CEOs Take the WHEEL!! Do CISOs Really Fail?

Cheryl Abram
3 min read, May 21, 2024

I love Barak Engel’s work. His storytelling is fantastic, and his cybersecurity insights are thoughtful and always on point. I’ve just purchased his book “Why CISOs Fail” and it’s got me thinking. Do they really fail?

I’ve just started reading and I’m not done yet, but I need to get my thoughts down on paper because… I’m old and I forget things.

First, I see cybersecurity in organizations like brakes on a car. Brakes aren’t just for stopping; they’re for control, agility, and speed. Just think of driving your car without brakes.

It is possible but I’m 99.999% certain you’d rather not.

Brakes are safety features that also give us (the drivers) more options. So, if CISOs are in charge of the organization’s brakes, do they really fail?

Consider this: Why do brakes fail? You may think it’s because of worn pads, fluid issues, overheating, faulty lines, or a bad cylinder.

But you’ll know they’re on the verge of failing because of the warning signs: squealing, grinding, a soft pedal, vibrations, dashboard warning lights, burning smells, etc.

Who notices these signs first? You!!! The driver, then maybe a mechanic, inspector, or fleet manager.

So, again…why do brakes fail?

Because someone ignored the warning signs.

If CISOs (and the cybersecurity program they manage) “fail” due to breaches, poor risk management, short tenure, or misaligned goals, there were probably warning signs. And it’s the “driver” — the CEO — who’s ultimately accountable.

But check this out. One “warning sign” of pending CISO failure could be high staff turnover within the security team. And it could be because a mediocre CISO with an oversized tie is pretending to be a “leader”.

However, has the CEO ensured the cyber program has an adequate budget, staff and tools? Has she set the tone for how cyber is valued in the company? Is SHE aligning cyber with the business goals and speaking directly with the mediocre CISO to hear his concerns?

Think of it this way: fully functional brakes enable a car to do more than just stop. They let it maneuver, take corners, speed up, slow down — basically, adapt. Similarly, good cybersecurity, led by a CISO but overseen by the CEO, makes a company more agile, proactive, and confident. It lets the company chase opportunities while managing risks, the same way good brakes help a (good) driver handle different road conditions.

So, the CEO should be as invested in their cybersecurity program as a driver is in their brakes. This way, the company can protect itself and confidently pursue its goals, just like a driver who knows their brakes are working can drive safely and efficiently.

While CISOs, CFOs, and CMOs have their marching orders, the CEO is ultimately responsible for the whole company, and if they're smart, they'll promote strong cybersecurity as part of their brand identity, strengthening their competitive edge.

So, do CISOs fail? Maybe sometimes. But could the person with the decision-making power, money, and will to prevent it have done something? Absolutely.
