
Still Fighting the Wrong Fight? The CISO Paradox in 2025


Why Most CISOs Still Miss the Point—and What Needs to Change

The CISO Report 2025 from Splunk has received widespread comment from online cybersecurity media. Broadly speaking, commentators have emphasized the CISO's growing boardroom influence, but in the background the old issues remain: many CISOs still struggle with budgets; they appear to lack softer skills; many suffer in their day-to-day job.

None of this is really new: Most current CISOs are technologists by trade and background. The complex, political environment of the boardroom is not their natural habitat.

I have been involved with cybersecurity matters for over 25 years and have been writing consistently about cybersecurity management, leadership and governance for the last 10. I have had countless discussions with security professionals along the same lines: Even if they acknowledge that cybersecurity needs to be treated primarily as a business concept, many tend to default back to their technology roots at the first available opportunity, simply because it is their comfort zone.

When it comes to interacting with senior executives and board members, this disconnect makes it difficult for trust to develop, and that’s the real cornerstone of the whole situation. Cybersecurity – i.e. the protection of the business from cyber threats – remains seen as a technical discipline, which it has never been and cannot be.

This is also compounded by the fact that most CISOs see their interaction with business leaders at large as some form of argument that has to be won through logic, reasoning and numbers.

They regard “fear, uncertainty and doubt” as an inferior way to communicate around security, an easier and less noble path.

They prefer trying to quantify return on investment or risk reduction in business or monetary terms but fail to understand that, in doing that, they are simply fighting the wrong battle.

The adverse prioritisation they are trying to fight is not rooted in logic or numbers. It is rooted in endemic business short-termism and deep cognitive biases.

It is not by explaining or demonstrating to business leaders what needs to be done around cybersecurity (or why) that you will win them over.

In fact, “fear, uncertainty and doubt”, which appeal to high human emotions, might have been more useful and effective vectors in the past, but in today’s world, they are probably too weak to generate a response.

“Doubt” and “fear” have probably become irrelevant in this context: Senior executives know cyberattacks are simply a matter of “when”, not “if”, and that they can take the business down if not properly managed. Most will have seen it elsewhere; many will have lived through similar crises.

And when it comes to “uncertainty”, it has simply become a normal business parameter, alongside volatility, complexity and ambiguity.

In short, for many business leaders, cyber-attacks are just part of a long list of situations that may adversely affect the business at any time.

Business leaders don’t want to be told what needs to be done to protect the firm from cyber threats. They want it done. And they are well aware of how much has been already committed financially to cybersecurity over the last two decades.

They are tired of seeing one CISO after another come in with grandiose plans, ask for millions, and then quit after a few years, leaving everything half done.

To break this deadlock, CISOs must focus on execution excellence and build trust over time by showcasing their ability to deliver with the resources they have, instead of constantly asking for more.

Successful delivery will build trust with senior stakeholders. Trust will bring more resources.

That’s the engine CISOs should concentrate on building.


JC Gaillard

Founder & CEO

Corix Partners


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

An edited version of this article was published on Forbes on 5th March 2025 and can be found here.