Why So Many Companies Misunderstand the Role of a CISO

 

A few months ago, I was contacted by a recruiter who said I was a great fit for a Chief Information Security Officer (CISO) position.

 

It was one of those opportunities that instantly make you feel excited. The company had a great mission, a strong culture, and every conversation I had with their team felt authentic.

 

The process was long and demanding but in a good way. I enjoyed every step. I received very positive feedback, and everything pointed toward a strong match.

 

And then came… silence.

 

After a few days, I reached out to ask for an update.

 

The response?

 

“We think you’re an excellent match, but we’ve decided to move forward with a more technical profile.”

 

That caught me off guard.

 

A CISO role is not primarily about tools or configurations. It’s about reducing business risks related to constantly evolving cyber threats. Tools are part of the story, but governance, risk, and compliance (GRC) is what ensures those tools are applied where they truly matter.

 

Every effective cybersecurity program balances both: technology for protection, and GRC for direction.

 

When a company decides to “go with a more technical profile,” it often reflects a deeper misunderstanding. It’s not about the candidate. It’s about how the organization defines cybersecurity in the first place.

 

Technology feels tangible and immediate. You can deploy a system, configure a firewall, or run a scan—and see results right away.

 

GRC, on the other hand, requires reflection. It deals with policies, risk analysis, and decision-making frameworks that shape long-term resilience. It can feel abstract. And that’s precisely why so many companies underestimate it.

 

But here’s the irony: When cybersecurity governance is weak, even the best tools can’t save the organization.

 

Choosing a purely technical focus might seem easier, but it often leaves blind spots – the very risks a CISO should be there to prevent.

 

This experience reminded me how widespread this gap still is. Many organizations want a CISO, but not all are ready to understand what a CISO truly does.

 

Until we bridge that gap between cybersecurity technology and GRC thinking, many companies will continue to chase the illusion of security rather than achieve it.

 

What do you think? Have you seen companies confuse cybersecurity leadership with technical expertise?
