
Lane Sullivan – SVP, Chief Information Security and Strategy Officer with Concentric AI
Being a CISO today is a balancing act of strategic leadership, financial literacy, technical expertise, and human connection, regardless of whether the company has 100 or 100,000 employees. The role is no longer about just defending the perimeter; it’s about driving the business forward with resiliency while managing risk with clarity, courage, and strategic intent.
After years in the trenches, here’s what I’ve learned about what it really takes to be an effective CISO. Everybody has a different journey, and every company is different. You may not need any of these, or you might get insights from all of them. If I missed anything, please add your comments for the benefit of the other CISOs or future CISOs.
- Understand the Business You’re Securing
You can’t protect what you don’t understand. CISOs must go beyond security metrics and learn what truly drives business success.
- How does the company work, and how does it make money?
- What does the sales cycle look like, or what does the company do on the front lines?
- How do product, engineering, clinical and finance work together?
Bring this knowledge back to your security team. Help them see they’re part of something bigger than policies and patching.
- Build Bridges Across the Business
Security doesn’t live in isolation. Relationships across the C-suite and business units are essential.
- Trust is your currency. It’s earned over time and through action, especially when you show up for things “outside your job description.”
- Host regular 1:1s with IT and business leaders to understand their goals and challenges.
- Hold a monthly “CISO Fireside Chat” with non-technical employees to humanize security and listen to feedback.
- Legal and Privacy should be an extension of your team, including outside counsel. Know them, use them.
The goal? Build a culture of collaboration, not control.
- Be a Leader, Not a Manager
Your talent is your most valuable asset. Protect it. Invest in it. Empower it.
- Set clear guardrails and goals, but give your team room to find the best path forward.
- Avoid micromanagement. If you’re managing tasks, you’re not leading people.
- Hire great people, and then trust and invest in them.
- Manage mental health, period. Do not wait for an incident to find out there is a problem; by then it’s too late.
- Be curious, not judgemental
Lead with hope, but balance it with honest accountability. That’s where growth happens.
- Create an 18-36 Month Strategy, and Revisit It Quarterly
Five-year roadmaps are great… until reality changes six months later. Instead:
- Align your strategy to the organization’s strategy and priorities; you need to be able to show how you support the business goals.
- Build a rolling 18-36 month strategy and identify maturity gaps. Reevaluate it every 90 days to ensure it stays relevant and aligned.
- Use models like NIST CSF not just for compliance, but as tools to build executive trust and measure maturity in meaningful terms.
- Don’t be afraid of new technology vendors; innovation does not start at creation.
Strategy is not static. It’s a living thing. Treat it that way.
- Financial Acumen
Understanding how your company handles finances is non-negotiable. If you can’t speak the language of CFOs and controllers, you’ll never earn a seat at the decision-making table.
- Learn the difference between cash and accrual accounting.
- Know when to capitalize vs. expense security investments.
- Build a defensible budget that aligns with business objectives, not fear-based narratives.
- Manage your budget, and do not ask for money unless it is a requirement.
Security leaders who understand the financial mechanics of their organization are positioned as business partners, not budget drains.
- Stay Informed and Invest in Your Network
Cybersecurity is a fast-moving domain. Don’t let headlines surprise you.
- Attend industry events and conferences, not just for the sessions, but for the relationships.
- Security leaders need to be students of the world. Track emerging tech, geopolitical shifts, and threat actor trends. Your job is to anticipate, not just react.
- Mentor whenever possible
Often, the value of a conference comes from a hallway conversation, not a keynote. On a tough day, knowing who you can call matters more than what’s in your tech stack. If you see another contact having a bad day in the news, reach out and check on them.
- Speak Candidly About Risk, and Build Resiliency
Boards and executives don’t want sugar-coated updates. They want the truth, paired with a plan.
- Be transparent about where risks exist, even when it’s uncomfortable. But never come to them without a proposed path forward.
- Draw boundaries between corporate risk and personal exposure. For personal risk, draw a line and don’t cross it.
- Use language and analogies they understand; tech talk won’t get you very far.
- Everything you discuss is based on risk and resiliency; ask yourself “So what?”, because they will.
- Creating awareness of what is expected of them during an event, before you have one, will benefit you far more than you realize.
In security, bad news is inevitable. What defines you is how you handle it.
- Data Is the Real Risk
Because data is the real risk, your job isn’t just to patch systems; it’s to protect, govern, and deweaponize sensitive data.
- Know where your data lives.
- Understand who accesses it and why.
- Focus on data-centric controls, not just perimeter defense.
- Ensure there are plans for resiliency when it matters.
In a world of hybrid cloud, AI, and third-party sprawl, a data-first security strategy is no longer optional; it’s foundational.
- Reporting and Metrics That Matter
Boards do not want anecdotes; they want measurable progress. You own your own data, and how you use it matters.
- Report on business-aligned metrics, not just technical KPIs.
- Show how your program reduces risk exposure or improves resiliency. Translate into executive language: Resiliency, risk reduction, business continuity, reputational protection.
- CISOs own all the information in reports that are shared outside their team; make sure you have oversight of all of them.
Numbers don’t replace storytelling, but they give it credibility.
- Own Third-Party and Supply Chain Risk
Your risk doesn’t end where your infrastructure does. Third-party vendors and integrations can become your weakest link, and could impact you more than an internal event.
- Evaluate vendors early, during procurement, and post-breach. Continuously assess their security posture.
- Include contractual security requirements (including AI) and access governance reviews as part of your operational model.
- Know how your environment is connected to third parties; that is half the battle when the news hits the wire about an incident with a vendor.
You’re only as strong as your weakest partner. Strengthen that chain.
- Enable AI, but Govern It
AI is no longer hype; it’s here. It introduces new risks, but also new opportunities.
- Partner with your data, legal, and product teams to guide safe AI adoption.
- Define controls to prevent data leakage, shadow AI usage, and model abuse.
- Treat AI governance as part of your security program, not an afterthought.
AI will reshape how we operate. Make sure it doesn’t reshape your risk profile the wrong way.
Final Thoughts
Security is everyone’s responsibility, but as a CISO, it starts with you.
Lead boldly, think broadly, speak the language of business, protect your people, and never lose sight of the mission: enabling your organization to thrive, even in the face of risk.