
The role of the CISO: mainly risk and audit 

“There are two types of CISOs. The group of people who are busy checking boxes, compliance, and then there’s a group that believes in process innovation, solving risks.” During a recent interview for Security Innovation Stories, this observation from a CISO sparked an interesting question: how much of it is true?

Read the first article in this CISO series: There is a bigger difference between CISO and CISO than you think

Research methodology

This research is based on publicly available LinkedIn profile data of CISOs in the Netherlands. The dataset includes organizational information such as company size and industry, all sourced from public profiles. All data was anonymized to protect privacy, with personal identifiers removed during analysis. Important limitation: the analysis is limited to CISOs that have a LinkedIn account.

What does the data say?

While LinkedIn profile data can’t tell us everything about a CISO’s role, it can reveal what skills and responsibilities organizations value most. When CISOs highlight specific areas in their profiles, it suggests these are the competencies their organizations prioritize – or at least, what CISOs believe organizations value.

The numbers tell an interesting story. Among Dutch CISOs, mentions of emerging security domains such as Operational Technology (OT) security, Internet of Things (IoT) security, API security and application security are surprisingly rare.

In contrast, terms like “ISO” (certifications) and “audit” appear frequently in CISO profiles. This suggests that organizations place higher value on compliance and audit expertise than on specific technical security domains.

Figure: an overview of the number of times CISOs have mentioned app security, ISO certification, OT security, etc. in their LinkedIn profiles.

The compliance trap

This focus on compliance and audits might explain a common complaint in the security industry: CISOs’ lack of decision-making power. Recently, a security vendor mentioned they don’t focus on CISOs because budgets aren’t there – they prefer targeting CTOs and CIOs who have real decision-making power and who control budgets.

This raises an uncomfortable question: If the CISO’s role is primarily focused on audits and compliance, should we be surprised by their limited decision-making authority? Consider the parallel with quality assurance: We don’t typically expect QA engineers to make business decisions. Their role is to identify issues and ensure quality standards are met, while the broader organization decides how to address these findings.

When CISOs focus solely on compliance and audits, they essentially perform the same function as QA engineers but for security standards instead of product quality. They check boxes, ensure adherence to frameworks, and identify gaps – but don’t drive strategic decisions. If we wouldn’t include QA engineers in major business decisions about product direction, why would we treat compliance-focused CISOs differently? This might explain why many organizations keep their CISOs out of strategic technology and business discussions.

The risk of risk management

The contrast with other leadership roles is striking. Marketing leaders consistently take strong positions on emerging trends, technologies, and strategies. They actively shape discussions about digital transformation, customer experience, and market evolution. Yet in the security domain, the most heated CISO discussion I’ve witnessed recently was about the effectiveness of security awareness training.

Where are the CISO voices leading conversations about threat intelligence strategies? Why aren’t we seeing CISOs taking strong positions on managing OT security, or shaping the discourse around emerging security architectures? While marketing leaders confidently guide their organizations through digital transformation, many CISOs seem hesitant to lead beyond their audit-focused comfort zones.

This audit-centric approach might be creating a self-fulfilling prophecy: Organizations hire CISOs primarily for compliance, limiting their involvement in strategic security decisions. This, in turn, reinforces the perception that CISOs should stick to audit and compliance work.

Moving forward

The question isn’t whether audit and compliance are important – they are. The question is whether this should be the primary focus of the CISO role. As security challenges become more complex and technically sophisticated, organizations might need to reconsider the balance between compliance and technical security leadership in their CISO positions.

For vendors and security professionals, this insight has practical implications. If you’re selling to CISOs, understand that their influence might be limited by their organization’s view of their role. Consider whether other technical leaders might be better positioned to make security investment decisions.

For organizations, it’s worth examining whether an audit-focused CISO role truly serves their security needs. In a world of rapidly evolving threats, perhaps it’s time to expand the CISO’s scope beyond compliance and into more strategic security leadership.

Michelle Wols

Michelle is an expert in understanding target audiences in security and IT, and transforming the product positioning of complex products into sharp, compelling marketing strategies that hit the mark.