7 misconceptions about the CISO role

Katie Jenkins, EVP and CISO, Liberty Mutual Insurance

The field is changing so rapidly, Jenkins adds, that she needs to commit time to keeping up on research and connecting with other CISOs for knowledge exchange.

In addition to securing infrastructure, an effective CISO focuses on securing the business, experts say. This requires understanding how security fits into the business: not just concentrating on risk management, but ensuring security helps the company move forward without creating other problems. Instead of viewing them as “tech enforcers,” it’s time to view CISOs as strategic business leaders, industry experts say.

2. Security is purely a technical function: Similarly, you can have the best tools and the best security stack in the world, but if your employees are still clicking phishing links or reusing weak passwords, that all falls by the wayside. The CISO role is evolving, and today CISOs must wear many hats, serving as psychologists, educators, and diplomats in order to convince people that security is everyone’s job. This is because often no one thinks much about security until there is an issue. Additionally, leadership may not view security as part of the corporate culture. Experts say a strong CISO spends as much time working with people as with tools.

“I’ve lost count of how many times someone assumed my day revolves around configuring firewalls or patching vulnerabilities,” says Sam Taylor, CISO of security resources firm LLC.org, adding that she runs into this all the time. “In reality, about 70% of my job is risk management, communication, and making sure security gets taken seriously at the executive level. I spend more time in boardrooms than I do in security operations centers,” she says. “Leadership teams don’t care about technical jargon; they care about risk in financial terms.”

Sam Taylor, CISO, LLC.org
4. The C in the title means they are an officer of the company: That leads to another scary misconception for CISOs and CISO candidates: because the word “chief” is in the title, they assume they will be an officer of the company, says SEI’s Touhill. In fact, “the vast number of CISOs are not named officers of companies, and the impact of that is profound.”

Officers and directors are covered under a company’s director and officer insurance policy, he says. If a major cybersecurity breach occurs and the CISO isn’t covered, there can be personal liability. Touhill says it is critical for CISOs and CISO candidates to ask the company whether they will be covered under a separate policy to indemnify themselves when they are acting in the best interests of the company, so they are not personally sued.

People don’t think of CISOs as being at risk of personal liability as part of their job, echoes Villanustre. “The CISO role is not exempt from challenges arising from the continuous changing cybersecurity landscape, as risks and threat actors evolve. In fact, CISOs are becoming personally liable to civil and criminal charges.”

This is likely driving the short average tenure for CISOs, which ranges from 18 to 26 months, Villanustre observes. “This is far lower than the five-year average tenure of the C-suite.”

5. CISOs can eliminate risk: There is an unrealistic expectation that a security leader should be able to stop every breach before it happens. Breaches will happen. Their real job, security experts say, is minimizing impact, keeping systems resilient, and ensuring the company bounces back fast afterwards.

“People often believe CISOs can stop all attacks, but this could not be farther from the truth,” says Rafay Baloch, CEO and founder of cybersecurity consultancy RedSecLabs. “Breaches happen based on timing rather than likelihood, which challenges this perspective.”

This stems from a big misconception that “cybersecurity is only done by people with a cybersecurity job title, when in fact, an entire organization serves as the first line of defense,” says Liberty Mutual’s Jenkins. “It takes every employee to ‘don their cape.’” Liberty Mutual’s Responsible Defender program requires the company’s 40,000 global employees “to use their training and instincts to help us identify and defend our company against cyberattacks,” she says.

6. CISOs are a barrier to innovation: Business leaders often view security as a roadblock and believe CISOs slow innovation with extreme risk assessments and compliance requirements. On the other hand, many CISOs maintain they actually help their businesses move faster by ensuring innovation happens securely. Security should be viewed as a company-wide function that requires buy-in from every department, and CISOs should not be treated as the lone defenders against cyber threats.

Security leaders can often be perceived as slowing down innovation, according to Allen. Startups, for example, may resist security controls that introduce friction in the user experience, while media companies may push back on digital rights management (DRM) enforcement because it complicates content distribution, he says.

“A colleague of mine at a global streaming platform explained how they struggled to implement stronger API security because it was seen as an ‘unnecessary delay’ to feature releases, until API vulnerabilities were exploited, impacting millions of users,” Allen says. “In reality, CISOs are not anti-innovation; they are there to ensure sustainable growth by embedding security into digital transformation efforts rather than bolting it on later.”

In many industries, CISOs must balance risk with business agility, regulatory demands with user experience, and cybersecurity with corporate innovation goals, Allen says. “Their role extends beyond technical oversight; they must be strategic partners who bridge the gap between security, product development, and business operations.”

7. CISOs don’t have mental health issues: There is a mistaken impression that CISOs can simply handle the stress of the job. Even though organizations are under attack 24/7/365, the thought is that by the time you get to the level of CISO you don’t have to worry about your mental health, Touhill says, calling this “a vicious myth.”

He strongly encourages CISOs to not only have a plan in place to take care of the mental health of their security teams, but also have a “really, really good deputy ready to step in so you can take a vacation.” He adds, “You cannot win a marathon if it never ends. You have to take care of yourself and be constantly aware of your own mental health, not just the people you’re taking care of and leading.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3846288/7-misconceptions-about-the-ciso-role.html
