In today’s fast-paced, hyperconnected business environment, it’s nearly impossible to pick up a newspaper or scroll through a news feed without reading about another major cybersecurity breach. The reality is stark and unrelenting: the stakes for enterprise security have never been higher. Organizations are increasingly vulnerable to threats that can disrupt operations, compromise customer trust, and inflict reputational damage. It’s a time of uncertainty, and every CEO feels the weight of these risks.
Yet, there’s a fundamental disconnect at play within many organizations. Business leaders demand world-class security outcomes and hold their Chief Information Security Officers (CISOs) accountable for safeguarding critical assets. At the same time, these CISOs often lack the authority, autonomy, and resources they need to succeed. In many cases, security leaders are asked to secure the enterprise like a fortress, but are given only a handful of tools and a seat in the back row.
The result? A professional landscape where some of the most skilled CISOs are reconsidering their career choices, stepping back from their roles, or becoming mere figureheads who tick a compliance box rather than truly guiding strategic security decisions. If this trend continues, the risk for businesses is enormous: a talent drain that leaves security leadership in disarray and makes organizations less resilient.
Below, I present an expanded perspective on veteran CISO Tyler Farrar’s open letter to CEOs. It’s a call to action for leaders who genuinely want to harness the potential of their security chiefs. It outlines why empowerment, genuine leadership roles, and strategic integration for the CISO aren’t just idealistic goals — they are imperatives for thriving in a landscape dominated by cyber risk.
The Quiet Exodus of Top CISOs
Veteran CISO Tyler Farrar recently penned a piece titled “The CISO Paradox,” touching on a frustration that resonates deeply in the cybersecurity community. Upon its publication, many CISOs reached out, sharing their own stories, each narrative highlighting the same systemic issue: The role comes with enormous accountability but little decision-making power.
This prompted a conversation between Farrar and Den Jones, founder and CEO of 909Cyber. Jones made a critical observation:
“We’ve never seen a time like this where so many quality CISOs are considering stepping back from the role. The next few years will be interesting to watch the evolution of the CISO.”
When skilled, battle-tested leaders contemplate exiting their roles, it’s time for CEOs to ask why. Is it because these CISOs are ill-equipped? Unwilling to step up? Unlikely. More commonly, it’s because their roles have become unfulfilling and ineffective. Organizations say they prioritize security, yet fail to provide the CISO with a genuine mandate. As a result, leaders who could have made a transformational impact are left hamstrung, frustrated, and, ultimately, ready to leave.
The Core of the Problem: Accountability Without Authority
Imagine asking your CFO to manage the company’s finances without the ability to approve budgets or allocate resources. Picture your COO being tasked with overseeing operations without influence over logistics, hiring, or process improvement. Such scenarios would be absurd. Yet, that’s precisely the predicament many CISOs find themselves in today.
CISOs bear the ultimate responsibility if a breach occurs, and the C-suite expects them to own the consequences. But what happens when a CISO isn’t looped into product development discussions, isn’t allowed to integrate security earlier in the software development lifecycle, or doesn’t have the budgetary discretion to invest in the right controls? Such a security leader is being asked to fight a war without ammunition, and failure becomes all but inevitable.
This misalignment doesn’t just undermine cybersecurity; it undermines the business itself. Security should be a strategic enabler, not a roadblock. Organizations that fail to empower their CISO are essentially navigating the digital economy with a blindfold. They risk costly breaches and lose the ability to make informed, confidence-backed moves into new markets, products, and partnerships.
Security as a Strategic Partner, Not an Afterthought
Too often, major strategic moves — from market expansions to mergers and acquisitions — are decided before the CISO is brought into the conversation. The CISO’s participation occurs late, reacting to decisions rather than informing them from the start. The result is a patchwork approach to security: reactive, costly, and frequently less effective than a proactive, integrated strategy would be.
Security must be woven into the organizational fabric. The CISO should sit alongside the CEO, CFO, COO, and other senior leaders, shaping strategy, identifying risks early, and ensuring that the company’s growth is supported by a robust security posture. When integrated properly, a CISO can help the organization pursue opportunities with confidence, knowing potential threats are being managed, not ignored until they become crises.
Rethinking the Role of the CISO: Leadership First
In Farrar’s open letter, he challenges CEOs to consider the nature of their current CISO. Are they seen as a glorified IT manager, responsible only for ticking compliance boxes? Or are they genuinely a business leader — someone with the soft skills and vision to align security efforts with the broader corporate mission?
The number-one competency a CISO should possess is leadership. Technical expertise is crucial, yes. Understanding governance, risk, compliance, and application security is mandatory. But these skill sets alone won’t bridge the gap between cybersecurity and corporate strategy. What organizations need are CISOs who can:
- Communicate Effectively Across the Business: A leader who can explain complex security concepts in business terms, helping non-technical stakeholders understand risks and opportunities.
- Inspire and Align Teams: Someone who can rally the organization around a shared vision of security, from the engineering teams to the executive committee.
- Make Tough Decisions Under Pressure: Whether responding to an active threat or guiding long-term investments in security infrastructure, the CISO must have the authority — and the courage — to take decisive action.
- Drive Strategic Integration: A CISO who is embedded in strategic discussions can ensure security is not an afterthought, but a fundamental aspect of growth initiatives.
If your current CISO cannot embody these leadership qualities, the fault may lie not just with that individual but also with the hiring, onboarding, and support framework your company provides. Perhaps the role was under-leveled from the start, or the position was filled by someone content to simply hold the title without challenging the status quo. In a landscape as dynamic and perilous as cybersecurity, that won’t cut it.
Empowerment Begins at the Top
Empowering a CISO is not about inflating budgets unnecessarily or handing them unchecked power. It’s about setting clear expectations, granting appropriate authority, and fostering an environment where security is seen as a partner in success rather than a hindrance.
As a CEO, you set the cultural tone. If you marginalize security, everyone else in the organization will follow suit. Conversely, if you treat your CISO as a true executive peer, integrate them into strategic conversations, and measure their success not just by the absence of breaches but by how effectively they enable the business to thrive in a secure manner, you can transform the role — and your entire organization’s trajectory.
Key Steps for CEOs to Empower Their CISO:
- Include Them at the Decision-Making Table: Don’t wait to bring your CISO in at the eleventh hour. From R&D initiatives to market expansion plans, their insights can save you from costly missteps.
- Grant Authority in Tandem with Accountability: If the CISO is responsible for security outcomes, they must have the ability to influence policies, guide investments, and veto risky endeavors that could lead to large-scale breaches.
- Invest in the Right Leader: The best CISOs come with a price tag. Leaders who bring strategic thinking, communication finesse, and a track record of building secure yet agile infrastructures are worth the investment. Remember: you get what you pay for.
- Foster Cross-Functional Collaboration: Encourage your CISO to form close partnerships with the CFO, the COO, the head of marketing, and other leaders. Security touches every function in the modern enterprise, and collaboration builds resilience.
The Payoff of an Empowered CISO
What happens when you empower your CISO and treat security as a core business function rather than a bolt-on? The benefits are profound:
- Strategic Alignment: Security no longer operates in a silo. Instead, it aligns with and supports the company’s strategic goals, enabling the organization to enter new markets, launch new products, and embrace digital transformation with greater confidence.
- Early Risk Identification: When the CISO is involved from the outset, potential threats are identified, assessed, and mitigated before they escalate. This proactive stance saves time, resources, and, most importantly, the trust of your customers and partners.
- Cultural Shift: Over time, empowering your CISO fosters a security-centric culture. Employees become more aware of their roles in maintaining a secure environment, adopting best practices that help safeguard data and infrastructure.
- Talent Retention and Attraction: An environment where the CISO is respected and supported attracts top-tier cybersecurity talent. Skilled professionals want to work where they can make a difference, and that starts with strong, visible leadership at the top.
A Final Appeal to CEOs
As Farrar’s letter concludes, it implores CEOs to ask themselves tough questions: Is the CISO regularly included in key strategic decisions? Are they empowered to align security initiatives with broader business objectives? Have you hired a truly capable CISO, and have you nurtured their ability to lead?
If any of these answers is “no,” it’s time to rethink your approach. The digital economy is unforgiving to organizations that treat cybersecurity as a mere afterthought. The potential cost of ignoring this shift in mindset is enormous: from crippling breaches to wasted resources, to a stunted ability to grow with confidence.
The solution lies in leadership. It’s about recognizing that your CISO is not merely a technical expert or a cost center but a strategic partner who can guide the organization through the treacherous terrain of modern cybersecurity threats. By empowering your CISO, you set the stage for sustainable resilience, unlocking not only better security outcomes but also greater business success.
In the words of Tyler Farrar:
“I urge you to think differently about the role of security leadership in your organization and consider how an empowered CISO could transform not just your defenses, but your entire business strategy.”
The path forward is clear. Will you take it?
— Afonso Infante