by int0x2e 1207 days ago
That's insightful, but I still think the assumption that the CISO has to go when the company gets compromised is a big issue. Instead of security being a team effort, with the goal being making the hard choices together, finding the correct compromises to let the business thrive while being secure - it usually makes the CISO take an adversarial position to anything in their company - since it's always their head if something bad happens...

Amazing CISOs lead security by enabling others to make secure choices that still let them move quickly and deliver value. To do that - they shouldn't always be one hack away from losing their job.

2 comments

The CISO is an odd role because it mostly has to help protect against tech risk without owning tech, and because it's a bit of a crap role, you end up with all sorts of the wrong people and behaviours in the role.

Common Pitfalls:

- Act as a gate that slows everything down, i.e. it must be secure, which in turn makes things less secure, as there's less time on the board to fix things.

- Chase massive budget. Eventually get massive budget. Buy silver bullets that don't fit in tech's guns.

- Focus on the non-tech parts. We'll train people not to open cat.jpeg.exe instead of, you know, auditing their usage and turning off their kit / login when they're pwned.

With anything, it's all about the people you put in place, but my experience is the average large company CISO sits on a pile of paperwork and IT security whilst their servers aren't patched.

The CISO gets blamed and fired because it’s a language that shareholders understand. You think shareholders are going to understand that the CISO enabled others to make secure choices?