Why It’s Time to Split the Job Before It Breaks the Business
This interesting piece by Tyler Farrar made me think (“The CISO code of conduct: Ditch the ego, lead for real”, CSOonline, 22 July 2025).
While I agree with most of the content and the code of conduct it suggests, I think there are a few points around the roles and profiles of the CISOs that need to be explored and analyzed further.
The code of conduct in the article rightly insists on leadership and execution skills but ends up structuring a profile that cannot be built up overnight and can only be the result of long-term front-line management and delivery roles, and that’s at the heart of the matter in my view.
Most CISOs I come across are technologists by trade and background. Nothing wrong with that: It is simply the consequence of the origins of the role in IT security and its evolution over the last three decades.
Over its three decades of existence, the cybersecurity industry has never built lateral talent management pipelines. Security analysts become security engineers; security engineers become CISOs; very little talent at senior level comes from outside in my experience.
Many CISOs have been hopping from job to job over the best part of that period. When I started going to information security conferences 25 years ago, most people in the room were coming from the financial sector, big pharma and oil and gas firms. Over the period, all firms have woken up to the reality of cyber threats and many of my colleagues from that period moved to other industry sectors.
But tenures have remained low. Several articles every year place the average CISO tenure in the region of 2 to 3 years, and that matches my own field experience.
You do not achieve much in terms of transformative impact in any large firm in 2 to 3 years.
In fact, many CISOs have spent the last decade firefighting endless incidents, incapable of building any kind of longer-term vision in any job, let alone delivering it. As a prominent CISO once told me, “my first 100 days ended on day 3”…
That’s not a context where you can realistically develop the management finesse, the personal gravitas, the political acumen you are now expected to have to succeed in the role, given the visibility it has acquired at corporate level.
That’s why many CISOs are struggling. No doubt there are “ego” issues with some (it’s hard not to feel important when you are being paid a fortune) but beyond that, the role has simply become impossible for many and that’s where the “bad behaviour” comes from, in my view.
Nobody can be expected to be credible one day in front of the Board, the next in front of regulators, the next in front of pen testers, the next in front of developers, the next in front of suppliers, and so on…
It’s time to stop pretending: Those profiles don’t exist. Many CISOs are just acting up most of the time. They leave after a few years out of frustration, having achieved very little in practice.
The situation is compounded by chronic long-term execution failure in many large firms around cybersecurity.
That’s not necessarily the CISO’s fault in itself. Large firms are by essence siloed, political and territorial in my experience. The inherently complex and cross-silo nature of cybersecurity issues comes in conflict with those dynamics, and if corporate governance structures are not in place to cut across, very little gets delivered over time in terms of transformative cybersecurity efforts, beyond low-hanging fruits or alleged quick-wins.
Nevertheless, it creates a climate in many firms between senior executives and their security team that has the potential of becoming quite toxic.
The type of bottom-up communication towards senior executives that CISOs and their consultants have tried to build over the years has simply failed.
The narratives developed around “cybersecurity as an enabler” or “return on security investments” were simply trying to address by rational means a situation which is not rational in essence but driven by cognitive biases and deeply rooted corporate governance practices or dysfunctions.
Seeing it from the other side of the table, many senior leaders would have seen CISO after CISO coming in asking for millions before leaving a few years later with things half done. And that breeds distrust.
Distrust breeds reluctance from business leaders to invest further until something happens; the lack of resources (real or perceived) feeds the CISO's frustration and their short tenure, which is one of the main cornerstones of this “spiral of failure” around cybersecurity.
Two things need to be done, in my opinion, in firms trying to break out of those dynamics.
First, the CISO role needs to be split. It is pointless to carry on pretending the role is functioning well. It has simply become too complex to carry for the people it attracts.
A formal CSO role needs to emerge at Leadership team level, encompassing all business protection aspects at large, including cybersecurity governance, but also regulatory reporting, compliance management and business resilience.
The challenge here is to make the portfolio broad enough to attract the right calibre of business leader and present a genuine career opportunity. I think those topics are complex and deep enough to justify the approach and the role.
From a corporate governance perspective, this is a move any Board should support, but it should also help any Leadership team to have one single individual across the table acting as a stakeholder on all those matters.
Accountabilities and personal liabilities may come into play in some industries or geographies, but the challenge is worth considering, as it would cement unequivocally the importance of business protection values at the heart of the firm’s management structure.
The role of the CISO itself can then be returned to its native technical remit, stripped of the managerial and governance layers it has accumulated organically over the years, and for which the current generation of CISOs is poorly prepared.
The role should also be refocused strongly on execution. There, I strongly agree with the last point in the code of conduct where we started from.
The time has come for CISOs to stop complaining and get things done with the resources they have.
Showcasing execution ability, without constantly asking for more, will build or rebuild trust with senior executives.
In turn, trust will bring more resources, in particular if coupled with the unequivocal support of a CSO role, embodying business protection values at the top of the firm and able to support cybersecurity initiatives top down as well as sideways across corporate silos and geographies.
This is the type of new dynamic that will help businesses move forward where genuine and lasting transformation is required around cybersecurity.
It will also help frustrated CISOs get more from their job and hopefully lead to longer tenures.
It may also help with recruitment into those roles by making role descriptions more realistic, as opposed to many current ones that are frankly looking for profiles that don’t exist.
Firms cannot simply carry on with cybersecurity as they used to do ten or twenty years ago. Threats morph all the time and will continue to do so, but organizations have to reflect on their journey across the cybersecurity landscape over the last decades and understand where the roadblocks have been that have prevented progress. Many should be at much better cybersecurity maturity levels given the amounts invested over the years.
Making the role of the CISO work better is part of that. It is a key step, but we must leave no stone unturned, even if it means acknowledging that, in its current form, the role has run its course and needs evolving drastically.
JC Gaillard
Founder & CEO
Corix Partners
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
An edited version of this article was published on CSOonline on 8th September 2025 and can be found here.
