I’ve spent a good amount of time speaking with CISOs over the past month and plan to write up a report about what I’m learning sometime after the RSA Security Conference.

In the meantime, it’s become crystal clear to me that CISOs are becoming more and more proactive in their jobs in a few areas, including the following:

1. Threat intelligence

In the distant past, most organizations really didn’t believe they were potential targets for cyber attacks. Yes, CISOs were responsible for building adequate defenses, but this job was seen as a purely technical endeavor. At that time, hackers were hackers — outside of Ft. Meade, few cybersecurity pros distinguished between cyber criminals and state-sponsored actors.

This attitude changed over the past few years as executives witnessed an increasing number of publicly disclosed data breaches. When data breaches occurred, CEOs quickly phoned up the CISO to ask what happened and whether their organization was at risk.

More recently, CISOs have taken risk oversight to the next level by actively monitoring threat intelligence to better understand cyber adversaries and their tactics, techniques, and procedures (TTPs).

A CISO I spoke with stated, “I’ve really embraced the Sun Tzu quote, ‘If you know your enemy and know yourself, you need not fear the results of a hundred battles.’ My day begins by studying threat intelligence to better understand who is attacking us and why. I use this knowledge to educate the board and get them more involved in risk mitigation.”

2. Privacy

While privacy is closely related to security, it’s been little more than a side project for many CISOs in the past. Given the focus on GDPR (and other regulations), this is changing, however. Now, data privacy is evolving from a legal matter to an applied initiative.

As one CISO put it, “With GDPR, the legal team needed help to operationalize privacy. This brought more and more responsibility to CISOs since we specialize in operationalizing policy.”

This means CISOs are spending more time working with business units to discover, classify, safeguard, and monitor sensitive data.

3. Business initiatives

As my colleague Doug Cahill likes to say, "Security is moving to the left." In other words, organizations are building security into applications and infrastructure rather than bolting it on afterward. CISOs are at the tip of the spear here, becoming more involved in business planning and strategy.

One CISO talked about this change as it applied to cloud computing: “Once the organization decided to move aggressively toward cloud computing, I tasked the security team with designing, testing, and building a cloud security platform that could support any future decisions on hybrid cloud technologies. Our goal was to align with and enable the business for the long-term.”

CISOs are taking similar active roles with IoT applications, digital transformation initiatives, etc.

Most important qualities of a CISO

As part of the annual research project conducted by ESG and the Information Systems Security Association (ISSA), 343 cybersecurity professionals were asked to identify the most important qualities of a successful CISO. (Note: I am an ESG analyst.) More than half (52 percent) said leadership skills, 43 percent said communications skills, and 35 percent said a strong relationship with business executives. Clearly, they will need these types of skills as they address changing job responsibilities and evolve from reactive to proactive CISOs.

More on my CISO research soon!