What Being a CISO Taught Me About Security Leadership

A four-point framework to succeeding as a CISO, based on my experiences of building and leading a security program at a high-growth company. It shows how to focus on the defender's advantage and escape the unending cycle of reacting to vulnerabilities, investigating incidents, and responding to attackers' advances.

Six years as CISO at a high-growth company taught me that the best programs are built by focusing on sustainable advantages that attackers can’t easily overcome. As security leaders, we have a way of escaping the cycle of reacting to vulnerabilities, investigating incidents, and responding to attackers’ advances.

Here’s a four-point approach to achieving this, based on my experiences of leading a security program from early stage to enterprise scale. We should:

• Understand our technology and business;
• Reduce the attack surface;
• Support colleagues to build trust; and
• Stay long enough for those investments to compound.

This way, we can develop a program that allows just the right amount of insecurity into the organization and turns us into enablers of business velocity.

Understand Our Technology and Business

Instead of being preoccupied with attackers’ tactics, we can use our inherent advantages as defenders. Our strength, the defender’s advantage, is our ability to develop a security architecture based on a solid understanding of our environment. This begins with maintaining an up-to-date inventory of all assets, including devices, applications, SaaS platforms, cloud workloads, AI services, and user accounts.

Understanding the tech environment allows us to create bottlenecks for attackers and focus areas for defenders. Zero trust access principles and Single Sign-On are examples of this approach. For example, SSO funnels authentication through a single point where we can enforce MFA and detect anomalies.

Tech alone is insufficient, though. At a tactical level, we also need to understand the role that IT resources play in the organization. Strategically, we must know the business priorities to align security projects with the company’s objectives. If we do this, we can better justify security budgets and lower security expenses while reducing risk. This requires asking good questions and listening to the answers.

Exploring, asking, and listening is important when we’re new to the role. But as the company’s business changes from year to year and sometimes quarter to quarter, we must adjust our understanding of the organization’s goals and expectations. Maintaining situational awareness is a continuous effort.

Reduce the Attack Surface

Our attention is constantly pulled toward urgent work: the latest vulnerability, the compliance deadline, the security investigation. But if we spend all our time on immediate concerns without investing in longer-term attack surface reduction, the urgent work will never decrease.

Reducing the attack surface includes decommissioning unnecessary SaaS products, deactivating unneeded user accounts, turning off unused systems, and otherwise reducing the IT components that require security oversight. Such efforts not only narrow the window of opportunity attackers can exploit, but also lower the costs of security and IT operations. This creates a virtuous cycle: Reduced operational overhead frees up budget and attention for strategic improvements, which further reduce both risk and cost.

Attack surface reduction also means adjusting how systems are designed and deployed. A security issue on an internet-exposed system demands a faster response than the same vulnerability on an isolated one. Network isolation and access restrictions decrease exposure and reduce the urgency of patching. This approach offers a way to escape the vulnerability management hamster wheel.

This isn’t a one-time cleanup. As the organization adopts new tools and services, the attack surface expands and requires ongoing oversight.

Support Colleagues to Build Trust

Helping colleagues succeed is a powerful way to influence security practices and mature the program. People route around burdens they find unreasonable, and gravitate toward teams and individuals that make projects happen. Security sits at the intersection of multiple disciplines, positioning us as such enablers.

We can build trust with other teams by collaborating on projects with shared interests. These early wins lay the foundation for the more challenging conversations that will inevitably come. For example:

• We can work with engineering to define expectations that let teams ship on time while assigning realistic risk rankings to vulnerabilities. Knowing when to require urgency and when to pull back builds trust.

• Legal and Privacy teams face shared challenges around security monitoring and data retention that create natural collaboration points. When an incident occurs, security leads the investigation while the Legal team determines notification obligations. General Counsel can also help when security policies need legal backing or the CISO needs independent authority to push back.

• We can support efforts to embrace infrastructure-as-code practices, so infrastructure teams can move more swiftly while ensuring the configuration is secure and verifiable. Preapproved modules with built-in security requirements give engineers flexibility while maintaining guardrails.

These collaborations succeed because they start from the other team’s objectives, not ours. Those relationships allow us to shift from merely saying that “security is everyone’s responsibility” to embedding security into key processes throughout the company.

Stay Long Enough for Investments to Compound

Research shows the average CISO tenure runs for 3 years. Many change jobs before experiencing more than one phase of the builder, fixer, and scale operator arc: Building from scratch, then fixing what breaks, then optimizing at scale. Staying through multiple phases compounds the impact in ways that switching jobs cannot.

With several years in the role, we accumulate influence and trust that are unavailable at a new organization.

Some foundational changes simply take time. Attack surface reduction, identity architecture, and product security are multi-year investments. A CISO who leaves after two years may plant the seed but not see the harvest. Tenure also lets us assemble a team we trust, develop its members, and earn their trust in return. A team that can operate independently compounds the leader’s impact in ways no new hire replicates in year one.

The defender’s advantage pays its highest dividend here. Tenure deepens our understanding of the environment in ways no onboarding replicates. That accumulated terrain knowledge is exactly the edge that makes the defender’s position stronger than the attacker’s. After several years, we know which systems are truly critical, which vendors operate as true partners, and which risks the organization has consciously accepted.

But tenure without direction succumbs to the gentle pull of mediocrity. Staying demands intentional goals and action.

Act, Not Just Advise

Organizations expect CISOs to deliver outcomes aligned with business objectives, not risk-oriented opinions. Yet, we often operate as chief opinion officers rather than action takers: we track metrics, assess gaps, express concerns, and rely on others to act. All this activity suggests progress; but if we merely advise, we don’t change anything.

Action takers drive change by having uncomfortable conversations, negotiating with stakeholders, and accepting that the first version will have gaps. A consultant can deliver recommendations and leave. A security leader who stays has the responsibility to see changes through. That means applying a minimum viable product mentality, iterating rather than waiting, and calibrating acceptable insecurity rather than chasing the perfect state.

The defender’s advantage belongs to those who act on what they know.