The lazy myth that CISOs “don’t understand the business” has to go
Talking about the lazy myth of the “too technical, too much into the weeds” CISO
There are many things we repeat in security that are just not true. “Security is the department of ‘No’” (if anything, security is the one that gets told ‘No’). “There is a talent shortage in cyber” (yes, there is a huge gap in senior, specialized talent, but an oversaturation of entry-level talent). “Security is the most crowded market” (not even close; there are 5-10 times more marketing tech tools, fintechs, and many others). “Attackers only need to get it right once, defenders have to get it right every single time” (the opposite is closer to the truth: attackers need to stay undetected for the entire operation, and a single mistake can burn them). “Sixty percent of small businesses close within 6 months of being hacked” (my friend Adrian Sanabria did a USENIX talk about this one and a few other myths).
We know that there is a lot of nonsense being repeated, and over the past decade, we have started to challenge it. There is now even a dedicated book titled “Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls that Derail Us” by Eugene Spafford, Leigh Metcalf, and Josiah Dykstra. The point is, we are moving in the right direction.
There are, however, several myths that are just too persistent, and many years later, they are still widely accepted as truth. In a previous article, I tackled two: that “we aren’t getting any more secure than before” (not true) and that “there are simply too many security tools and we need fewer of them” (also not true). This week, I am taking a stab at another egregious one: that “most CISOs are really bad at understanding the business, can’t translate risk into business language,” etc.
This issue is brought to you by… Tines.
Two decades ago, there were few CISOs with a strong track record as business leaders
“CISOs aren’t business leaders”, “CISOs can’t translate risk into business language”, “CISOs talk gibberish, and the board doesn’t understand what they are trying to say.”... All these statements are a part of the same narrative that CISOs are too much into the weeds, which prevents them from being great leaders.
Thirty years ago, in 1995, Steve Katz (1942 - 2023) was named to the newly created CISO role at Citicorp. This is generally considered the first time a company hired a dedicated CISO. Over time, many other businesses delegated responsibility for security to dedicated leaders, elevating them to the role of a C-level executive (at least on paper). Despite what many would assume, this transition hasn’t been an easy one. When Steve Katz was invited to step into the CISO role, it wasn’t because Citicorp had realized that technology needs to be secured. Instead, around 1994, there were rumors that Citicorp had been hacked, and no one knew whether they were true. It turned out that Citicorp’s systems had indeed been compromised, and Russian hackers had stolen more than $10 million from the bank. All this makes it obvious that from the very first day, the CISO role was designed to take responsibility for some of the hardest problems.
When more companies started hiring CISOs, there obviously wasn’t much of a talent pool of astute business execs with expertise in cybersecurity. On one hand, since the role was new, there were no people who had done it before. On the other hand, since companies had no experience hiring or working with CISOs, they couldn’t clearly frame what was expected of them or how they could succeed after joining. It ended up being a lot of on-the-job learning on everybody’s part: CISOs had to figure out P&L ownership, strategy, and working with boards, while companies hiring CISOs needed to learn where to draw the line between other roles and that of the CISO.
It didn’t help that different companies had vastly different motivations for hiring a CISO. Some wanted a partner who could advise them on risk and help the business become more resilient; others just needed someone who could take the blame when things inevitably went wrong. The unfortunate part has been that many of the CISOs hired to act as scapegoats were given no resources and no executive support to actually make a difference. To put it differently, they were set up to fail. I don’t know how many of the roles at the time fit this description, but I do know that many security leaders got pretty disillusioned by their early CISO gigs.
People who took CISO roles early on were often getting great promotions, at least in terms of title (not so much in terms of compensation or responsibility, but that’s a whole separate story). Since most of the newly minted CISOs were experienced managers or directors, getting that “C” in their title was surely a great thing. Were they ready to do these jobs effectively? It’s a rhetorical question, but also, is anyone ever ready? Is a senior engineering manager ever ready to become a CTO? Is a senior finance leader ever fully ready to become a CFO?
The answer in most cases is no, but CISOs indeed had some real work to do. Most had no MBA and no background in business, so there were a lot of gaps to close. If you had shown up twenty-five years ago and said, “CISOs aren’t business leaders”, “CISOs can’t translate risk into business language”, “CISOs talk gibberish, and the board doesn’t understand what they are trying to say,” I think most CISOs themselves would have agreed with you.
Fast forward to 2026, and the world looks very different.
Present-day CISOs are expected to be well-rounded business and technical leaders
It may come as a surprise to some, but a lot has changed since 1994, both in the world at large and in security in particular. I’ll skip over internet adoption, social media, smartphones, IoT, cloud, and AI, because talking about that would make me sound condescending. However, I do have to point out a few security-related changes:
Most people who took CISO roles before the year 2000 have either retired or found new careers as risk and strategy consultants, board members, etc.
Many people who are looking for entry-level security roles today were born after Steve Katz became a CISO.
The infrastructure today looks completely different from what it did back then, the way businesses operate today is completely different from how they did back then, the way people work today is completely different from the way they did back then, and the list goes on.
The point is, the world has changed, and the CISO role has undergone a complete transformation.
CISOs today aren’t trying to figure out how to do their jobs; they have all the ingredients to be good at them. CISOs have formal education programs like the one at Carnegie Mellon, associations like the Professional Association of CISOs, resource hubs like CISO Tradecraft, podcasts like CISO Series, and a virtually limitless number of other things. I’ve seen plenty of security leaders with an MBA, and many more with master’s degrees in security leadership. There are also plenty of incredible books, covering everything from risk frameworks to leadership advice and management skills (Assaf Keren, for example, recently published Lessons from the Frontlines, and Ross Yong’s book Why Most Budgets Go to Waste was released last year). If two decades ago there was barely any information about what a CISO role entails, today security leaders have more advice and resources than they probably need.
CISOs, for their part, are hungry to grow. I see more and more CISOs pursuing certifications like NACD.DC and DDN QTE to prepare for board roles, taking advisory roles with startups, and getting involved with nonprofits. Take a look at the number of great CISO events, panels, and podcasts, and you’ll see people who are eager to do more.
Then there is executive and board support, a critical ingredient for any CISO to do their job. Obviously, it would be an overstatement to say that every security leader has what they need to be successful; in practice, things are pretty far from that. There are still plenty of organizations out there that view the CISO role as a liability shield, and there are still many companies that don’t want to truly invest in security, or have no desire to do the hard work that maturing defenses actually requires. All that said, a growing number of companies recognize the importance of security and dedicate the resources to do it well. In addition, in many organizations, CISOs have earned the ability to work directly with the board, which further elevates their impact.
When I talk about all these changes, I don’t mean that business majors are getting MBAs to become CISOs; I am talking about seasoned technologists looking to grow as leaders. Present-day CISOs are expected to be well-rounded business and technical leaders; being good at either business or technology alone is no longer enough.
Most of the present-day CISOs are already well-rounded business and technical leaders
The reason I get so frustrated when I hear that CISOs are “too technical, too much into the weeds” or “unable to talk to the board” is that these statements are rooted in a past that is long gone. The overwhelming majority of present-day CISOs are pretty well-rounded business and technical leaders.
Think about security budgets for a second. We live in a world where every dollar invested in security competes with growth initiatives like sales, marketing, and engineering, all while security continues to be viewed as a cost center with an asymmetric downside. Yet despite all this, many CISOs still get budgets approved for new tools, for hiring more people (though this one is trickier), and for making sure that critical areas like endpoint, cloud, identity, and network have solid coverage. Do you really think that when the CFO and CEO are deciding where to allocate budget, and the CISO ends up getting the money, it happens because the CISO bamboozles them with technical jargon and some CVE-2024-XXXX speak? If you actually believe that, you need to think twice. Every dollar invested in cyber is a dollar not invested in growth, expansion, and other strategic, revenue-generating activities. I would argue that any CISO who can get their executive team to fund new security initiatives, when everything is about cost-cutting and top-line growth, is a master communicator, negotiator, and evangelist.
Then there is the whole topic of working with the board. Everyone walking into the boardroom for the first time, be they CEO, CTO, CRO, or CISO, will have a lot to learn about what boards care about and what they don’t. Are there no CTOs who walk into the room expecting to be asked about their roadmap, only to end up having to talk about how the upcoming product is going to affect the company’s margins? Of course there are. Are CISOs making the mistake of assuming that the board wants to hear more about the work of security teams than it does? I am sure some are. And yet, contrary to popular belief, CISOs do not walk into boardrooms to discuss CVE-2024-XXXX (not the CISOs I’ve met anyway, and I have met plenty of them). Instead, they talk about business impact, regulatory exposure, operational resilience, brand and customer trust, and other areas relevant to the board. The idea that CISOs are “too technical” for the board ignores the reality that getting to the CISO role in 2026 requires mastering far more than technical triage.
It’s unrealistic to expect individual CISOs to fix the systemic problems of security
It would be an overstatement to say that all the problems have been solved, because they haven’t. Security continues to be hard, and while we have had three decades to evolve both the role of the CISO and the mechanics of the industry at large, some problems remain. These are typically systemic issues, not something we can expect individual CISOs to solve.
First, there is the fact that many companies just want a CISO to absolve them of problems with regulators if something bad happens. I am not suggesting that this happens often, but I have personally met CISOs stuck in roles without any resources or executive support. While I am sure there is some 1% of people who get stuck in these situations because “they are too deep into the weeds” and “they can’t explain the value of security,” the vast majority just get unlucky. Sometimes, convincing language and a strategic mindset are simply not enough (if you’ve been in this situation, you know what I am talking about).
Second, the value of security is objectively hard to communicate because it’s hard to measure. How do we measure risk reduction? How do we explain the ROI and quantify the savings from the attacks that didn’t happen because we had security controls in place? These are rhetorical questions, but when a CISO is working to get the budget for critical initiatives, they are forced to think about this. To be completely fair, it’s not just CISOs who struggle to connect their spend to outcomes. Take heads of people and culture (HR), or marketers who have a hard time attributing any sales activity to the specific initiatives they are driving. How do you quantify “good company culture” or “the value of the brand”?
Third, too many organizations hold security leaders to unrealistic standards. Boards want certainty, and executives still measure security success by “no breaches” instead of resilience. Despite the fact that security teams can usually only advise on risk and rarely own the implementation of most controls, CISOs are expected to own the outcomes when those risks materialize. It’s also why posture management tools took off: while CISOs like to say that they are tired of getting more visibility tools, the reality is that oftentimes, all security teams are empowered to do is get visibility into all the badness (nobody gives security the ability to fix anything directly).
Closing thoughts
While the CISO role has existed for 30 years, and while a lot has changed, some problems remain. We most definitely need to debate these problems and continue maturing our practices. At the same time, it’s really time to retire the lazy idea that CISOs are “bad communicators who don’t understand the business”. We are talking about people who have spent their careers getting to where they are, and they must have mastered some skills beyond triaging vulns and alerts along the way.
The reality is more complicated and much less convenient: security is difficult to measure, difficult to justify, and impossible to “win” in absolute terms. CISOs who survive, and especially those who succeed, do so precisely because they’ve learned how to navigate that complexity. That is what being a business leader in security is all about.


