There are many misconceptions about the CISO role, which may be due in part to it being a relatively new position at many organizations, with most security leaders having come up through the ranks of the technology function.
This leads to the belief that CISOs are not savvy enough about the business and “shouldn’t have a seat at the table when we’re talking about how to move the business forward,” says Gregory Touhill, director of the CERT Division of the Software Engineering Institute at Carnegie Mellon University. “A lot of that goes back to the misperception that CISOs don’t understand the business and only need to know the technology.”
On the contrary, CISOs are the “bridge of the business leadership and the technologists,” stresses Touhill, who was the first US government CISO, appointed in 2016.
The CISO role “is often misunderstood by executives, board members, and even their own teams,” and this can hinder security effectiveness, notes John Allen, managing director of technology, media, and telecommunications (TMT) at cybersecurity consultancy MorganFranklin Cyber.
Here are seven misconceptions about CISOs and how they can change them.
1. CISOs are just ‘the security person’
One thing security leaders want you to know loud and clear is that they aren’t just there to change passwords, apply patches, and set up firewalls. Today’s CISOs typically don’t have a lot to do with day-to-day operations. They focus more on big-picture issues, such as securing workloads and applications in the cloud, and securing AI tools.
Further, they sometimes participate in M&A strategy, assessing the security posture of a potential acquisition target to identify any risks that could impact valuation, regulatory compliance, or integration into the existing company.
“There is a misconception that a CISO’s day is consumed by responding to incidents and being briefed on emerging threats,” notes Katie Jenkins, executive vice president and CISO of Liberty Mutual Insurance. “While of course there is some amount of both, my time is also spent on proactive planning, connecting with stakeholders to understand their priorities, educating others — and educating myself, for that matter.”
The field is changing so rapidly, Jenkins adds, she needs to commit time to keeping up on research and connecting with other CISOs for knowledge exchange.
In addition to securing infrastructure, an effective CISO focuses on securing the business, experts say. This requires understanding how security fits into the business: not just concentrating on risk management, but ensuring security helps the company move forward without creating other problems.
Instead of viewing them as “tech enforcers,” it’s time to view CISOs as strategic business leaders, industry experts say.
2. Security is purely a technical function
Similarly, you can have the best tools and the best security stack in the world, but if your employees are still clicking phishing links or reusing weak passwords, that all falls by the wayside. The CISO role is evolving, and today CISOs must wear many hats, serving as psychologists, educators, and diplomats, in order to convince people that security is everyone’s job.
This is because often, no one thinks much about security — until there is an issue. Additionally, leadership may not view security as part of the corporate culture. Experts say a strong CISO spends as much time working with people as they do with tools.
“I’ve lost count of how many times someone assumed my day revolves around configuring firewalls or patching vulnerabilities,” says Sam Taylor, CISO of security resources firm LLC.org, adding that she runs into this all the time.
“In reality, about 70% of my job is risk management, communication, and making sure security gets taken seriously at the executive level. I spend more time in boardrooms than I do in security operations centers,” she says. “Leadership teams don’t care about technical jargon; they care about risk in financial terms.”
However, when Taylor explains that a weak security posture could cost them millions in lost revenue, legal fees, and regulatory fines, then they listen.
“The role has changed, and the CISOs who don’t evolve struggle to make a real impact,” she says. “A company can have the best security tools on the market, but if security isn’t part of the culture, breaches still happen.”
It starts at the top, and yet, “There are still quite a few boards as well as business leaders who still view cybersecurity as an IT function rather than a business risk issue,” says MorganFranklin Cyber’s Allen. “A colleague of mine in the financial sector noted that their board expected security threats to be resolved through tools and software without recognizing the importance of governance, employee training, and cultural change.”
Many people consider cybersecurity to be a technical issue, agrees Flavio Villanustre, senior vice president of technology and global CISO of LexisNexis Risk Solutions. “This is far from the truth. Modern CISOs are responsible for all aspects of cybersecurity, far beyond its technical components and implications,” he says.
Misconceptions about the CISO role are glaring in particular industries. For example, in media and telecom, security is often viewed as a compliance checkbox or an IT function rather than a fundamental enabler of business resilience, Allen says. He recounts a conversation he had with a digital media security executive who shared that leadership focused on regulatory compliance but neglected proactive security investments — until a high-profile breach compromised subscriber data.
“In tech companies, security is sometimes treated as an engineering problem, with executives assuming that DevOps teams can handle security without dedicated governance,” Allen notes. “The reality is that security needs to be integrated into business strategy, from intellectual property protection in media to safeguarding telecom networks against nation-state threats.”
3. CISOs have full control over cybersecurity
Many executives and boards believe that hiring a CISO means security is controlled. In truth, cybersecurity is a business-wide responsibility, says Allen. “Without cross-functional collaboration, the CISO’s impact is limited. Many CISOs frequently share stories of advocating for security initiatives, only to encounter resistance from leadership prioritizing convenience or short-term financial gains over long-term risk reduction.”
For example, a former client of Allen’s from a Fortune 500 company told him that budget constraints and business risk tolerance often override security recommendations. “Security leaders must navigate tough compromises, and when incidents occur, they can be unfairly blamed — even if their recommendations weren’t fully implemented due to business trade-offs,” Allen says.
A related misconception is that many executives assume that CISOs have full autonomy over security strategy. However, security leaders often work within the constraints of aggressive product roadmaps, tight budgets, and executive risk tolerance, he says.
“In talking with a former CISO at a fast-scaling SaaS company, she described the difficulty of enforcing stricter security measures when leadership prioritized speed-to-market over secure coding practices,” Allen recounts. “Similarly, in telecom, security teams may advise on protecting critical infrastructure, but final decisions are influenced by business priorities, regulatory pressures, and customer demands.”
When incidents occur, CISOs are frequently held accountable, even when security recommendations were deprioritized by the business, he says.
4. The C in the title means they are an officer of the company
That leads to another scary misconception for CISOs and CISO candidates: Because the word “chief” is in the title, that means they will be an officer of the company, says SEI’s Touhill. In fact, “the vast number of CISOs are not named officers of companies — and the impact of that is profound.”
Officers and directors are covered under a company’s director and officer insurance policy, he says. If a major cybersecurity breach occurs and the CISO isn’t covered, there can be personal liability. Touhill says it is critical for CISOs and CISO candidates to ask the company whether they will be covered under a separate policy to indemnify themselves when they are acting in the best interests of the company, so they are not personally sued.
People don’t think of CISOs as being at risk of personal liability as part of their job, echoes Villanustre. “The CISO role is not exempt from challenges arising from the continuous changing cybersecurity landscape, as risks and threat actors evolve. In fact, CISOs are becoming personally liable to civil and criminal charges.”
This is likely driving the short average tenure for CISOs, which ranges from 18 to 26 months, Villanustre observes. “This is far lower than the five-year average tenure of the C-suite.”
5. CISOs can eliminate risk
There is an unrealistic expectation that a security leader should be able to stop every breach before it happens. Breaches will happen. Their real job, security experts say, is minimizing impact, keeping systems resilient, and ensuring the company bounces back fast afterwards.
“People often believe CISOs can stop all attacks, but this could not be farther from the truth,” says Rafay Baloch, CEO and founder of cybersecurity consultancy RedSecLabs. “Breaches happen based on timing rather than likelihood, which challenges this perspective.”
This stems from a big misconception that “cybersecurity is only done by people with a cybersecurity job title, when in fact, an entire organization serves as the first line of defense,” says Liberty Mutual’s Jenkins. “It takes every employee to ‘don their cape.’” Liberty Mutual’s Responsible Defender program requires the company’s 40,000 global employees “to use their training and instincts to help us identify and defend our company against cyberattacks,” she says.
6. CISOs are a barrier to innovation
Business leaders often view security as a roadblock and believe CISOs slow innovation with extreme risk assessments and compliance requirements. On the other hand, many CISOs maintain they actually help their businesses move faster by ensuring innovation happens securely.
Security should be viewed as a company-wide function that requires buy-in from every department, and CISOs should not be treated as the lone defenders against cyber threats.
Security leaders can often be perceived as slowing down innovation, according to Allen. Startups, for example, may resist security controls that introduce friction in user experience, while media companies may push back on digital rights management (DRM) enforcement because it complicates content distribution, he says.
“A colleague of mine at a global streaming platform explained how they struggled to implement stronger API security because it was seen as an ‘unnecessary delay’ to feature releases — until API vulnerabilities were exploited, impacting millions of users,” Allen says. “In reality, CISOs are not anti-innovation; they are there to ensure sustainable growth by embedding security into digital transformation efforts rather than bolting it on later.”
In many industries, CISOs must balance risk with business agility, regulatory demands with user experience, and cybersecurity with corporate innovation goals, Allen says. “Their role extends beyond technical oversight — they must be strategic partners who bridge the gap between security, product development, and business operations.”
7. CISOs don’t have mental health issues
There is a mistaken impression that CISOs can handle the stress of the job. Even though organizations are under attack 24/7/365, the thought is that by the time you get to the level of CISO you don’t have to worry about your mental health, Touhill says, calling this “a vicious myth.”
He strongly encourages CISOs to not only have a plan in place to take care of the mental health of their security teams, but also have a “really, really good deputy ready to step in so you can take a vacation.” He adds, “You cannot win a marathon if it never ends. You have to take care of yourself and be constantly aware of your own mental health, not just the people you’re taking care of and leading.”