technology function) | 2nd line (independent risk function) |
| Typical Reporting Line | CTO / CIO, with dotted line to CEO | CRO or directly to CEO / Board Risk Committee |
| Primary Mandate | Protect systems and data from threats | Govern ICT risk within enterprise risk appetite |
| Regulatory Anchor | ISO 27001, NIST CSF, sector-specific guidelines | DORA Arts. 5–16, EBA ICT Guidelines, NIS2, MiCA Art. 69 |
| Budget Authority | Typically limited; business case required | Direct allocation from risk appetite framework |
| Challenge Authority over 1st Line | Informal; relationship-dependent | Formal; embedded in governance mandate |
| Board Interaction | Periodic reporting; incident escalation | Regular; member of or adviser to Risk Committee |
| Prevalence in EU Crypto Banks (2025) | Declining: approx. 34% of sampled institutions | Rising: approx. 61% of sampled institutions |
| Prevalence in EU Traditional Banks (2025) | Still dominant: approx. 58% | Growing: approx. 38% |
Sources: EBA organisational surveys 2024, ISACA State of Cybersecurity Report 2025, author’s professional survey, public LinkedIn data analysis.
Table 2. Core Competency Matrix: Required vs Nice-to-Have
| Competency Domain | CISO (Required = R) | Head of ICT Risk & Security (Required = R) |
| --- | --- | --- |
| Network & endpoint security architecture | R | Nice to have |
| Threat intelligence & incident response | R | R |
| ICT risk framework design (DORA, EBA) | Nice to have | R |
| Operational resilience testing (TLPT, TIBER-EU) | R (technical delivery) | R (governance oversight) |
| Third-party / TPICR risk management | Partial | R |
| Board-level risk communication | Beneficial | R |
| Cryptographic asset custody protocols | Sector-specific | R (in crypto banks) |
| ISO 27001 / 22301 Lead Auditor | R or strongly preferred | Beneficial |
| CISSP / CISM certification | R or strongly preferred | Recognised but not decisive |
| GRC tooling & regulatory reporting | Beneficial | R |
Competency mapping synthesised from DORA regulatory technical standards, EBA ICT Guidelines 2023, and ISACA Competency Framework 2024.
Table 3. Compensation Benchmarks, European Financial Sector (2025, EUR)
| Role / Context | Median Base (EUR) | Max Reported (EUR) | Bonus Range | Total Comp Est. (EUR) |
| --- | --- | --- | --- | --- |
| CISO, traditional bank (>10bn AUM) | 195,000 | 260,000 | 15–30% | 224,000–338,000 |
| CISO, fintech / scale-up | 150,000 | 210,000 | 10–25% + equity | 165,000–262,500 |
| Head of ICT Risk & Security, regulated bank | 215,000 | 310,000 | 20–40% | 258,000–434,000 |
| Head of ICT Risk & Security, crypto bank (MiCA-licensed) | 230,000 | 340,000 | 20–40% + token | 276,000–476,000 |
| Deputy CISO / ICT Risk Manager (sr.), EU bank | 130,000 | 175,000 | 10–20% | 143,000–210,000 |
Sources: Hays Financial Services Salary Guide 2025, Robert Half Technology Salary Guide 2025, LinkedIn Salary Insights EU Financial Sector Q4 2025. Figures are indicative. Token/equity components excluded from total comp for comparability.
Table 4. Regulatory Mapping: Where Each Title Is Anchored
| Regulation | Mentions CISO | Requires ICT Risk Function | Management Body Accountability |
| --- | --- | --- | --- |
| DORA (EU 2022/2554) | No | Yes (Arts. 5–16) | Yes (Art. 5.2) |
| MiCA (EU 2023/1114) | No | Yes (Art. 69) | Yes (Art. 69.3) |
| NIS2 (EU 2022/2555) | No | Yes (Art. 21) | Yes, personal liability (Art. 20) |
| EBA ICT & Security Guidelines (EBA/GL/2019/04) | Implicit reference only | Yes | Yes |
| NIST CSF 2.0 (US) | Referenced | Partial (Govern function) | Recommended, not mandated |
| SEC Cybersecurity Disclosure Rules (2023) | Referenced in guidance | Implicit | Yes (disclosure of oversight) |
| ISO 27001:2022 | No formal reference | Clause 6 (risk planning) | Clause 5 (leadership) |
Regulatory analysis based on official EU legislative texts, EBA and ESMA technical standards, and SEC final rules. Verified against public official sources as of Q1 2026.
The Map Is Not the Territory
Augustus kept the Roman Senate. He knew better than to abolish it. What he did was change what the Senate’s authority actually meant, redirecting power while preserving the form that gave power its legitimacy. The CISO is not being abolished. In many institutions it is being kept, often with the same person in the role, sometimes with a slight change in title, sometimes with a dual-hat arrangement. But the authority structure around it is changing, and the frame through which digital risk is governed is being rebuilt on different foundations.
The financial sector’s quiet migration from CISO to Head of ICT Risk and Security is one of the most significant governance shifts of the current decade, and it has received a fraction of the attention it deserves, partly because it is happening gradually, partly because the institutions driving it prefer not to draw attention to the implicit acknowledgment of previous inadequacy that it represents, and partly because the cybersecurity press is, understandably, reluctant to report on the diminishment of a title it has spent years celebrating.
But the map is changing. And in geopolitical terms, as much as in corporate governance terms, understanding a change in the map is the prerequisite for understanding the territory that the map describes. The institutions that grasp this shift first, that build governance structures genuinely fitted to the integrated risk environment that DORA, MiCA, and NIS2 have collectively created, will not merely be compliant. They will be better governed, better protected, and, in the end, better equipped to survive the next crisis that no one has yet thought to name.
Raffaele Di Marzio
Executive Cybersecurity Consultant
raffaele.dimarzio@cyberium.limited
About the author:
🇮🇹 https://www.amazon.it/stores/Raffaele-DI-MARZIO/author/B0FB47T6Q4
🇫🇷 https://www.amazon.fr/stores/Raffaele-DI-MARZIO/author/B0FB47T6Q4
🇬🇧 https://www.amazon.com/stores/Raffaele-DI-MARZIO/author/B0FB47T6Q4
🇪🇸 https://www.amazon.es/stores/Raffaele-DI-MARZIO/author/B0FB47T6Q4
