Tech vs Business in the CISO Role

Author: Joe Head, Director

This debate has been going on since I became part of the cyber security industry nearly 6 years ago.

And we are still having the same discussion…

We are caught in a paradox.

On one hand, we need people who can navigate the intricate web of technical challenges. On the other, there’s a need for leaders who can steer the ship from a business standpoint.

The problem is exacerbated by the industry’s infancy: we have a blurry blueprint for ‘success’, vast pay scales, and job titles that seem to be out of sync with the responsibilities they should match.

The mismatch between job titles, their respective duties and compensation is a fundamental problem that undermines the effectiveness of cyber security leadership.

And to be clear this isn’t just about pay and prestige; it’s about clarity and the capacity to deliver security while also driving business value.

So, where do we start?

I very much hold the opinion that the further you climb the CISO career ladder, the less your job is about cyber security. Nothing will change my mind on that. I have spent 1000s of hours with Fortune 500, FTSE 100, and Cyber Security Execs, who are all very much business leaders before security leaders.

Yes, technical know-how is indispensable, but it’s the tip of the iceberg. The true measure of a CISO’s worth is their ability to translate complex cyber security lingo into the vernacular of the C-suite.

I have used this analogy before: a pilot doesn’t know how the fuselage of a plane is built. And even if they did, it probably wouldn’t help them be a better pilot.

I know it depends.

The CISO role isn’t binary and different businesses have different needs. But this doesn’t mean giving people job titles, responsibility, and control that don’t match up. And I think this is where the industry has a big problem.

How can we have CISO job titles, with engineering responsibility & analyst pay? It just doesn’t make sense.

There will always be smaller businesses that can’t afford a CISO, which is fine. In fact, if a company were hiring a CISO with a proper CISO job description but awful pay, at least they would be going in the right direction.

That then just becomes a financial constraint, not an issue with understanding the role.

Now, when I say “non-technical” I don’t mean someone who has no idea what cyber security is; of course you need a high-level understanding of the fundamentals. Should you be able to roll up your sleeves and start coding? No. Would it help if you could? Sure, it might, but this is not what a CISO is.

Ultimately, we need people who can communicate with C-Suite and elevate cyber security. It’s not a question of tech vs non-tech—it’s about how you help the business move forward. We need to cultivate CISOs who can appreciate the nuance of technology but have their sights firmly set on the horizon of business impact.

There is room for everyone. One thing we do not have enough of is strong security leaders who are changing the way businesses think about cyber security. We need more thought-leaders and influencers who are inspiring our industry to do better.

My final thoughts.

In the end, we need our industry to move forward. Whether you are technical or not, you need to support sustainable business growth. You must be able to communicate with both the people in charge and the rest of the business.

I think in time we will see a shift in the way companies see cyber security. My hope is that as the threat landscape continues to grow, businesses will be forced to acknowledge that cyber security leadership is a fundamental pillar of success.

There is so much more I could say, but I will save some for another blog.