The CEO of Cybersecurity (and Why Most Companies Still Get It Wrong)

Wooden blocks spelling CEO with a question mark on a newspaper, representing the CISO as the CEO of cybersecurity.
Published 02/23/2026
Author: Aaron Weissenfluh

Table of contents

The CISO Problem No One Wants to Admit

A CFO Before Accounting Existed

The Short, Brutal Life of a CISO

The CISO is Already Acting Like a CEO

Cybersecurity Touches Every Department

What CISOs Actually Need to Succeed

Compensation Should Match the Risk

The Invisible Success Problem

Final Thoughts: Cybersecurity is a Leadership Issue

"Being a CISO today is like being a CFO before accounting existed."

That line, paraphrased by Patrick Gray of Risky Business from former Facebook and Yahoo CISO Alex Stamos, lands uncomfortably close to the truth. You're responsible for protecting the business, the brand, customers, and sometimes even national infrastructure, all without a universally accepted rulebook.

And unlike finance, you only get noticed when something goes wrong.

The CISO Problem No One Wants to Admit

One of the first steps in building a resilient cybersecurity program is appointing a Chief Information Security Officer.

The second, and arguably more important, step is having that person report directly to the CEO.

Yet major organizations still skip this. Garmin, for example, did not have a CISO at the time of its massive ransomware attack just a few years ago. This isn't an isolated incident; instead, it reflects a troubling trend.

When cybersecurity leadership is buried under IT, risk becomes invisible until it explodes. The problem is structural, not personal: a CISO who reports to the CIO is asked to assess and challenge the security of the very systems their boss owns and is measured on, so findings compete with uptime and delivery priorities before they ever reach the executives who own the risk.

A CFO Before Accounting Existed

Imagine asking a CFO to protect the company financially before the Generally Accepted Accounting Principles (GAAP) existed.

No standard rules. No universal measurements. No agreement on what "good" looks like.

That's the CISO reality.

Despite frameworks, compliance guidelines, and standards, cybersecurity still lacks universally enforced rules of the road. CISOs are forced to make judgement calls that can end careers, often with incomplete data and competing business priorities.

GAAP compared to cybersecurity frameworks showing lack of universal standards for CISOs.

The Short, Brutal Life of a CISO

The average tenure of a CISO is closer to a UFC fighter's career than a traditional executive's.

It's stressful. It's public. And when things go wrong, you're often the first to go, even if the root cause was years of underinvestment or ignored warnings.

Cybersecurity is one of the few executive roles where success looks like nothing happened.

The CISO is Already Acting Like a CEO

During my time as a CISO for a major stock exchange, the role looked less like "security" and more like executive leadership.

I was responsible for:

  • Protecting internal systems
  • Shaping marketing messaging around security
  • Giving SOC tours to prospective customers
  • Speaking with board members and investors
  • Supporting sales conversations

At this point, the question isn't whether the CISO is a CEO; it's why they aren't treated like one.

Diagram showing how a CISO connects cybersecurity across sales, HR, finance, operations, and IT.

Cybersecurity Touches Every Department

Cybersecurity isn't an IT function. It's a business function.

As a CISO, you're embedded in:

  • Finance & Accounting: SOX reporting, fraud prevention
  • HR: Insider threat, hiring, terminations
  • Marketing: Metadata exposure, fraud prevention
  • Sales: Cyber assurance, customer trust
  • Compliance & Risk: Cyber insurance, audits
  • Facilities: Physical access, environmental controls

You see everything, which is exactly why CISOs need authority, not just responsibility.

What CISOs Actually Need to Succeed

If organizations want long-term cybersecurity resilience, CISOs must be empowered, not just boxed in.

Empowerment Must be Structural

  • Report directly to the CEO or Board
  • Unrestricted access to the Board of Directors
  • Termination only by unanimous board decision
  • A significant budget independent of IT with spending authority
  • Executive-level involvement in forecasting
  • Decision-making and veto power
  • Authority over hiring and firing

This isn't about ego. It's about accountability matching authority.

Compensation Should Match the Risk

You can't ask someone to carry existential business risk and pay them like middle management.

CEOs, CFOs, and COOs are compensated for financial performance, operational efficiency, and growth. CISOs, however, are responsible for preventing events that can shut down operations, destroy brand trust, trigger regulatory action, and permanently damage company value.

Despite this, cybersecurity leadership is often compensated like a supporting function.

If organizations expect CISOs to protect the business, they must be compensated accordingly.

Compensation Should Include

  • Salary comparable to CEO/COO peers
  • Golden parachutes aligned with executive leadership
  • Restricted stock or options

If a breach can erase billions in value, compensation should reflect that reality.

Chart comparing executive risk exposure, showing CISOs carry high risk with lower pay.

The Invisible Success Problem

The hardest part of being a CISO?

Proving you're doing a good job when nothing bad happens.

Cybersecurity success is quiet. There are no victory laps for attacks that never occur, no headlines for breaches that were prevented, and no dashboards that fully capture the chaos that didn't happen. When things are working, the work itself becomes invisible.

I was once told:

"We've been extraordinarily lucky we haven't had a breach in over a decade."

That mindset is more common than many leaders realize. Prevention is often mistaken for luck, and preparation is discounted until failure forces attention. The paradox is brutal: the better a CISO does their job, the harder it becomes to prove they're doing it at all.

If you advertise success, you become a target, both for attackers and for Murphy's Law. Yet if you stay quiet, leadership questions your value.

It's a no-win narrative unless organizations redefine how cybersecurity success is measured.

Final Thoughts: Cybersecurity is a Leadership Issue

CISOs aren't failed IT managers or compliance officers.

They are CEOs of cybersecurity.

Until organizations treat them that way (structurally, financially, and culturally), breaches won't be a question of if, but when.

And when that happens, the cost won't just be technical.

It will be existential.

Want More?
Check out our blog about why traditional penetration testing fails to catch modern cyber threats or subscribe for updates on our upcoming Ultimate Guide to Cybersecurity for SMBs.
© 2024 Tenfold Security Consulting, Inc. | All Rights Reserved