The Chief Information Security Officer is no longer just a defender. Instead, modern CISOs must be part IT function, part enterprise strategist, and wholly responsible for transforming security into a success driver. Because in a world where digital threats have physical and reputational consequences, the role demands nothing less.

One expert on this evolution is Lester Godsey, the CISO at Arizona State University. With a career that includes CISO roles at Maricopa County, the fourth-largest county in the U.S., and the City of Mesa, the third-largest city in Arizona, Godsey’s experience in complex public sector environments has shaped his entire philosophy.

In his current role, his playbook for the modern security leader faces its ultimate test. As a Research One institution, ASU is a prime target for nation-state actors, he says. But the university's mission of broad inclusion also creates a direct conflict with traditional security measures.

"The standard security playbook says to reduce your attack surface. But the ASU charter dictates that we are measured not by who we exclude, but by who we include. Our DNA is to be open. My job is to walk that tightrope. I must enable our mission of openness while protecting the institution from the significant risks that come with it," Godsey says.

• Beyond 'no': The first principle is for CISOs to abandon the role of gatekeeper, Godsey explains. "Our primary job is to enable the organization to be successful, not to be gatekeepers. Instead of just saying no, we help the business understand the risks of an idea. Then we work with them to find creative ways, like mitigating controls, to reduce that risk to an acceptable level. The final decision is theirs, but our job is to make sure it is an informed one." But a successful partnership also demands a specific skillset.

• Speaking their language: Effective CISOs are translators, too, converting technical jargon into the universal language of business. "I speak in terms of enterprise risk because everyone in the organization understands that language. Not everyone needs to know what a firewall rule is or how zero-trust architecture works. My job is to translate technical complexity into clear business impact. An informed, risk-based decision from leadership depends on it."

• Plan to pivot: The final required skill is strategic agility, says Godsey. "If you set a security strategy and expect to follow it for years, you are already behind the curve. The threat landscape changes far too quickly. Your security program must also reflect the organization's own shifting priorities. Our strategy is a living document for this reason. We update our entire program and roadmap at least twice a year." A static, multi-year plan is a direct path to failure in an era of rapid change, he cautions.

As an example, Godsey recalls how a recent state-wide ban on the AI tool DeepSeek put his philosophy to the test. At the time, ASU had already demonstrated a deep commitment to AI, empowering 30,000 faculty and staff with its internal "CreateAI" toolkit and rolling out ChatGPT EDU. The proactive investment in its own secure platform gave the university enough flexibility to find an alternative path.

• From 'no' to 'yes, and': Instead of a blanket ban, Godsey's team offered a governed alternative. "We turned a potential 'no' into a 'yes, and here's how. The state made a decision based on the tools at its disposal. We had better options because of our proactive investment in CreateAI. Our internal environment has the necessary security, privacy, and ethics controls to manage risk effectively. We could therefore tell our researchers that, for legitimate purposes, with approval, they could run an internal instance of DeepSeek securely. We enabled their work without exposing the university to significant risk."

For Godsey, the ability to turn a "no" into a "yes" is the pinnacle of a security program designed to enable and defend. Ultimately, it's what lets the university pursue its core mission without incurring unacceptable risk, he concludes. "That gives us a level of flexibility that not everybody else has. It allows us to do the kind of research that ASU is known for."