Blog
February 10, 2025

Navigating CISO Challenges: Burnout, Limited Authority, and Building Resilience

The role of the Chief Information Security Officer (CISO) has evolved significantly over the past few years. Once seen primarily as a technical expert, today's CISO is expected to be both a strategic business leader and a guardian of an organisation's cybersecurity posture. 

In a recent episode of The Decloaked Podcast, Jake Bernardes, Field CISO at Anecdotes, and Leo Cunningham, CISO at Owkin, dive into the complexities and challenges that come with this evolving role. They explore issues that are often overlooked in discussions about cybersecurity leadership, including the growing concern of burnout, the limitations of authority, and the critical need to build resilience within security teams.

The challenge of limited control and security demands

One of the biggest challenges that CISOs face is the lack of control over critical systems that are often managed by other departments. While the CISO is responsible for ensuring the organisation’s cybersecurity posture, they don’t always have direct authority over the platforms or systems that pose the greatest security risks. This disconnect creates a significant barrier in enforcing security measures, ensuring compliance, and maintaining best practices.

Bernardes highlights how relationship-building plays a pivotal role in overcoming this challenge: “The modern CISO role is all about your ability to operate as a business leader, and that means you have to form those relationships based on trust”. To succeed, CISOs must develop strong relationships across the organisation, especially with the executives in IT, engineering, and other business units who actually own the systems in question. This collaboration establishes shared goals and a collective understanding of why cybersecurity matters, so that controls are applied by the teams who run the platforms rather than imposed on them from outside.

For security leaders who come from a technical background, such as penetration testing or system architecture, there is an added advantage. These leaders can communicate effectively with CTOs and engineering teams in a language they understand, making it easier to articulate the critical need for security protocols. Rather than simply imposing mandates, successful CISOs craft persuasive arguments and engage in two-way conversations that ensure the implementation of security measures is seen as a collaborative effort rather than a top-down directive.

Tabletop exercises: A practical approach to security preparedness

Another essential component of effective cybersecurity leadership is ensuring that teams are prepared for real-world threats. While many organisations claim to have security protocols in place, these procedures can fall apart when tested under pressure. Bernardes emphasises the importance of conducting "surprise tabletop exercises" to simulate real-life cyberattacks and evaluate the effectiveness of security measures.

"When you have engineering teams that say, ‘We can meet our SLA with disaster recovery, no problem,’ I say, ‘Great, it's Monday morning, and I’ve just shut off AWS—go restore your stage environment now,’" said Bernardes. By introducing sudden disruptions such as cutting off a cloud provider or simulating a ransomware attack, CISOs can find the weaknesses in their teams' response plans. The exercise Bernardes describes is a live recovery drill run against a staging environment rather than a purely discussion-based tabletop, and that is what makes it revealing: it tests whether backups actually restore and whether the SLA the team committed to can be met under time pressure, not merely whether the runbook reads well. Such unplanned exercises expose gaps that routine training and theoretical planning do not.

These exercises also foster a culture of accountability. When teams see firsthand how a security lapse can disrupt business operations, they become more motivated to adopt proactive security measures. It is no longer just about checking boxes on a compliance checklist; it is about being prepared for the unexpected and ensuring that every team member understands their role in responding to a cyber incident.

Bridging the gap between security and business

One of the most significant hurdles in cybersecurity leadership is bridging the gap between security teams and the business side of the organisation. Many security professionals struggle to effectively communicate the value of security initiatives to business leaders, which makes it difficult to secure the necessary resources and support for critical cybersecurity projects.

Bernardes notes, "The single biggest problem in security is that most security leaders cannot speak business. They literally fundamentally cannot do it." This issue often arises because many CISOs and security VPs come from deeply technical backgrounds and may not have the business acumen needed to communicate their value in terms that resonate with executive leadership. As the cybersecurity landscape evolves, these leaders must evolve as well—embracing a more strategic, business-oriented mindset.

CISOs need to demonstrate how security investments are not just about compliance, but about driving business outcomes. For example, Bernardes points out that becoming GDPR-compliant opens up new market opportunities by allowing businesses to sell into European markets. "If we get GDPR certification, we can sell into the European market, where we’ve identified a customer base that meets our ideal profile. Here’s the return on investment I think we can get," he explains. Framing security as an enabler of business success helps secure the buy-in of business leaders, ensuring that security remains a priority at the executive level.

Similarly, using real-world breach data can help quantify the financial risks associated with not addressing cybersecurity vulnerabilities. Bernardes adds, "If we get breached for this specific type of attack, here’s what the last ten companies paid. If you want to take that risk, that’s fine, but if you don’t, you can pay now and mitigate it before it happens." By communicating the potential cost of inaction, CISOs can make a more compelling case for investing in preventive measures.

Building resilience in cybersecurity leadership

The pressures faced by CISOs can lead to burnout, which has become an increasing concern in the cybersecurity field. Cybersecurity leaders are constantly tasked with protecting their organisations from evolving threats, managing complex risk landscapes, and leading teams through high-stress situations. The 2024 CISO Burnout Report by Vendict found that 80% of CISOs considered themselves "highly stressed." This high stress level is exacerbated by the fact that 63% of CISOs reported receiving little to no formal support in managing their roles.

Building resilience is not only important on an organisational level but also for security leaders themselves. To manage burnout, CISOs must learn to delegate responsibilities effectively, set realistic expectations, and maintain a healthy work-life balance. Leadership in cybersecurity requires not just technical skills but emotional intelligence and self-care. When security leaders model resilience and self-care, they set the tone for the rest of their teams.

Organisations also have a responsibility to support the mental health and well-being of their security teams. It’s essential for companies to recognise the intense pressures placed on their cybersecurity staff and provide the necessary resources to help them manage stress, prevent burnout, and sustain long-term success.

Final thoughts

The role of a CISO extends far beyond technical expertise—it requires business acumen, strong relationships, and a proactive approach to resilience. As Cunningham highlights, "Building psychological safety within security teams is key. People need to feel part of the process and understand their role in the larger security strategy."

By focusing on relationship-building, hands-on security testing, effective communication, and mental well-being, CISOs can navigate the complexities of their role more effectively. Security is not just the responsibility of the CISO—it’s a team effort, and the more security leaders align their strategies with business objectives, the better equipped they will be to drive lasting change.

For a deeper dive into how CISOs can prevent burnout and implement effective strategies for their teams, check out our in-depth guide. Learn how to build resilience, foster a strong security culture, and create a sustainable approach to leadership in cybersecurity. Read more here.

How Metomic can help

Metomic makes it easier to protect sensitive data, stay compliant, and reduce the workload for your IT and security teams:

  • Sensitive data discovery and classification: Metomic automatically finds and classifies sensitive data, making sure it’s organised and protected the way it should be.
  • Data loss prevention (DLP): Metomic helps stop unauthorised access to sensitive data, reducing the chances of accidental leaks or breaches.
  • Compliance software: Stay on top of regulations like GDPR, CCPA, and ISO 27001. Metomic automates key compliance tasks to make sure your data handling and access controls are up to scratch.
  • Access controls: With granular access controls, Metomic helps you manage who can access sensitive data, reducing the risk of insider threats.

With these features, Metomic simplifies security and compliance, lightens the load for your teams, and helps protect your organisation’s most sensitive information.

Getting started with Metomic

Integrating Metomic into your organisation is simple and designed to improve security, streamline compliance, and lighten the load for your IT and security teams. Here’s how you can begin:

  • Start with a risk assessment: Take advantage of our free tools to evaluate your current data security measures and spot any gaps. This gives you a clear understanding of potential risks and compliance issues.
  • Request a personalised demo: Book a personalised demo. We’ll show you how Metomic works, highlight its key features and explain how it can help strengthen your security, simplify compliance, and protect sensitive data.
  • Get expert advice: Have any questions or specific needs? Get in touch! Our team of experts is ready to support you. We’ll work closely with you to integrate Metomic into your systems while ensuring a solid security posture.
