by ownagefool 1205 days ago
The CISO is an odd role because it mostly has to help protect against tech risk without owning tech, and because it's a bit of a crap role, you end up with all sorts of the wrong people and behaviours in the role.

Common Pitfalls:

- Act as a gate that slows everything down, i.e. it must be secure, which in turn makes things less secure, as there's less time on the board to fix things.

- Chase massive budget. Eventually get massive budget. Buy silver bullets that don't fit in tech's guns.

- Focus on the non-tech parts. We'll train people not to open cat.jpeg.exe instead of, you know, auditing their usage and turning off their kit / login when they're pwned.

As with anything, it's all about the people you put in place, but my experience is the average large company CISO sits on a pile of paperwork and IT security whilst their servers aren't patched.