Why Are CISOs Afraid of Power?
Some CISOs struggle to build influence despite technical expertise because no one trains them in coalition-building, executive engagement, or team empowerment. The CISO role is fundamentally political, yet many security leaders lack the frameworks to develop the organizational influence it requires.
I've worked with security leaders for two decades, and I keep seeing the same troubling pattern. Many CISOs complain constantly about their lack of influence. They're frustrated that executives don't prioritize security investments, that other departments resist their initiatives, and that they're brought into strategic decisions too late or not at all. But I’ve seen many of these same CISOs actively avoiding the very activities that would give them the power they claim to want.
Political capital isn't bestowed by technical competence alone (everyone sitting around the table is a technical expert in their respective domain). It requires deliberate relationship-building, strategic coalition formation, and a willingness to engage in organizational dynamics that many security professionals find distasteful. The CISO role is inherently political, yet too many security leaders approach it as a purely technical challenge.
Here are a few ways I've seen CISOs sabotage their own influence.
Self-Isolating
A lot of CISOs (especially less-experienced ones) tend to hunker down in their security bunkers, emerging only to deliver bad news or demand compliance with a new policy rollout. I see this self-isolation manifesting most often as minimal cross-departmental engagement, communication limited to security incidents or policy changes, and an "us versus them" mentality that positions security as separate from (and often opposed to) the rest of the business. Over the past 5 years, we’ve run dozens of message-testing focus groups, and the #1 keyword that turns off security buyers is “collaboration” because it implies group work with people who don’t report to you. That’s a problem.
The most effective CISOs I work with understand something their peers miss. You don't need to convert people to a new religion to get them into the church. A potluck works just fine, and the results are the same.
Stop waiting for other departments to come to you with the "right" level of passion or commitment to security. Instead, meet them where they are. Attend their team meetings. Understand their objectives and constraints. Find ways to make security an invaluable champion of their goals rather than an obstacle or distraction.
You'll never achieve your security objectives alone. You need allies across the organization who understand that your success is tied to theirs, even if they never become a true believer in the security religion – you don’t need their soul, only their cooperation (or in some cases, to simply stay out of the way). These relationships require consistent and authentic interpersonal interactions that demonstrate you care about their success as much as you care about your own. It’s not an awareness campaign; it’s just not.
Mistaking Correctness for Effectiveness
I've watched too many CISOs operate under the dangerous misconception that being technically correct will ultimately win the day, assuming that if they present the right data, the perfect risk assessment, or the most compelling maturity statistics, executives will naturally prioritize security investments. This is a fantasy, folks.
The CISO role is fundamentally political. Your job is to make security an invaluable business asset. And before anyone clutches their pearls, there are more lucrative career paths in security if you want to prioritize being right over being effective. But if you want a job where technical correctness is the primary currency, don’t become a CISO. I honestly wish our industry would elevate the profile of these alternative roles just as much as we’ve idolized the CISO path. It might be the right choice for some, but not for everyone, and we need to talk more about other ambitions you can pursue in this field.
However, if you do choose the CISO path, you're choosing a role where influence matters more than being right, and you need to be skilled at reading the room and choosing your battles wisely. Not every security risk requires a full-court press with the executive team. Learn to distinguish between genuine business-critical risks and issues that you can manage through tactical solutions or accept as residual risk at the appropriate level of the organization (with the appropriate business lead documenting that acceptance, not you).
Stop talking about attack vectors and start talking about customer trust, operational resilience, and competitive advantage. The C-suite is not impressed by your security architecture. They care about whether you're protecting the assets that matter to the business model.
And here's something I tell every CISO I coach — if the only time executives hear from you is during an incident or when you’re asked to report at a regularly-scheduled meeting, you're already losing. Effective CISOs consistently create value for their peers, establishing themselves as trusted advisors long before they need to ask for anything or get coerced into singing for their supper.
To be clear, I’m not advocating that anyone abandon their principles or accept unreasonable risk – but I am encouraging you to recognize that organizational change requires persuasion, trust, and strategic thinking, not only technical competence. It’s not an accident that the security leaders who build substantial political capital are the ones willing to engage in the messy, interpersonal work of organizational influence. That’s the job.
Not Understanding Executives
Here's a question I ask that routinely exposes the gap between CISOs' stated desires and their actual behavior. When was the last time you talked to the security teams at companies where your board members currently work or previously worked?
If you're like most CISOs I see complaining on social media, the answer is "never." And yet these same security leaders will spend hours complaining that their board doesn't understand security, doesn't prioritize it appropriately, and can't grasp the risks the organization faces.
This is willful ignorance masquerading as victimhood.
Your board members have extensive business experience, and they've seen security programs succeed and fail across multiple organizations. And they've formed opinions about security based on those experiences. If you want to influence them, you need to understand where they're coming from. What security incidents have they witnessed firsthand? What security leaders have impressed them, and what behaviors or approaches earned their respect? What security investments have they seen succeed, and which ones became budget black holes with little measurable impact?
This information is often available if you ask for it. Reach out to security leaders at your board members' other portfolio companies or previous organizations. Asking peer security professionals about their experiences working with shared board members is a no-brainer, and most security leaders I work with are willing to have these conversations because they understand the value of shared intelligence.
Beyond board members, take time to understand your executive peers as individuals with their own objectives, constraints, and career aspirations. Nobody is obstinately refusing to fund security because they hate you (unless you deserve it), but remember that they’re managing dozens of competing investment priorities with limited capital. When you understand the context in which your executives operate, you can frame security initiatives to align with their objectives rather than compete with them, anticipate their concerns, and address them proactively. The goal is to identify opportunities where security investments genuinely enable business outcomes rather than just reduce risk (unless you want to continue to be treated as a cost center).
Hoarding Influence Instead of Multiplying It
The most significant missed opportunity I see is CISOs failing to build political capital through their teams. Many security leaders operate as solo practitioners when it comes to organizational influence, and while they might be working on their own executive relationships, they're leaving their teams completely unprepared to build credibility and trust across the organization. If you empower every member of your security team to earn influence in their daily interactions, you multiply your political capital across dozens of relationships simultaneously. Instead of one CISO trying to convince executives that security matters, you have an entire team of security professionals building trust with engineering, product, operations, marketing, and finance every single day.
Yet how many CISOs are actually training their teams in stakeholder communication? How many are coaching their security engineers on how to negotiate security outcomes into product roadmaps? How many are giving their team members the tools and support to become trusted advisors rather than rule enforcers? The answer, for most organizations, before we start working together, is effectively none.
Instead, security teams are trained exclusively on domain expertise, leaving them unprepared for the interpersonal and communication challenges that determine whether their recommendations are actually implemented. Then CISOs wonder why their teams are seen as obstacles rather than enablers, why security initiatives face resistance, and why they can't scale their influence beyond their own direct interactions. Leading a movement means training your team on communication and influence skills that work in their respective context.
It also means creating opportunities for your team to build relationships. Don't be the sole point of contact between security and other departments. Instead, connect your team members with peers across the organization, and encourage them to attend cross-functional meetings, contribute to projects outside security, and establish themselves as partners to critical business functions. If you're isolated, your team will be isolated. If you position security as separate from the business, they will too. If you only engage with other departments during crises, that's the pattern your team will replicate.
And finally, leading a movement means giving your team permission to prioritize relationships. If your team believes its job is solely to find problems and report them, it'll optimize for that, often at the expense of the trust and credibility needed to actually fix those issues. Make it clear that building effective working relationships is part of their job, not a distraction from it. By this I mean: include it in your performance reviews, because the most expensive engineers are those who can’t form productive relationships that influence outcomes (and remember, there is no single neurotypical way to do this; you have to find what works best for your team).
When you build a security team where every member actively earns influence through their daily work, you create organizational change that no individual CISO could accomplish alone, repositioning security from a department people tolerate into a function people actively seek out to partner with. This is the kind of distributed political capital that survives leadership transitions, budget cuts, and organizational restructuring. Most importantly, you create a movement rather than a mandate. And movements are far more powerful than any individual authority.
Choosing Influence
Political capital doesn’t accumulate by accident, but through deliberate effort to build relationships, demonstrate value, and engage with organizational dynamics. The choice facing many of today’s CISOs is straightforward – either continue operating as a technical expert who complains about a lack of influence, or embrace the political nature of the role and actively build the power necessary to drive meaningful security outcomes.
If you want influence, if you want the organizational authority to make substantial investments and drive real cultural change, you need to be willing to engage in the coalition-building, strategic positioning, and executive relationship management that creates political capital. And then you need to multiply that influence by empowering your entire team to do the same.
Or you can remain technically correct and organizationally powerless. It's your choice.