web analytics

Dear CEO: It’s time to rethink security leadership and empower your CISO – Source: www.csoonline.com

dear-ceo:-it’s-time-to-rethink-security-leadership-and-empower-your-ciso-–-source:-wwwcsoonline.com
Rate this post

Source: www.csoonline.com – Author:

Tyler Farrar

Opinion

05 Dec 20246 mins

Business IT AlignmentCEOCSO and CISO

Veteran CISO Tyler Farrar offers an open letter to CEOs whose business strategies expect security chiefs to be accountable without authority — or who hire CISOs incapable of fulfilling a true leadership role.

As a CISO, I’ve spent years navigating the delicate balance of responsibility and authority, accountability, and autonomy. After writing “The CISO Paradox,” I was struck by how deeply the article resonated with others in the cybersecurity field.

Many reached out to share their own stories and frustrations, all pointing to the same glaring misalignment: CISOs are tasked with protecting the organization’s most critical assets but often lack the authority and support to do so effectively.

Part of what inspired this follow-up was a conversation I had with Den Jones, founder and CEO of 909Cyber. Shortly after the article was published, we discussed the challenges faced by CISOs on his podcast, and his observations were striking.

“At 909Cyber we speak with boards, CEOs, CISOs, and even CROs about the importance of enabling the CISO, as well as the future of the industry,” Jones said. “We’ve never seen a time like this where so many quality CISOs are considering stepping back from the role. The next few years will be interesting to watch the evolution of the CISO.”

This sentiment is not only timely but deeply concerning. If some of the most qualified CISOs are stepping back, what does that say about the state of leadership and support for this critical role?

This letter reflects both those insights and my own experiences and is a direct appeal to CEOs to create environments in which CISOs can thrive and drive meaningful change.

An open letter from the CISO to the CEO

Dear CEO,

The stakes have never been higher. Every week, another breach makes headlines, costing millions in losses, irreparable damage to reputations, and a wave of uncertainty that ripples through customers and stakeholders alike. But consider this: Who is truly liable when things go wrong?

You might assume the CISO holds the liability, but if they aren’t empowered with the authority, resources, and support to act effectively, can we honestly place the blame there?

This sentiment captures the deeper issue at play: CISOs are already prepared to tackle the challenges they face. The issue isn’t that we lack strategies, tools, or insights — it’s that the current organizational structure doesn’t give us the autonomy to act decisively.

Imagine asking your CFO to manage financial risks without access to budgets or your COO to oversee operations without control over processes. That’s the reality for many CISOs today: accountability without authority, responsibility without autonomy.

This disconnect doesn’t just hinder cybersecurity efforts; it prevents the CISO from being the strategic partner your organization needs. Too often, CISOs are excluded from the discussions that shape the company’s direction.

Whether it’s launching a new product, entering a new market, or considering a merger or acquisition, security considerations should be part of the decision-making process from the start. When CISOs are brought in only after major decisions are made, the result is reactive, piecemeal solutions that cost more and deliver less.

Your CISO wants and needs a seat at the table

Giving the CISO a seat at the table isn’t a symbolic gesture — it’s a practical necessity. It allows us to align security strategies with business goals, identify risks before they become roadblocks, and ensure that opportunities are pursued without unnecessary exposure. When CISOs are integrated into the executive team, they’re not just protecting the business; they’re enabling it to grow with confidence.

That said, some CEOs reading this may not have this type of CISO in their organization today. If that’s the case, it’s worth asking why. Is the person in the CISO seat there to simply tick a box? If so, that’s a recipe for disaster. The No. 1 core competency a CISO should possess is leadership — the ability to inspire, align, and drive a security strategy that supports and advances the business.

This is the same expectation you should have for any C-level role. It’s not about their technical expertise in governance, risk, and compliance strategy. It’s not about how well they know application security or how proficient they are in configuring technical controls. A true CISO must be a leader who can align security strategy with business objectives, communicate effectively with stakeholders, and make tough decisions under pressure.

If your current CISO isn’t equipped to do this, it’s time to reflect. Have you empowered them with the resources and command they need to lead effectively? Or have you settled for someone who was willing to take the title at half the cost?

Empowering a CISO means making them integral to business

In this role, as in any other, you get what you pay for. There are exceptional CISOs out there — leaders who can deliver both security and strategic value — but they’re often overshadowed by those who are willing to take the title without the capability. If your CISO can’t rise to this challenge, it’s not just their failure — it’s a failure of hiring and leadership priorities.

Empowering your CISO means more than approving budgets or signing off on tools. It means creating an environment where security is treated as a business enabler, not a barrier. When CISOs are trusted to lead, they can align their initiatives with your organization’s objectives, anticipate risks before they materialize, and build a foundation of resilience that supports growth.

As a CEO, you set the tone for how security is viewed within your organization. If you see the CISO as a technical advisor or a necessary expense, that perception will trickle down. But if you treat the CISO as an integral part of your executive team, you send a powerful message: Security isn’t just about avoiding problems; it’s about enabling success.

Ask yourself: Is your CISO in the room when key decisions are made? Do they have the authority to act decisively within their domain? Are they empowered to align security initiatives with your organization’s broader goals? If the answer to any of these questions is no, it’s time to rethink your approach.

This isn’t about spending more or creating unnecessary roles. It’s about recognizing the value your CISO brings and giving them the platform they need to deliver that value. The risks of not doing so are clear, but the rewards of a strong, empowered CISO are even greater. I urge you to think differently about the role of security leadership in your organization and consider how an empowered CISO could transform not just your defenses, but your entire business strategy.

Sincerely,
Tyler Farrar
Chief Information Security Officer

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.

Original Post url: https://www.csoonline.com/article/3617367/dear-ceo-an-open-letter-from-your-ciso.html

Category & Tags: Business IT Alignment, CEO, CSO and CISO, IT Leadership – Business IT Alignment, CEO, CSO and CISO, IT Leadership

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Practical DevSecOps
API Security Fundamentals – Your Handy Guide to Building an Unhackable System by practical-devsecops.com
API Security Fundamentals – Your...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos