Posts categorized: Leadership


The CISO Dilemma: Breaking Free from the Cybersecurity Deadlock


Why the Traditional Role of the CISO is Failing and How to Fix It


Recent surveys paint a stark picture of the CISO community—disillusioned, job-hopping, and locked in an endless struggle to justify cybersecurity needs to senior executives. Many find themselves trapped in a cycle of failed bottom-up initiatives, unable to drive real change in protecting their organizations from cyber threats.

This predicament is often seen as unavoidable, yet few analysts question how the cybersecurity industry ended up here—or how to break free from this ineffective model.

The Core Issue: Cybersecurity as a Technical Silo

For over two decades, businesses have treated cybersecurity as a purely technical discipline. Most CISOs today come from technical backgrounds, and their approach reflects this bias. They have long championed technology-driven, tool-based strategies that, for the most part, have failed to deliver meaningful results. Meanwhile, the pace of cyber threats continues to accelerate, fuelled by rapid technological and business evolution.

This reactive, firefighting approach has left many CISOs stuck in an operational loop, unable to develop the leadership and strategic skills necessary to engage effectively with the broader business community.

The Shifting Business Mindset

In contrast, business leaders have evolved. They now recognize the inevitability of cyberattacks and understand their devastating impact. The days of denial are over. What they expect now is effective execution—cybersecurity strategies that align with business priorities, not just technical solutions.

Yet many CISOs fail to adapt to this shift. They focus their communication on “what” needs to be done but neglect the “how”, reducing execution to a matter of headcount and investment. This narrow perspective weakens their influence and fuels their growing frustration.

Cybersecurity as a Business Imperative

To break this cycle, cybersecurity must move beyond its technical confines. It must integrate across corporate silos—engaging not just IT but also business units, support functions, and an increasingly digital supply chain. For many organizations, this requires a cultural transformation, not just new tools.

Achieving this in large enterprises demands governance structures that foster collaboration, leadership gravitas, and, above all, trust from other executives. Unfortunately, too few CISOs have built these capabilities over the years, leaving them disconnected from broader business objectives.

A New Model for Cyber Leadership

The perpetual dissatisfaction among CISOs stems from their inability to drive meaningful transformation. They move from one job to another, yet the fundamental challenges remain unchanged. Organizations, in turn, replace outgoing CISOs with candidates from the same mold—replicating the problem rather than solving it.

A more effective approach is to restructure the role itself by splitting its responsibilities:

  • Chief Security Officer (CSO): A senior, business-facing executive who is a visible part of the leadership team. This role should own and drive the cybersecurity agenda, regulatory compliance, business continuity, and resilience—ensuring security is embedded into the organization’s broader strategy.
  • Chief Information Security Officer (CISO): A technical expert reporting to the CSO (or possibly the CIO), responsible for the IT and technical execution of the cybersecurity framework.

While regulatory challenges and personal liability concerns may complicate this shift in some regions, it remains a strategy worth exploring to break the current cycle of failure in cybersecurity leadership.

The bottom line? If businesses want real cybersecurity progress, they need to rethink the CISO role—and if CISOs want to thrive, they must evolve beyond their technical roots.




JC Gaillard is the Founder and CEO of Corix Partners, a London-based Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation and Governance challenges.

He is a leading strategic advisor and a globally recognised cyber security thought leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track record of driving fundamental change in the Security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of transformation.

French and British national permanently established in the UK since 1993, he holds an Engineering Degree from Telecom Paris and has been co-president of the Cyber Security group of the Telecom Paris alumni association since May 2016.




Read more on our Security Transformation Leadership publication here on Medium


CISOs Want Influence—But Trust Has to Come First


Executives don’t need another cybersecurity pitch. They need results.


The CISO Report 2025 from Splunk has sparked widespread discussion across cybersecurity media. The dominant narrative? CISOs are gaining more influence in the boardroom.

But beneath the headlines, familiar struggles persist. Many CISOs still face budget constraints, lack essential soft skills, and experience daily job dissatisfaction.

None of this is new. Most CISOs come from technical backgrounds, and the corporate boardroom—full of politics, strategy, and business priorities—isn’t their natural environment.

The Comfort Zone Trap

Having spent over 25 years in cybersecurity and a decade writing about leadership and governance, I’ve had countless conversations with security professionals about this challenge.

Even those who acknowledge cybersecurity as a business issue often retreat to their technical roots when faced with uncertainty. It’s their comfort zone. But in high-stakes executive discussions, this creates a disconnect. Without trust, CISOs struggle to influence decision-makers.

The fundamental issue? Cybersecurity is still seen as a technical discipline—when in reality, it never has been and never can be.

Logic vs. Business Reality

Many CISOs approach interactions with senior executives as a debate to be won through logic, data, and ROI calculations. They dismiss “fear, uncertainty, and doubt” as outdated and prefer a rational, numbers-driven approach.

But this is the wrong battle. The resistance they face isn’t rooted in a lack of understanding or logic—it’s driven by corporate short-termism and deep-seated cognitive biases.

Executives don’t need another PowerPoint explaining the risks. They already know cyberattacks are inevitable and can be catastrophic. They’ve seen it happen to competitors. Many have lived through crises themselves.

To them, cybersecurity isn’t an isolated concern—it’s just one of many threats to the business, alongside economic downturns, regulatory changes, and supply chain disruptions.

Breaking the Deadlock

Business leaders aren’t looking for CISOs to tell them what needs to be done. They want it done. And after two decades of rising cybersecurity budgets, they’re tired of hearing the same requests for more funding and grand transformation plans that never fully materialize.

CISOs must shift their focus from justifying security needs to proving they can deliver with the resources they have. Consistent, effective execution builds trust. And trust—not spreadsheets or scare tactics—is what unlocks greater influence, better budgets, and long-term success.

That’s the real engine CISOs should be building.






The Cost of Data Breaches: Why the Numbers Don’t Add Up


Cybersecurity ROI is a flawed metric—here’s what truly matters to business leaders.


The cost of data breaches is a recurring topic in the cybersecurity industry. But here’s the challenge: no two breaches are exactly alike. The impact varies based on factors such as the industry sector, the attack’s target, and the victim’s level of preparedness.

Some costs are easy to quantify—such as forensic investigations, legal and PR expenses, and customer support for affected users. However, many researchers take this analysis further, attempting to estimate business losses and reputational damage. That’s where the exercise turns into a guessing game.

Take the 2024 Cost of a Data Breach report by IBM and the Ponemon Institute. While it provides a detailed methodology, its fine print exposes significant flaws:

  1. Inconsistent Comparisons: Year-on-year analysis is unreliable because sample groups change annually. Additionally, reported costs are estimated in local currencies and then converted to USD at fluctuating exchange rates.
  2. Unverified Respondents: The survey relies on “security and C-suite business leaders with first-hand knowledge of data breaches” at their organizations. But their experience levels vary, and their estimates—especially for factors like “business disruption, lost customers, and reputational damage”—are highly subjective.

This doesn’t mean the data is useless. But drowning in pages of decimal-point calculations often leads to misleading conclusions.

So why do these reports keep resurfacing? They reflect a long-standing belief among some industry leaders and security vendors: that cybersecurity investments must be justified with ROI calculations.

The logic goes like this:

  • Data breaches are inevitable.
  • A breach could cost X.
  • My product prevents breaches and costs Y (which is much less).
  • Therefore, investing in my solution delivers a return of Z.

While compelling on paper, this argument has been used for over two decades—and it simply doesn’t work. The numbers are often arbitrary, no single solution can stop all cyber threats, and executives are bombarded with similar justifications across every department.

At this point, senior leaders don’t need to be convinced that cyber threats are serious. They already know breaches can be costly, even catastrophic. They also understand the potential legal and personal liabilities.

What they need is confidence in their organization’s ability to execute a strong cybersecurity strategy. They need assurance that the right leadership is in place.

Ultimately, the most valuable currency in cybersecurity isn’t money—it’s trust. That’s where CISOs should be focusing their efforts.



