Security Leadership: The CISO Doesn’t Need to Know the Business—They Need to Know the People Who Do (Part 3)

Blog | Jonathan Kimmitt | July 1, 2025

Note: The following is the third part of a series on CISO/security leadership. Part One: CISO Soft Skills Matter More Than Ever. Part Two: What Separates Security Practitioners from Security Leadership?

Over the years, a common refrain has echoed through cybersecurity leadership circles: “The CISO needs to know the business.” At face value, this sounds like a reasonable and prudent expectation. After all, if you’re protecting something, shouldn’t you understand its value, its operations, and its drivers?

Yes—but not in the way most people think.

As someone who has spent a significant amount of time in the trenches of cybersecurity leadership, I believe that this advice, while well-intentioned, is misguided in its application. The Chief Information Security Officer (CISO) should, without question, understand the mission and strategic objectives of the organization. But that doesn’t mean the CISO must also become a pseudo-CFO, a part-time COO, or an amateur product manager. Instead, the CISO must build strong, trusted relationships with the people who do know the business intimately, because true CISO business alignment comes from collaboration, not imitation.

CISO Business Alignment: Why “Knowing the Business” Isn’t the Same as Being the Business

The role of the CISO is to manage cybersecurity risks—not to oversee budgets, operations, or supply chains. While it’s important to understand how security impacts these areas, the CISO’s real value lies in translating complex threats into business risks and helping the organization operate securely.

Just as a CFO isn’t expected to be an expert in malware analysis or vulnerability management, a CISO shouldn’t be expected to interpret quarterly financials or manage HR policy. Instead, the CISO and CFO should collaborate to understand how cybersecurity influences financial stability, fraud prevention, and compliance requirements.

The same principle applies across the business. The CISO doesn’t need to design enterprise systems but must work closely with the CIO and enterprise architects to ensure those systems are secure. Similarly, while the CISO may not be fluent in marketing strategy or campaign metrics, they should partner with the Chief Marketing Officer (CMO) to safeguard customer data, harden marketing platforms against abuse, and ensure compliance with regulations like GDPR and CAN-SPAM.

In all these relationships, the CISO’s job is to empower other leaders to move quickly and effectively—while keeping the right security guardrails in place to protect the organization and its reputation.

The CISO as a Relationship Builder

What the CISO truly needs is influence. Influence is built on trust, and trust is built on relationships. It’s the CISO’s job to know the key stakeholders, understand their goals, concerns, and challenges, and collaborate with them in meaningful ways.

That means:

  • Working with the CFO to align cybersecurity investments with financial planning and risk appetite
  • Collaborating with HR to ensure onboarding, offboarding, and insider threat programs are effective
  • Partnering with Legal and Compliance to stay aligned with evolving regulatory requirements
  • Engaging with product teams to incorporate security from design to deployment
  • Coordinating with IT and OT teams to reduce vulnerabilities and strengthen operational resilience

These partnerships allow the CISO to develop a nuanced understanding of the organization’s risk posture, operational dependencies, and threat landscape—without needing to be an expert in all of those fields.

The Myth of the All-Knowing CISO

The myth of the all-knowing, all-seeing CISO is not only unrealistic—it’s dangerous. It sets false expectations and contributes to burnout. It suggests that unless the CISO is fluent in finance, law, marketing, DevOps, and industrial control systems, they can’t be effective. This line of thinking dilutes the purpose of the role and sets CISOs up for failure.

In reality, no one person can possibly master all facets of an enterprise’s operations. And they shouldn’t. That’s why organizations are made up of diverse teams, each with specialized knowledge and capabilities.

The effective CISO knows how to:

  • Ask the right questions
  • Identify the right stakeholders
  • Communicate risks in a way that makes sense to different audiences
  • Influence decisions without always having authority
  • Facilitate solutions that balance business needs with security goals

A Better Metric for Success for Security Leadership

If we truly want to assess a CISO’s success, we should ask:

  • Do they have strong relationships across business units?
  • Can they communicate risk in the language of their audience?
  • Are they enabling business initiatives while appropriately managing risk?
  • Are they trusted as a strategic advisor, not just a technical resource?

A CISO doesn’t prove their value by knowing how the revenue recognition process works. They prove it by working with finance leaders to ensure the systems supporting revenue recognition are resilient, monitored, and aligned with regulatory requirements.

Security Is a Team Sport

Cybersecurity is a cross-functional discipline. The best outcomes are achieved when security is woven into every part of the organization. That doesn’t happen because the CISO knows every business process in detail. It happens when the CISO fosters collaboration, mutual respect, and shared accountability for risk.

It also requires the CISO to show humility—to acknowledge what they don’t know and be willing to learn from others. A good CISO doesn’t try to outshine the business; they illuminate the risks so the business can move forward with confidence.

Closing Thoughts on CISO Business Alignment

So, the next time someone says, “The CISO needs to know the business,” I encourage a deeper conversation about CISO business alignment.

Yes, the CISO needs to understand how their work affects the business. But more importantly, they need to cultivate strong relationships with the people who live and breathe those business functions every day. They need to become embedded in the organization’s decision-making fabric—not by being an expert in everything, but by being the connective tissue between security and strategy.

The CISO is, first and foremost, the Chief Information Security Officer. And that title comes with its own deep, complex responsibilities. Let’s not dilute it by expecting the CISO to be everything to everyone. Let them be what the business truly needs: a translator, a protector, a partner—and above all, a leader.


Written by: Jonathan Kimmitt
