What can a CISO do if their authority is unequal to that of other C-suite execs (apart from the CEO)?

Security & GRC Internal CXO Relationships Security Strategy & Roadmap

1.3k views26 Comments

Senior Information Security Manager in Software, 501 - 1,000 employees

Consider that CSO in that case = Chief Scapegoat Officer.

2 1 Reply

IT Director in Education, 5,001 - 10,000 employees

LOL. Ain't that the truth, Ben. Good one!

Director of Enterprise Technology Advisory in Software, 10,001+ employees

Just do the job? Many roles need to operate without authority. As a C-Level (even a pseudo one) this must be a skill in their toolbox.
I think if you continue to deliver, that authority will come over time too anyway

Director of Enterprise Technology Advisory in Software, 10,001+ employees

MSP & IT Director in Services (non-Government), 2 - 10 employees

One can only do sound work if they have the appropriate authority. However, one doesn’t always need specific authority to do their job right. In this case one needs to evaluate if the authority is adequate.

Director of IT in Finance (non-banking), 10,001+ employees

Leading without authority is one of the traits of any level of leadership to be successful. Use your influence by building partnership with other peers. If you can create/establish the need, you can earn the credibility to introduce any change.

Senior Director, Information Technology in Services (non-Government), 501 - 1,000 employees

As with many other IT leadership roles, a CISO's persuasion skills must be top-notch. Convincing executive leadership to spend money on technology or services they don't understand is part of IT. If they can't earn the trust of company leadership that their function is necessary, it will be difficult to succeed.

Director of IT in Healthcare and Biotech, 51 - 200 employees

Continue to do your role to the best of your ability. Unless your environment is truly toxic/unreasonable, eventually you will achieve the level of authority you need to fully acquit your duties. If it is that toxic or unreasonable, look elsewhere.

Director of IT in Healthcare and Biotech, 201 - 500 employees

Continue to work the position until the authority needed has been earned/created. If the environment doesn’t evolve to support this, then consider looking elsewhere.

Program Director of Information Security in Hardware, 10,001+ employees

CISO role is a critical role for most organizations and its best to have the role with full authority to have most impact on cybersecurity culture of organization. If you do not have equal authority in your role as other C-suite executives, it becomes a similar situation as you have with a Project role in a matrix organization. Influencing are leadership are the best options and I know many successful PMs deliver complex projects with budget upward of 50M without formal authority over resources or executives.

Senior Director of Engineering in Software, 501 - 1,000 employees

Truth be told or the CISO can sit down with the CEO and reframe the role/duties or maybe it's time to leave?
What's the point of a c-level role if you can't have autonomy to have an impact?

Content you might like

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

People & Leadership Strategy & Architecture Cloud +57 more

CTO in Software, 201 - 500 employees

Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.

142 19 Replies