The CISO-to-CIO Pipeline: Leadership Skills that Scale

As higher education information security leaders take on broader responsibilities—and increasingly step into chief information officer (CIO) or other executive roles—it's worth asking: What makes a chief information security officer (CISO) ready to lead across an institution?

Previous EDUCAUSE research outlines competency models for both CIOs and CISOs, and what's striking is the degree of overlap.^Footnote1 Today, effective CISOs aren't just cybersecurity experts with technical skills serving in a reactive enforcer role. Modern CISOs are trusted partners, collaborators, and proactive change agents who fluently speak the languages of business, risk, technology, operations, governance, and strategy.^Footnote2 These are many of the same qualities expected of other campus leaders, such as CIOs, chief risk officers (CROs), chief data officers (CDOs), and chief privacy officers (CPOs). The progression of CISOs into CIO roles reflects a growing recognition that the best information security leaders are already engaging in institutional strategy, cross-collaboration, business enablement, and enterprise risk management. This shift is particularly relevant in higher education, where leaders must align technology with mission, manage scarce resources, and enable research and teaching, all while keeping data secure.

The Evolution of the CISO Role

Gone are the days when CISOs were the folks you only heard from after a phishing incident or an audit finding. Since the early 2000s, when the CISO role was first widely recognized in higher education, CISOs tended to be reactive, with their efforts focused on antivirus protection, firewall maintenance, and compliance checklists. Over the past two decades, however, the role has evolved into a vital institutional presence.

Today's CISOs are established campus fixtures who also contribute to shared community resources and mentor the next generation of security professionals. Their responsibilities now extend beyond technical defenses, positioning security as a strategic concern. CISOs participate in cabinet-level conversations with CIOs and other campus leaders on topics such as data governance, risk tolerance, institutional resilience, the ethical use of artificial intelligence (AI), and other institution-wide priorities.

Skills That Scale

Many leadership skills apply across CISO, CIO, CRO, and CDO roles. Successful CISOs build a leadership toolkit that positions them well for broader roles. These competencies are relationship-driven, strategic, and human-centered, moving beyond the technical or risk-focused strengths that once defined the role.

Here are the essential skills that not only define modern CISOs but also translate seamlessly into other executive roles across higher education (see figure 1).

• Trusted advisor. CISOs earn trust by helping institutional leaders balance risk with strategic goals. They translate uncertainty into actionable insights that support mission-aligned, risk-informed decisions.
• Visionary change driver. Modern CISOs see across silos and prioritize collaboration. With a deep understanding of the academic, operational, and financial dynamics of higher education institutions, they make informed decisions that support the entire institution, not just the IT or security functions.
• Strategic communicator and storyteller. CISOs build influence and shift mindsets by translating technical topics into relevant, relatable stories that resonate with diverse stakeholders (from board members and researchers to students and faculty). They gain buy-in through empathy, clarity, and connection rather than fear, uncertainty, and doubt.
• Team builder and collaborator. Security leaders intentionally cultivate resilient, high-performing teams through inclusive leadership and continuous improvement. They enable staff, empower collaborators, and reposition security as a strategic business enabler rather than as an operational obstacle.
• Policy maker and relationship-builder. CISOs help institutional leaders focus on what matters most by connecting security, risk, and strategy to long-term goals. They strengthen governance structures by building trusted relationships across campus, helping to shape policies, guiding investment decisions, and aligning priorities beyond the cybersecurity function. With their ability to influence both people and processes, CISOs are well-positioned to lead complex, cross-institutional initiatives.

What's at Stake

Some of the most impactful higher education leaders today didn't set out to be CIOs or executive strategists. They started by solving complicated problems, building trust, and helping people navigate uncertainty. That sounds a lot like the work of a modern CISO.

The evolution of the CISO role is not just a story of professional growth, but a reflection of what higher education institutions need: leaders who understand complexity, communicate clearly, align decisions with mission, and inspire confidence through action. These are no longer skills that are secondary to technical knowledge. They are essential for guiding institutions through change, especially during times of constrained resources, employee burnout, new and emerging technological threats, and growing scrutiny.

For example, Ed Hudson was recently named CIO at the University of Kansas, transitioning to the role after several years as CISO of the institution. His move wasn't about abandoning security but about building on it. Years of guiding risk conversations, building trust, and enabling change made him a natural fit for broader institutional leadership.

"Today's CIO is a coalition builder, understanding the strategic drivers and guiding rather than deciding," he said. "After spending years understanding the environment of my constituents as a CISO, it was a natural progression to leverage that experience to help guide efforts and take advantage of the coalitions I had built as a CISO. Our own recently developed strategic plan is based on empowering users, transforming the institution, and innovating solutions for the future. This requires all hands rowing together."

Leo Howell's career at Georgia Tech further illustrates how today's IT leaders evolve within their institutions. After several years as the CISO, he stepped into the role of vice president of technology and CIO, a move that highlights how a strong foundation in risk, data protection, and information security can help position a leader to guide broader technology strategy in support of the institutional mission.

"CIOs must see IT as a strategic driver of the mission, but that starts with understanding risk," he said. "My time as a CISO built that foundation: the connections across systems, the weight of compliance, and the power of data to lead. The shift to CIO wasn't a leap—it was a natural next step.”

Time to Lead

If you're a CISO ready to lead more broadly across the institution, now is the time. What are you waiting for? ^Footnote3

Author's Note

Thank you to Josh Beeman, associate vice president of IT and associate CIO at the University of Pennsylvania, for conversations that sparked the idea for this article, as well as your feedback as content was refined.

Notes

1. Jisc and EDUCAUSE, Technology in Higher Education: Defining the Strategic Leader (EDUCAUSE, March 2015); Cathy Bates et al., Technology in Higher Education: Information Security Leadership (EDUCAUSE, March 2016).Jump back to footnote 1 in the text.↩
2. Joanna Lyn Grama and Valerie Vogel, "Empowering the Modern CISO – Part II: The CISO as an Influential Leader,"Vantage Technology Consulting Group (blog), May 30, 2025. Jump back to footnote 2 in the text.↩
3. Want to explore this shift with peers? Check out the Leadership Lounge,a free mentoring program for higher education IT leaders looking to grow their campus influence and networks. Jump back to footnote 3 in the text.↩

Valerie Vogel is Senior Strategic Consultant at Vantage Technology Consulting Group.