
CISOs Must Evolve or Be Sidelined

JC Gaillard's column on cybersecurity

Authority isn’t handed out in the boardroom. It’s earned by those who understand the business and lead from within.

 

There is a narrative around the role of the CISO that has been developing for a while, and with which I am growing increasingly uncomfortable.

It started a few years ago around scapegoating theories and has morphed into the “accountability without authority” paradigm that seems to be plaguing the role, according to many analysts, consultants and journalists.

“Organisations must redefine accountability and empower CISOs with real decision-making authority and invest in resilience,” according to some.

I am not disputing the fact that the role has become more complex over the past decades and that many CISOs are struggling, but this type of statement is disputable on at least three fronts:

 

Chronic Underinvestment Isn’t the Core Issue — Strategic Execution Is

First, in my view, the idea that the problems many CISOs are facing are rooted in chronic underinvestment around cybersecurity is misguided.

Most large organisations have spent significant amounts in that space over the past two to three decades. What they have struggled with is strategic execution due to their own endemic short-termism and their box-checking culture around compliance. Deprioritising cyber projects as soon as quick wins are delivered or boxes are checked against audit reports has never developed any kind of long-term maturity.

That type of culture breeds frustration with CISOs and has engineered a chronic problem of short tenures, which in turn has aggravated the long-term stagnation of cybersecurity protection levels: you cannot achieve much of transformative substance in two to three years in any large firm, due to their inherent latency and complexity.

That’s one of the engines at the heart of what I have been calling “the cybersecurity spiral of failure”, and those dynamics have dominated the last two decades in many organisations. They frame the real issues CISOs have to contend with.

 

It’s the Ability to Influence that Drives Authority in Large Firms — Nothing Else

My second point revolves around the idea that CISOs need to be given “real” decision-making authority for things to start changing.

To me, it reflects a fairly simplistic view around the way large firms operate at C-level (assuming you treat the role of the CISO as being at that level – something highly disputable in itself in many organisations).

Most large-scale decisions at that level are in fact driven by influence, because the modern enterprise is – almost by essence – siloed, political, territorial and dominated by personalities in many cases. That’s simply the harsh reality on the field.

Very often, nobody – at that level – has any “real” decision-making authority; decisions are made collectively and through internal influence networks. CISOs have to learn to operate in that way.

For many, this is indeed a real challenge, because they have spent the best part of the last two decades firefighting technical crises and have not developed the type of management finesse and political gravitas that would be required to build genuine influence at C-level. Expecting governance structures alone to “give” them authority is short-sighted.

 

Don’t Wait for the Organisation to Change — CISOs Must Evolve or Be Sidelined

Finally, the idea that it is down to “organisations” to change and empower the CISOs is also something I find misleading.

In my experience, corporate structures do not evolve in that way. It is down to CISOs to change to become true leaders, win those rights, and be accepted as such at C-level.

This is not something that will come out of technical competence, but out of a genuine ability to listen to the business, its priorities, its challenges, its culture and its governance practices, and to embed the cybersecurity strategy in a context the business does recognise and endorse.

Co-constructing the cybersecurity strategic framework with business stakeholders from the start is absolutely key in building those types of dynamics.

And that has to start in the first 100 days of the incoming CISO, a crucial period during which relationships with senior stakeholders are forged and solidify.

CISOs who start their tenure looking for technical quick wins to “prove themselves” often end up trapped in tactical games, from which they never escape.

Accountability and authority are not governance parameters that anybody really allocates in large firms: They are won (authority) or accepted (accountability) through a bond of trust between stakeholders.

CISOs have to accept that their role now belongs to that type of corporate complexity, and that it is down to them to learn to navigate it.

Ultimately, the future of the CISO role won’t be defined by board charters or revised governance models — it will be defined by the CISOs themselves, and it is down to them to evolve to make this happen. Otherwise, a CSO-type role is bound to emerge over time that will push them down.

Authority isn’t handed out in the corporate world; it’s earned through credibility, influence, and a deep understanding of the business you’re trying to protect.

Those who keep waiting for the organisation to change will keep waiting. Those who adapt, listen, and lead will shape the change.

 

JC Gaillard

Founder & CEO

Corix Partners


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

An edited version of this article was published on Forbes on 2nd February 2026 and can be found here.