Ten years ago, the CISO was the person who kept the firewalls running and made sure the penetration test came back clean. That version of the role is gone. The modern CISO is expected to manage regulatory compliance across multiple jurisdictions, oversee third-party risk across dozens of suppliers, lead incident response under pressure, report to the board in business language, and somehow retain a team in one of the most competitive hiring markets in technology.
Most of them are doing this without enough budget, enough people, or enough time in front of the board to explain what is actually happening. The result is a role that burns people out and produces reporting that does not reflect real risk.
We see this in almost every engagement. The CISO produces a board pack with colour-coded risk dashboards, maturity scores, and compliance percentages. The board glances at it, sees mostly green, and moves on. The CISO leaves the meeting frustrated because none of the hard questions got asked.
The problem is not the CISO's communication skills. It is the format. Boards do not need a dashboard. They need answers to three questions: what could go seriously wrong, how likely is it, and what are we doing about it? If the CISO cannot answer those in plain language with specific examples, the reporting structure needs to change.
We have helped organisations restructure board reporting around scenarios rather than metrics. Instead of "our patch compliance is 87%," the conversation becomes "if a ransomware group hit us today, here is what would happen to our operations and here is what recovery would look like." That gets attention. That drives investment.
Everyone talks about the cybersecurity skills shortage. It is real, but the bigger issue is role design. Many organisations are hiring security analysts to do compliance work, or expecting one person to cover everything from cloud security to privacy regulation.
The most effective security teams we work with have clarity about what they need. They separate operational security from governance and risk. They use external support for specialist capabilities like identity architecture or resilience testing rather than trying to build everything in-house. And they invest in keeping the people they have rather than constantly recruiting replacements.
If your CISO is spending more time writing reports than managing risk, something is wrong. If your board only hears about security after an incident, something is wrong. If your security leader has no peer relationship with the CFO or COO, something is wrong.
The organisations that get this right treat security as a business function, not a technical one. The CISO has a seat at the table, reports on risk in terms the business understands, and has the authority to make decisions that stick. That is not a luxury; it is the minimum standard for any organisation that takes its risk posture seriously.