
Why Most CISOs Never Make It to the Strategy Table


Cybersecurity leadership is earned through influence, not expertise—and most leaders get it wrong from day one


I have had a very interesting discussion with Ros Cardinal on her podcast for Shaping Change, and that has prompted me to reiterate a number of points I have been making over the past few years, and in particular since the launch of “The First 100 Days of the New CISO” in November 2025.

One of the most persistent misconceptions I still encounter in cybersecurity is the belief that the CISO role is primarily technical. In my view, that misunderstanding continues to hold too many leaders—and organisations—back.

Cybersecurity as a profession is still relatively young. The first recognised CISO role only appeared in 1995, and most of us in the field come from technical backgrounds. That history matters. It explains why many CISOs still default to thinking and acting as technologists.

But the reality has changed.

Cybersecurity is no longer just a technical discipline; it is a matter of enterprise-wide risk. It touches strategy, operations, reputation, and ultimately the viability of the business. As a result, the role of the CISO has evolved. Technical competence is assumed. What differentiates successful leaders today is their ability to operate across silos, navigate organisational politics, and build trust at the executive level.

This is something I have been writing about since 2015, and I have consistently observed the same patterns. Too many CISOs repeat the same early mistakes, and those mistakes set the tone for everything that follows.

If you fail, as a CISO, to establish yourself as a true leader from the start, you may be limiting your ability to influence and deliver results down the line, and over time, frustration tends to follow. That frustration often leads to short tenures, and short tenures, in turn, contribute to stagnating cybersecurity maturity across many large firms. That is one of the main dimensions of what I have been describing as the “cybersecurity spiral of failure”.

Breaking those dynamics requires a different approach—one rooted in sequencing, not speed.

When leaders step into a new role, there is often an instinct to prove themselves through action. They look for quick wins, they immerse themselves in activity, they try to demonstrate value immediately. But this is misguided. What you really need to demonstrate is leadership.

And even if it sounds counter-intuitive, leadership, particularly in the early days, begins with humility and listening.

I cannot emphasise this enough: Listening, listening, and listening.

In your first weeks, your priority should be to understand how the organisation truly works. Not just the formal structures, but the unwritten rules—the networks of power, the real decision-making processes, the cultural dynamics. Large organisations are complex, political, and often siloed. Cybersecurity challenges rarely exist in isolation; they are embedded in that complexity.

You need to understand where the pain points are, what has worked in the past, and what has not. Many organisations have invested heavily in cybersecurity over decades yet still struggle with maturity. That should prompt a simple question: why?

The answers often lie beyond technology—in governance, culture, or even personalities. Ignoring those dimensions is a mistake.

The credibility you will build through true listening will in turn become your most valuable asset. And credibility must come before attempting change.

I often advise incoming CISOs to ask a very simple question when meeting stakeholders: “How can I help you?” It may sound basic, but it is incredibly powerful.

When you listen to the answers and embed those expectations into your strategic narrative, something important happens: The strategy becomes theirs, not yours.

That is when alignment begins.

On the other hand, credibility can be destroyed very quickly. I see it happen all too often when leaders arrive with ready-made solutions—pet initiatives, preferred vendors, or approaches that “have worked before.” Every organisation is different. Failing to recognise that signals a lack of awareness and, frankly, a lack of humility or even experience.

To bring structure to this critical period, I often describe the first 100 days as a rhythm rather than a checklist:

  • Six days to map the landscape.
  • Six weeks to co-construct the strategic narrative.
  • Six months to build the operating model and governance.

This sequencing matters. If you try to accelerate too quickly—if you jump straight into execution without alignment—you are building on fragile foundations.

Another trap I frequently observe is what I call the “illusion of precision.” Some leaders believe that complexity signals depth, so they produce overly detailed, highly technical strategies early on.

In reality, effective cybersecurity strategy is simple. It is aligned with business objectives and stakeholder expectations. You will know you are on the right track when stakeholders start articulating that strategy themselves—when they play it back to you in their own words.

Communication, in this phase, also requires discipline. There is a tendency to speak too much, too soon. I would argue the opposite: Say less, observe more.

Authority is not something that is handed out in the boardroom. It is earned in the field, through trust and credibility. And trust is built by demonstrating that you understand the organisation and respect its dynamics.

This is also how you build political capital. By aligning your agenda with the needs and constraints of your stakeholders, you show that you are there to be part of the business, not impose an external vision. That alignment creates momentum. Conversely, pushing a personal or artificial agenda—no matter how well-intentioned—often creates friction and resistance.

Culture, ultimately, is the defining factor. One of the clearest signs of progress is when senior leaders begin to adopt and repeat the cybersecurity narrative themselves. At that point, it is no longer “your” strategy—it has become part of the organisation’s fabric.

If you get the first 100 days right, the impact is profound. You are no longer seen as a technical specialist, but as a trusted peer. You gain a seat at the table where broader business strategy is shaped, and you can embed cybersecurity within it.

If you do not, the outcome is equally clear. You may become a highly effective firefighter—valuable, certainly—but confined to a technical silo, rarely invited into strategic conversations.

And that, in my experience, is the most common mistake of all.


JC Gaillard

Founder & CEO

Corix Partners



Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.