The CISO's Job Is Impossible

Defense in Depth

Over the past decade, the CISO role has evolved into a seemingly impossible job. But someone still has to do it. How must CISOs accept this Sisyphean role?

Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by David Spark, producer of CISO Series, and Yaron Levi, CISO, Dolby. Joining them is Joey Rachid, CISO, Xerox.

Listen to the full episode here.

It's a balancing act

The CISO role is often defined by contradiction—accountable for cybersecurity outcomes, yet limited in their influence, authority, or resources to drive meaningful change. “The main problem is with how top management in many organizations defines the role,” said Peter Granlund of If Insurance. “The CISO role is that of a sidekick… with a responsibility matching the mandate of the role,” not the final decision-maker on enterprise risk. Glenn Axelrod of Emissary.io echoes this challenge, describing it as “the ultimate balancing act—stressful yet demanding expertise in all trades,” where success hinges not just on technical skill, but on the ability to build strong teams and share the burden across the organization. “No single leader can shoulder the entire weight of security alone; it’s a collective effort,” said Axelrod.

Choose to leave the kids' table

The communication gap between CISOs and the rest of the executive team is more than a messaging issue—it’s a cultural and strategic misalignment, often perpetuated from within. “I have a hypothesis that a lot of the problem is our own darn fault,” admitted John Overbaugh, CISO at Alpine Investors. “We don't explain things so the rest of our 'first team' (execs) understand it.” Erik Bloch of Illumio pushes that idea further, arguing that some CISOs have grown comfortable in a position that lacks true business accountability: “They don’t want to leave the kids' table and join the adults and become an actual business unit.” The disconnect will persist until security leaders fully integrate into business leadership and speak in terms their peers can act on.

Your team is essential

The demands placed on today’s CISOs have far outgrown the capacity of any one individual. “Cybersecurity spans technical operations, risk management, compliance, and strategy—expecting one individual to excel in all these areas is unrealistic,” said Alen Mustafić of CyberSec4People. He suggests it may be time to move toward a team-based CISO model that shares responsibility across departments and leverages domain-specific expertise. Geoff Airey of Evotix agrees, noting that “you’re boiling down a whole team’s responsibilities to one person.” For him, the mark of a good CISO isn’t mastering every domain, but knowing when to delegate: “They don’t need to be an expert in every area of security—they need to have team members or contracted third parties who are.”

Don't change CISOs midstream

The impulse to fire a CISO after a major security incident may feel like accountability, but it often misses the bigger picture. “The greatest shift in thinking in the past decade has been that some organizations are beginning to see that firing a CISO after a major security incident is a major mistake,” said Mark Fuentes of Appdome. He reminded us that “there are no breach-proof, cyberattack-proof CISOs,” and no perfect cybersecurity strategy. “Cybersecurity is a war against breaches. Some battles will be won, and some will be lost. Changing generals too often may not be a winning strategy.”

Please listen to the full episode on your favorite podcast app or over on our blog, where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, Blackslash Security

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Super Cyber Fridays!
Join us Friday, 05-30-25, for "Hacking Provable Security"

Join us Friday, May 30, 2025, for “Hacking Provable Security: An hour of critical thinking on how to go beyond security ratings and questionnaires.”

It all begins at 1 PM ET/10 AM PT on Friday, May 30, 2025, with guest Sravish Sridhar, founder and CEO, TrustCloud. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT), we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, TrustCloud

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Nick Espinosa, host, The Deep Dive Radio Show.

Thanks to our Cyber Security Headlines sponsor, Vanta

Cyber chatter from around the web...
Jump in on these conversations

What's one tool you hope you never use again? (More here)

Anyone here sold/bought GCP Security? Debating a jump and need the real story (More here)

Easy Tool For Website Security? (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [05-30-2025] [Hacking Provable Security]

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.