{"id":4699,"date":"2025-09-08T07:00:00","date_gmt":"2025-09-08T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4699"},"modified":"2025-09-08T07:00:00","modified_gmt":"2025-09-08T07:00:00","slug":"10-security-leadership-career-killers-and-how-to-avoid-them","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4699","title":{"rendered":"10 security leadership career-killers \u2014 and how to avoid them"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>There are some bad behaviors that can get executives in trouble.<\/p>\n<p>Illegal and unethical actions are the most obvious, and they typically make an executive unemployable. Most professionals know to avoid such behaviors if they want to continue their careers.<\/p>\n<p>But there are many other missteps that can halt upward mobility, some of which are less obvious and therefore harder to avoid, according to executives, career coaches, and executive consultants. Plus, there are concerns or actions specific to security leadership that can prove career-limiting.<\/p>\n<p>Following are 10 performance shortcomings that can short-circuit a security leader\u2019s career.<\/p>\n<h2 class=\"wp-block-heading\">1. Failing to align security to business priorities<\/h2>\n<p>This is one of the top requirements for security leaders now, and not doing so will land them on the sidelines.<\/p>\n<p>\u201cSecurity has evolved from being the end goal to being a business-enabling function,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/carderj\/\">James Carder<\/a>, CISO at software maker Benevity. \u201cThat means security strategies, communications, planning, and execution need to be aligned with business outcomes. 
If security efforts aren\u2019t returning meaningful ROI, CISOs are likely doing something wrong. Security should not operate as a cost center, and if we act or report like one, we\u2019re failing in our roles.\u201d<\/p>\n<p>Carder says CISOs who aren\u2019t yet aligning security to business strategy need to make \u201ca major shift in mindset.\u201d<\/p>\n<p>\u201cStart by accepting that the role has changed. We\u2019re not gatekeepers anymore. We\u2019re enablers of progress,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">2. Being just a technologist rather than a business executive, too<\/h2>\n<p>To align security with enterprise strategy, security professionals <a href=\"https:\/\/www.csoonline.com\/article\/4002753\/cisos-reposition-their-roles-for-business-leadership.html\">need to be business leaders<\/a>, too, says <a href=\"https:\/\/www.linkedin.com\/in\/ryanknisley\/\">Ryan Knisley<\/a>, former CISO of The Walt Disney Co. and Costco Wholesale.<\/p>\n<p>That remains a struggle for many CISOs, who still tend to ascend through the security organization and not lines of business \u2014 a career progression that leaves many without the skills to tie risk to revenue or <a href=\"https:\/\/www.csoonline.com\/article\/3480316\/better-metrics-can-show-how-cybersecurity-drives-business-success.html\">measure security effectiveness using business metrics<\/a>.<\/p>\n<p>\u201cSo their role becomes marginalized, and they\u2019re viewed as overhead,\u201d says Knisley, now chief product strategist at tech company Axonius.<\/p>\n<p>He advises CISOs to <a href=\"https:\/\/www.csoonline.com\/article\/2154053\/are-you-a-ciso-who-doesnt-know-jack-heres-how-to-bridge-your-own-skills-gap.html\">build their business skills<\/a> by enlisting professional mentors outside of cybersecurity and getting professional experience also outside of security.<\/p>\n<h2 class=\"wp-block-heading\">3. 
Stopping short of a \u2018yes\u2019<\/h2>\n<p>CISOs generally know that the security function can\u2019t be the \u201cdepartment of no.\u201d<\/p>\n<p>But some don\u2019t quite get to a \u201cyes,\u201d either, which means they\u2019re still failing their organizations in a way that could stymie their careers, says <a href=\"https:\/\/www.linkedin.com\/in\/acardwell\/\">Aimee Cardwell<\/a>, CISO in residence at tech company Transcend and former CISO of UnitedHealth Group.<\/p>\n<p>Getting to yes requires CISOs to understand the organization\u2019s risk tolerance so they can appropriately balance security controls with the business\u2019 need for speed and ease of transactions.<\/p>\n<p>\u201cCISOs who want to advance their careers are those who are able to say, \u2018Yes, and let me help you do it safely and securely and help you do it with more resilience,\u2019\u201d explains <a href=\"https:\/\/www.linkedin.com\/in\/tim-rawlins-nccgroup\/?originalSubdomain=uk\">Tim Rawlins<\/a>, senior advisor and security director of NCC Group.<\/p>\n<h2 class=\"wp-block-heading\">4. Drawing red lines<\/h2>\n<p>Rawlins recently worked with a CISO who, when learning of a high-risk idea from his business colleagues, told them, \u201cThat\u2019s a red line for me.\u201d<\/p>\n<p>Rawlins advises against issuing such commands, as doing so shows that the CISO is not really focused on business needs.<\/p>\n<p>\u201cCISOs can\u2019t draw a red line and say, \u2018Absolutely not,\u2019 because if it\u2019s important to the business, they have to come up with a way to deliver it safely and securely. Otherwise, the business will work around you,\u201d Rawlins says.<\/p>\n<h2 class=\"wp-block-heading\">5. 
Being too rigid with the rules<\/h2>\n<p>Similarly, CISOs who are too rigid with the rules do a disservice to their organizations and their professional prospects, says Cardwell.<\/p>\n<p>Such a situation recently came up in her organization, where one of her team members initially declined to let workers use a third-party application, pointing to a security policy barring such apps.<\/p>\n<p>Cardwell worked with her staffer to do a deeper dive into the situation, learning that the app would run on only two machines for two months and was critical for a business initiative.<\/p>\n<p>They opted to make an exception to the security rule and implemented controls \u2014 such as creating a service ticket to ensure the app is removed at the expected project end date \u2014 to take a calculated risk on behalf of the business.<\/p>\n<p>That, Cardwell notes, demonstrates security\u2019s willingness to be a business enabler and ensures the CISO and the security team are viewed as partners, not obstacles to work around.<\/p>\n<h2 class=\"wp-block-heading\">6. Getting AI wrong<\/h2>\n<p>As artificial intelligence becomes pervasive, CISOs need to mature their understanding of the technology so they can <a href=\"https:\/\/www.csoonline.com\/article\/4033338\/how-cybersecurity-leaders-are-securing-ai-infrastructures.html\">appropriately secure it<\/a>. Otherwise, they\u2019ll be seen as relics of the pre-AI era.<\/p>\n<p>Yet many security professionals still treat AI \u201clike a typical technology tool, and not as a terrain,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/jenaimarinkovic\/\">Jenai Marinkovic<\/a>, a virtual CTO and CISO with Tiro Security and cybersecurity expert with the ISACA, a professional association focused on IT governance.<\/p>\n<p>\u201cAI is a terrain modifier,\u201d she says. \u201cIt alters the adversarial landscape, the decision loops, and even the nature of \u2018truth\u2019 inside organizations. 
Professionals who continue treating AI as a feature will misread their environment and offer solutions to threat classes that no longer exist. Their logic becomes extinct in real-time.\u201d<\/p>\n<p>She adds, \u201cThe careers that fail tomorrow will not be killed by laziness or incompetence, but by operating on outdated ontologies.\u201d<\/p>\n<h2 class=\"wp-block-heading\">7. Failing to have adequate visibility into assets and interdependencies<\/h2>\n<p>CISOs who don\u2019t have a firm grasp on all that they must secure won\u2019t succeed in their roles. \u201cIf they don\u2019t have visibility, if they can\u2019t talk about the effectiveness of the controls, then they won\u2019t have credibility and the confidence in them among leadership will erode,\u201d Knisley says.<\/p>\n<p>But Marinkovic says visibility today is more expansive than ever before, and those CISOs who don\u2019t model the unseen interdependencies that exist in nearly all organizations today are setting themselves up to fail.<\/p>\n<p>\u201cIn hybrid systems, biological, digital, operational, geopolitical, the most catastrophic failures occur at points of unmodeled coupling,\u201d she says. \u201cIf you cannot see how your control logic \u2014 technical or managerial \u2014 interfaces with invisible systems, regulatory, cultural, economic, you cannot govern it. Your career becomes brittle not for lack of skill, but for lack of synthetic perception.\u201d<\/p>\n<h2 class=\"wp-block-heading\">8. Sticking to yourself<\/h2>\n<p>Professionals in every discipline advance in part by helping others do their jobs, becoming trusted partners to their colleagues, and building relationships throughout their organizations. 
Some people find networking easy, while some roles require the kind of collaborating that helps forge those workplace bonds.<\/p>\n<p>The security function at many organizations doesn\u2019t frequently fall into either of those categories, however, even though building relationships is no less important for both successful security programs and individual career advancement, says <a href=\"https:\/\/www.linkedin.com\/in\/kimberlyroush\/\">Kimberly Roush<\/a>, founder of All-Star Executive Coaching.<\/p>\n<p>As a result, security workers must create more of their own opportunities. Roush suggests letting colleagues know you\u2019re interested in connecting: Reach out and ask questions; acknowledge others\u2019 successes; set up meetings to learn from others. \u201cYou should absolutely be doing those things if you want to have influence beyond your own [department].\u201d<\/p>\n<h2 class=\"wp-block-heading\">9. Being stingy with your time and attention<\/h2>\n<p>There\u2019s no question <a href=\"https:\/\/www.csoonline.com\/article\/3851735\/cisos-are-taking-on-ever-more-responsibilities-and-functional-roles-has-it-gone-too-far.html\">CISOs are pressed for time<\/a>, but they need to guard against being so busy that they can\u2019t give their attention to those who come to them with concerns.<\/p>\n<p>\u201cYou don\u2019t want to push someone off with a sharp response, because when you do that, then you\u2019ve lost that person for good; you make that person think, \u2018I don\u2019t want to work with the CISO,\u2019\u201d Cardwell says.<\/p>\n<p>In such cases people will work around the security function, and they will keep concerns and information about security lapses to themselves.<\/p>\n<p>\u201cI know the first time I shut someone down is the last time they bring me something; so if people bring something to me, I receive it with gratitude,\u201d Cardwell adds.<\/p>\n<p>Paying attention to even small complaints or concerns could uncover significant security 
issues that if left unchecked could reflect badly on the security team and its leadership, she notes. \u201cThat\u2019s why if someone is coming to you with something, you should be curious about what they\u2019re bringing to you. It may expose some really interesting things.\u201d<\/p>\n<h2 class=\"wp-block-heading\">10. Mishandling a breach<\/h2>\n<p>CISOs aren\u2019t the only ones who recognize that a security incident is not a matter of if but when; their executive colleagues know that now, too.<\/p>\n<p>Consequently, an incident isn\u2019t a career-killer anymore.<\/p>\n<p>\u201cIt used to be that having a breach would be a black mark for a CISO,\u201d Cardwell says. \u201cBut these days I think that\u2019s almost flipped. I\u2019d prefer to not hire a CISO who has never had a breach, because I would prefer that they\u2019ve had to go through a breach somewhere else, learn from that, and then come into my organization with that experience and a better view of what it takes to be resilient.\u201d<\/p>\n<p>Yet a security incident can still tank a CISO\u2019s career if that CISO fumbles the response.<\/p>\n<p>\u201cIt\u2019s not handling it well that will kill a career,\u201d Rawlins says.<\/p>\n<p>CISOs need to have a well-rehearsed <a href=\"https:\/\/www.csoonline.com\/article\/3829684\/how-to-create-an-effective-incident-response-plan.html\">incident response plan<\/a> so they can execute decisively, staunch the damage, and quickly move toward recovery, he says. They need to communicate calmly and clearly. They need to be in control.<\/p>\n<p>\u201cIt might still be that your time with that employer would be ending. We still see CISOs who have a major breach have maybe 18 months left in their tenure there,\u201d Rawlins says. \u201cBut it doesn\u2019t have to ruin your career.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>There are some bad behaviors that can get executives in trouble. 
Illegal and unethical actions are the most obvious, and they typically make an executive unemployable. Most professionals know to avoid such behaviors if they want to continue their careers. But there are many other missteps that can halt upward mobility, some of which are [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4700,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4699","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4699"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4699"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4699\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4700"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}