Over the years, I’ve seen how dramatically the chief information security officer (CISO) role has evolved and how, in many boardrooms, that evolution is still catching up. Cyber security has moved to the top of the agenda, and rightly so. Yet, despite the growing urgency, I still see boards unsure of what they should really be looking for in a CISO.
It’s not just about hiring someone with the right credentials or technical pedigree. Choosing the right security leader is one of the most important strategic decisions a board can make. Because today’s CISO isn’t just there to put out fires, they’re there to help prevent them from ever happening, and to do so in ways that protect the business while enabling it to grow.
The question is: what does a great CISO look like from the board’s perspective?
The role has outgrown its job description
It wasn’t long ago that most CISOs came up through the infrastructure or engineering ranks. The role was highly technical, mostly internal-facing, and focused on keeping systems running securely in the background. That’s changed.
Today’s CISOs are being asked to be much more than security architects. They’re expected to understand brand risk, interpret complex regulations, speak fluently to investors, and navigate global threat landscapes, all while ensuring their teams can respond at speed and scale when something goes wrong. In some cases, they’re signing off on financial filings and taking legal responsibility for incidents.
It’s a big job. And it requires more than technical skill. It demands business acumen, communication finesse, and a mindset rooted in partnership and accountability.
Risk translator, not just risk reporter
One of the most valuable skills a CISO can bring to the table is the ability to translate risk into language the board understands. This isn’t about dumbing things down. It’s about framing decisions in a way that’s aligned with business priorities.
When the CISO presents, are they simply listing threats and vulnerabilities? Or are they clearly articulating what those risks mean to the business? Can they explain how a delay in patching a system might affect customer trust, revenue, or regulatory standing?
Great CISOs don’t just report risk. They help boards make informed choices about which risks to accept, which to mitigate, and where to invest. That level of clarity builds confidence, even in the face of uncertainty.
Strategic partner with a growth mindset
A strong CISO is someone who understands how the business operates, not just the security tools it runs on. They know which systems drive revenue, where data flows, and how customers interact with the product or platform.
Security shouldn’t be a blocker. It should be an enabler. Boards should be looking for CISOs who ask, “How can we secure this and make it easier for our teams to move fast?” That’s the kind of leader who contributes to innovation, rather than holding it back.
What works for me is treating security as a business function, not a separate domain. When security is woven into strategic conversations from the beginning, alignment becomes far easier, and that’s how you build momentum that actually sticks.
Comfortable in ambiguity
No matter how good your defences are, the nature of cyber security means that there’s always some degree of uncertainty. The best CISOs aren’t paralysed by that; they thrive in it. They know how to make decisions with incomplete information, how to guide a team through a fog of conflicting signals, and how to stay calm when the pressure is highest.
That kind of resilience can’t always be captured on a CV. Boards need to engage directly with candidates to get a feel for how they operate in a crisis. Because when a breach happens, or a regulation shifts overnight, you want someone who brings stability, not panic.
Board fluency and cultural alignment
Technical knowledge is important. But at the board level, communication and leadership style often matter more.
Can this person hold their own in a boardroom full of seasoned executives? Do they instil trust? Are they able to challenge assumptions constructively and frame their input around enterprise risk, not just security checklists?
And just as importantly, ask yourself: are they a good cultural fit? Every organisation has a different rhythm. Some are fast-moving and aggressive. Others are consensus-driven. The right CISO is someone who can adapt to that rhythm while still holding the line on what matters.
Where boards get it wrong
I’ve seen boards make some well-intentioned missteps in this space. One of the most common is hiring based on logo pedigree or technical certifications alone. Those things may look impressive, but they’re no guarantee of leadership ability.
Another trap is assuming that the CISO “owns” the risk entirely. In reality, risk is a shared responsibility. A good CISO facilitates conversations across the executive team. Rather than making unilateral decisions, they drive alignment and surface consequences.
And finally, there’s the tendency to view past incidents as an automatic red flag. Security is about continuous improvement. What matters isn’t whether a breach ever happened. It’s how the leader responded, what they learned, and what they changed as a result.
Lessons from both sides of the table
Having served on boards myself, I’ve seen how transformative it is when a company really understands and values the CISO role. The conversations shift. The investments become more strategic. And the security function starts to drive not just protection, but progress.
It’s also a two-way street. CISOs need to understand the language of the board. That means being able to speak to material risk, business impact, and long-term resilience.
If your CISO can bridge that gap, they’re not just a protector. They’re a partner.
Secure leadership starts at the top
Choosing the right CISO isn’t just a security decision. It’s a business leadership decision. And it’s one that can shape the future of your company more than almost any other executive hire.
So if you’re sitting on a board and evaluating security leadership, I’d encourage you to think beyond the job description. Ask how your CISO sees the business. Ask how they influence change. Ask whether you’ve given them what they need to succeed.
Because when you back the right CISO, you’re not just reducing risk. You’re building a smarter, stronger company.
Rinki Sethi is chief security officer at Upwind Security, a Bay Area cloud security specialist.