A majority of enterprise security leaders view their roles as “no longer fully manageable,” according to a recent report, and security consultants concede that the increasingly over-scoped nature of cyber execs’ roles is a problem not easily fixed.
At issue is the fact that companies have consistently broadened the CISO’s jurisdiction and responsibilities without providing new resources to accomplish it.
“Given the CISO role’s continued expansion across new functional domains and enterprise-wide responsibilities, more than half (52%) of CISOs reported their scope is no longer fully manageable,” the 2026 State of the CISO Benchmark Report from IANS Research and Artico Search found. “CISOs warn scope-resource imbalances may have far-reaching consequences including delays in strategic priorities, erosion of long-term resilience and reactive security operations with diminishing quality.”
In addition to traditional information security responsibilities, such as security operations, security engineering, GRC, and application security, many CISOs now oversee business risk functions, including risk and compliance, third-party risk management, disaster recovery, and product security. “Nearly 30% also have ownership over parts of the IT stack, including IT compliance, IT operations, or networking,” the survey of 662 CISOs found.
Cybersecurity consultant Brian Levine, a former federal prosecutor who serves as executive director of FormerGov, says CISOs can’t be expected to handle everything that touches cybersecurity that no one else wants.
“Enterprise CISOs aren’t just burned out; they’re boxed in. The title keeps rising, but the influence doesn’t always follow,” Levine says. “The modern CISO isn’t just running a security program anymore. They are running a geopolitical, regulatory, and enterprise‑wide risk portfolio. The scope has exploded so fast that the role is outpacing what any one person can reasonably own.”
As a result, CISOs are increasingly being placed in an impossible position — and one that is becoming a single point of failure for many organizations.
“When a single executive is accountable for everything from identity to AI governance to third‑party risk, it stops being a job and starts being an impossible expectation. That’s exactly what I’m seeing across the enterprise landscape,” Levine says.
And those impossible expectations are coming with few added resources, Aaron Painter, CEO of Nametag, points out.
“The scope has expanded faster than authority, budget, or organizational alignment,” he says. “CISOs are now expected to cover cloud, identity, insider risk, third parties, AI-driven threats, and deepfakes, often with the same teams and tools they had five years ago.”
A question of ownership and influence
At issue is an increasing perception that “the CISO can be the catch‑all for every emerging threat,” Levine notes.
Fixing the situation, for CISOs and organizations alike, will likely require a rethink of how security and risk leadership should be structured, he says.
“The solution isn’t to find superhuman CISOs. It’s to redesign the role, distribute responsibility, and give them the authority to match the accountability,” Levine advises. “The unmanageable part isn’t the work: It’s the mismatch between responsibility and influence. Until boards rebalance that equation, CISOs will continue to feel like they’re set up to fail.”
The CISO at a Fortune 100 manufacturer, who asked that his name and company not be referenced, said his remit was far more manageable before he took on the CISO role.
Today, as CISO, he says, “there is no safe space. When I was just running the operational side, I was on top of it, I was confident, and I felt in control. I don’t confidently know everything that is happening today like I did before. I feel vulnerable or naked talking to my boss or the board. I need to focus on too many things that oppose each other. You can’t be an expert in everything.”
Erik Avakian, technical counselor at Info-Tech Research Group, has seen this all-encompassing CISO remit across many industries.
“The CISO role is quietly becoming unmanageable,” he says. “The nature of the job itself has changed. The modern CISO is expected to be a technologist, a risk executive, a compliance authority, a business strategist, a crisis manager, a public-facing spokesperson during incidents, and a de facto owner of third-party support. And to do all of that in an increasingly complex and rapidly morphing cybersecurity risk landscape.”
Avakian adds: “Boards and executives have to decide what the CISO truly owns versus what they influence. You cannot hold someone accountable for enterprise cybersecurity risk while also making them responsible for every firewall rule, phishing click, and third-party vendor misstep.”
A board-level rethink of cyber strategy is also imperative, he says.
“Strategy and operations need to be intentionally tiered. The CISO has to be structurally treated as a risk executive,” Avakian notes. “That means access to the CEO and board, business visibility and access, and the authority proportional to accountability and governance models that treat cyber risk like financial or legal risk, and shared ownership across the business.”
Structural changes necessary
Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group, says many organizations have already made the structural changes necessary to address the rising importance — and specialization — of cybersecurity and risk functions.
“The breadth and depth of information security and cybersecurity have increased so significantly over the past two decades that it drove a sea of specializations: SOC, blue and red teams, application security, cloud and infrastructure security, GRC, control monitoring, security architecture, identity and access management, and many more,” Villanustre says.
“Gone are the days when a single person could possess all necessary knowledge to cover all cybersecurity needs of a corporation,” he adds. “CISOs nowadays are more akin to CIOs, with a higher focus on security and privacy aspects, managing organizations that span from dozens to hundreds of people, in addition to leading the rest of the company by influence.”
But those organizations that continue to saddle CISOs with additional remits risk rendering the role nonviable, says Sanchit Vir Gogia, chief analyst at Greyhound Research.
“The CISO role has been pushed to its cognitive, operational, and strategic breaking point,” he says. “This isn’t about performance gaps or capability shortfalls. This is about a job that has been stretched across so many domains that it no longer fits within the bandwidth of a single human being. At least not one who wants to remain effective, credible, and sane.”
Gogia says that just in the past half decade CISOs have taken on “business continuity, data privacy, ESG reporting, supply chain integrity, AI governance, physical security, fraud, and even real estate oversight in some cases.”
“In some organizations, the CISO is also expected to lead risk quantification, participate in executive crisis simulations, and oversee elements of legal and regulatory compliance,” he says. “That’s not scope expansion. That’s an organizational dumping ground.”
Gogia suggests that the typical enterprise CISO’s day is overflowing with tasks that prevent the executive from truly performing the fundamental facet of the role: advancing enterprise defense.
CISOs today “have to communicate vulnerabilities to engineering teams in the morning, prepare board-level business risk briefings at noon, and resolve a cloud provider dispute by night. That’s not leadership. That’s intellectual triage on a daily loop. The result? Priorities blur. Roadmaps stall. Burnout creeps in not through dramatic collapse but through constant erosion,” Gogia says.
“We’ve seen this play out in multiple organizations. Security transformation programs delay quarter after quarter, not because the CISO lacks competence, but because their day is consumed by audit prep, compliance follow-ups, stakeholder briefings, and vendor escalations,” he says.
Gogia advises CISOs to work with senior management in taking a critical look at everything the CISO is being asked to do.
“What truly belongs? What has been bolted on out of convenience? What requires its own leadership function? In many cases, privacy, physical security, and ESG risk deserve separate ownership,” Gogia says. “Let the CISO be the architect of cyber risk, not the landfill for all loosely related responsibilities.”