As a CISO, I’ve spent years navigating the delicate balance of responsibility and authority, accountability and autonomy. After writing “The CISO Paradox,” I was struck by how deeply the article resonated with others in the cybersecurity field.

Many reached out to share their own stories and frustrations, all pointing to the same glaring misalignment: CISOs are tasked with protecting the organization’s most critical assets but often lack the authority and support to do so effectively.

Part of what inspired this follow-up was a conversation I had with Den Jones, founder and CEO of 909Cyber. Shortly after the article was published, we discussed the challenges faced by CISOs on his podcast, and his observations were striking.

“At 909Cyber we speak with boards, CEOs, CISOs, and even CROs about the importance of enabling the CISO, as well as the future of the industry,” Jones said. “We’ve never seen a time like this where so many quality CISOs are considering stepping back from the role. The next few years will be interesting to watch the evolution of the CISO.”

This sentiment is not only timely but deeply concerning. If some of the most qualified CISOs are stepping back, what does that say about the state of leadership and support for this critical role?

This letter reflects both those insights and my own experiences and is a direct appeal to CEOs to create environments in which CISOs can thrive and drive meaningful change.

Dear CEO,

The stakes have never been higher. Every week, another breach makes headlines, costing millions in losses, irreparable damage to reputations, and a wave of uncertainty that ripples through customers and stakeholders alike.
But consider this: Who is truly liable when things go wrong?

You might assume the CISO holds the liability, but if they aren’t empowered with the authority, resources, and support to act effectively, can we honestly place the blame there?

This sentiment captures the deeper issue at play: CISOs are already prepared to tackle the challenges they face. The issue isn’t that we lack strategies, tools, or insights; it’s that the current organizational structure doesn’t give us the autonomy to act decisively.

Imagine asking your CFO to manage financial risks without access to budgets, or your COO to oversee operations without control over processes. That’s the reality for many CISOs today: accountability without authority, responsibility without autonomy.

This disconnect doesn’t just hinder cybersecurity efforts; it prevents the CISO from being the strategic partner your organization needs. Too often, CISOs are excluded from the discussions that shape the company’s direction.

Whether it’s launching a new product, entering a new market, or considering a merger or acquisition, security considerations should be part of the decision-making process from the start. When CISOs are brought in only after major decisions are made, the result is reactive, piecemeal solutions that cost more and deliver less.
Your CISO wants and needs a seat at the table
Giving the CISO a seat at the table isn’t a symbolic gesture; it’s a practical necessity. It allows us to align security strategies with business goals, identify risks before they become roadblocks, and ensure that opportunities are pursued without unnecessary exposure. When CISOs are integrated into the executive team, they’re not just protecting the business; they’re enabling it to grow with confidence.

That said, some CEOs reading this may not have this type of CISO in their organization today. If that’s the case, it’s worth asking why. Is the person in the CISO seat there simply to tick a box? If so, that’s a recipe for disaster. The No. 1 core competency a CISO should possess is leadership: the ability to inspire, align, and drive a security strategy that supports and advances the business.

This is the same expectation you should have for any C-level role. It’s not about their technical expertise in governance, risk, and compliance strategy. It’s not about how well they know application security or how proficient they are in configuring technical controls. A true CISO must be a leader who can align security strategy with business objectives, communicate effectively with stakeholders, and make tough decisions under pressure.

If your current CISO isn’t equipped to do this, it’s time to reflect. Have you empowered them with the resources and command they need to lead effectively? Or have you settled for someone who was willing to take the title at half the cost?
Empowering a CISO means making them integral to business
In this role, as in any other, you get what you pay for. There are exceptional CISOs out there, leaders who can deliver both security and strategic value, but they’re often overshadowed by those who are willing to take the title without the capability. If your CISO can’t rise to this challenge, it’s not just their failure; it’s a failure of hiring and leadership priorities.

Empowering your CISO means more than approving budgets or signing off on tools. It means creating an environment where security is treated as a business enabler, not a barrier. When CISOs are trusted to lead, they can align their initiatives with your organization’s objectives, anticipate risks before they materialize, and build a foundation of resilience that supports growth.

As a CEO, you set the tone for how security is viewed within your organization. If you see the CISO as a technical advisor or a necessary expense, that perception will trickle down. But if you treat the CISO as an integral part of your executive team, you send a powerful message: Security isn’t just about avoiding problems; it’s about enabling success.

Ask yourself: Is your CISO in the room when key decisions are made? Do they have the authority to act decisively within their domain? Are they empowered to align security initiatives with your organization’s broader goals? If the answer to any of these questions is no, it’s time to rethink your approach.

This isn’t about spending more or creating unnecessary roles. It’s about recognizing the value your CISO brings and giving them the platform they need to deliver that value. The risks of not doing so are clear, but the rewards of a strong, empowered CISO are even greater. I urge you to think differently about the role of security leadership in your organization and consider how an empowered CISO could transform not just your defenses, but your entire business strategy.

Sincerely,
Tyler Farrar
Chief Information Security Officer
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3617367/dear-ceo-an-open-letter-from-your-ciso.html