The CISO had the title. But no money, no team, no veto.

 

I worked with a company where the CISO was officially “in charge” of cybersecurity.

 

On paper, he had the mandate to protect the business. In reality? He had no control.

 

His budget was part of IT.

 

Every new cybersecurity initiative had to compete with system upgrades, service desk tickets, ERP roll-outs, and infrastructure fixes.

 

Every request for resources had to go through the IT Manager, who had his own roadmap and no interest in delays caused by “security”.

 

The CISO didn’t own a single resource.

 

  1. He didn’t control priorities.
  2. He didn’t have a seat at the execs’ table.
  3. He couldn’t even stop a risky vendor integration that exposed a major vulnerability.

 

But when the breach happened, guess who was called to explain?

 

Guess who was blamed?

 

He wasn’t just under-powered. He was set up to take the fall.

 

If your CISO needs permission to protect you, then your structure is your biggest risk.
