CyberWire Daily: Is the Role of the CISO Adding to the Confusion? [CISOP]
Date: March 13, 2026
Host: Kim Jones (N2K Networks)
Guest: Patty Ryan, veteran CISO
Episode Overview
This episode of the CyberWire Daily’s “CISO Perspectives” delves into the persistent confusion surrounding the Chief Information Security Officer (CISO) role, exploring whether ambiguity in responsibilities, reporting structure, and professional development is holding cybersecurity leadership back. Host Kim Jones is joined by fellow long-serving CISO Patty Ryan for a candid conversation about career evolution, burnout, organizational disconnects, and strategies for clarifying and elevating the CISO profession.
Key Discussion Points & Insights
1. The “Amorphous” Nature of the CISO Role
- Historical Context:
- Jones reflects on how the CISO function barely existed when he first entered the field, noting its rapid evolution and lack of clear boundaries.
- “The CISO is the senior executive who oversees an organization's information, cyber, and technology security...that said, we still seem to collectively struggle with most other relevant portions of the CISO gig, so much so that the job description is vague and amorphous on even the best of days.” (08:00)
- Varied Reporting Structures:
- CISOs are found reporting to everyone from the CEO and CIO to legal, finance, and, in some organizations, even HR or the chief medical officer.
- This scattershot reporting creates inconsistent authority and influence, hampering effectiveness.
2. Three Paths in Cybersecurity Careers
- Motivator Categories:
- Jones shares a framework: people are drawn to cybersecurity for technology, making money, or solving problems.
- “If you enjoy solving problems, then you are probably most comfortable heading down a path that culminates in sitting the CISO chair. The prerequisites for such a gig include, well, honestly, nothing, and therein lies at least part of the problem.” (07:00)
- Lack of Defined Pathways:
- Unlike research or consulting, there’s no standardized trajectory or set of prerequisites for a CISO career.
3. Organizational Misconceptions & Mismatches
- Job Title and Authority Mismatch:
- The title “CISO” is not always matched by organizational standing or resources. Sometimes the role is director level, sometimes C-suite.
- In smaller companies, people performing CISO duties sometimes lack the official title, further muddying expectations and impact.
4. The Rotating CISO—Why Burnout Is So Common
- High Turnover:
- The industry average for a CISO’s tenure is startlingly short—about two to three years.
- Ryan: “I think this is the third time... It's funny because I've been seven years here now and that's the longest I've been. Most I know that paradigm.” (12:47)
- Intense Expectations, Limited Understanding from Executives:
- The allure wears off quickly when CISOs aren’t able to “magically make problems disappear.”
- “It's almost as if the first year you're the shiny penny...but the gloss and the shininess melds away.” (12:56; Ryan)
5. Why the CISO Experience Differs from CIOs
- Broader Scope, Less Maturity:
- While CIOs are also under pressure, CISOs face unique challenges: the scope of security reaches beyond IT, with business functions deploying SaaS and handling data independently.
- “It's easy to pigeonhole people to say since it involves a server, it's an IT thing. It's really not anymore because it's how the server's being used and the pervasiveness of the data, how it's flowing.” (13:44)
6. Cultural Issues: Perfectionism, Human Fallibility & the Myth of Prevention
- Impossible Standards:
- Perfection is expected, mistakes are not tolerated, and there’s insufficient room to learn or grow into the role.
- “Humans genuinely make mistakes. Yeah, they are the link and will always be the weakest link. But our profession rushes to perfection or the assumption that my job is to prevent something from happening.” (17:20; Ryan)
- Truth Telling:
- CISOs must push back on myths.
- “...the board said, so you're telling me we're never going to be breached, right? And I said, no, that's exactly what I'm not telling you. And anyone who sits in my chair who tells you that is lying to you.” (19:02; Jones)
7. Metrics & Communication with the Business
- Misaligned KPIs:
- Some metrics, like phishing click rates, are overemphasized or misunderstood; focus should be on minimizing impact, not avoiding every incident.
- Ryan: “Yes, we do monthly phishing simulation. I don't track the click rate. I'm trying to instead understand what's driving the clicking and how do I minimize the impact.” (19:51)
- Risk as a Business Conversation:
- Importance of embedding cyber risk tolerance into business planning, something currently lacking.
- “Information Security is about risk... you never have a conversation really around cyber for businesses to understand what's acceptable risk thresholds or not.” (21:17; Ryan)
8. The CISO Role—Types, Traits, and Accountability
- Multiple CISO Types:
- Jones and Ryan agree that CISO personalities and focuses differ (technical, operational, strategic), but the organizational structure must ensure all security functions are covered, regardless of who holds which title.
- Ryan: “I don't see the person in the role as being something that needs to be cookie cutter. I do see the firm needs to have a structure so that everything is still dealt with...” (26:02)
- Importance of Accountability:
- Regulatory changes are making CISOs more visible and personally liable, so matching authority to accountability, and the communication skills to defend decisions, become crucial.
9. Addressing Burnout & Mental Health
- Admitting Burnout and Adjusting:
- Ryan shares a personal account of burning out and returning with new boundaries and focus.
- “I did burn out. I burnt out bad. And I had to come back with the idea that if you’re going to stay in this job, which you love... you are trying to temper and really get an understanding of livable, actionable items as well as acceptable risk. And you sleep.” (32:02)
- Learning to Let Go:
- Focusing on relationships and communication reduces stress more than chasing technical issues in isolation.
10. Rethinking Team Building & Development
- Feedback and Cross-Functional Integration:
- Ryan discusses instituting 360-degree feedback focused on partnership and perception rather than technical prowess alone.
- “It was about how do you integrate, how do you operate, how do you partner and what are you perceived at as far as a trusted SME.” (36:13)
- Coaching and Mentoring:
- Executive engagement and mentoring are key to preparing the next generation of CISOs.
11. Essential Skills for Every CISO
- Listen, Communicate, Think Strategically:
- Ryan lists her top three:
- Listening: “We don’t listen. We come with solutions. And we don’t necessarily authorize questions and sit in the business issues and understand…” (39:37)
- Soft Skills/Partnership: “...communication and partnership. Solutions come together across functional teams.”
- Strategic Thinking: “A lot of CISOs don’t think strategically. They don’t. And there is an issue with that.” (39:54)
12. Building Community and Information Sharing
- Peer Connection Needed:
- The evolving threat landscape and regulatory reshaping demand more peer sharing and community between CISOs.
- “We as organizations need to be more CISOs, need to be tighter connected... And that's going to be a whole other paradigm shift that's going to become greater as we look at the geopolitical changes that are happening.” (41:37; Ryan)
Notable Quotes
- “The job description is vague and amorphous on even the best of days.” – Kim Jones (08:00)
- “The prerequisites for [the CISO] gig include, well, honestly, nothing, and therein lies at least part of the problem.” – Kim Jones (07:00)
- “I could spell Chief Information Security Officer. I had no idea what the job is.” – Patty Ryan (10:54)
- “The gloss and the shininess melds away when you don’t magically make things disappear...” – Patty Ryan (12:56)
- “Perfection or the assumption that my job is to prevent something from happening—that’s a disservice.” – Patty Ryan (17:20)
- “Anyone who sits here and tells you, no, I’m never going to be breached is a liar.” – Kim Jones (19:20)
- “My job didn’t exist when I got out of college. Your job may not—you know, a totally different job may exist in five years that you fit into.” – Patty Ryan (37:46)
- “We don’t listen. We come with solutions. ...[but] we have to listen to figure out what the problem is.” – Patty Ryan (39:37)
- “The vast majority of CISOs have a great operating plan that they put the word strategy on that isn’t forward looking.” – Kim Jones (40:25)
Timestamps for Key Segments
- Opening Reflections on CISO Ambiguity and Development Paths – [03:00–09:55]
- Patty Ryan’s Entry into the CISO Role & Early Challenges – [10:20–11:25]
- Reasons Behind High CISO Turnover – [12:47–14:48]
- Perfectionism and the Reality of Security Leadership – [17:20–20:16]
- Communicating Cyber Risk to the Business – [21:17–22:23]
- Defining CISO Types and the Accountability Problem – [26:02–29:22]
- Burnout, Mental Health, and Letting Go – [31:30–34:09]
- Developing Teams and Preparing the Next Generation – [36:13–38:10]
- Three Essential CISO Skills – [39:37–41:26]
- Community & The Future of CISO Collaboration – [41:37–42:44]
Conclusion
This episode provides a nuanced exploration of the many forces adding to confusion around the CISO role:
- The absence of standardized career paths, varied organizational expectations, and regulatory pressures make the CISO role both essential and, at times, unsustainably stressful.
- Jones and Ryan both emphasize the need for clearer role definitions, greater cross-functional communication, peer support, and the cultivation of soft skills, strategic thinking, and adaptability.
Final Takeaway:
The CISO role must be more clearly defined—both to attract diverse talent and to ensure business resilience as cybersecurity remains at the forefront of enterprise risk and leadership.