Eradicating CISO Failure

CISOs fail in predictable, visible ways.

CISO failure is mostly not a technical failure. It is a framing and governance failure: state-language meets payoff-language, and the translation from “risk to assets” into “variance in expected enterprise payoff” does not reliably hold, so the organization keeps making the same decisions and the breakdown is visible in every meeting, escalation, and budget cycle.

In 2021 I founded New Cyber Executive. I work directly with CISOs and cybersecurity executives operating under senior leadership and board-level pressure. My perspective is shaped by time as a CISO and executive-for-hire, and by interviews with hundreds of CISOs and their executive stakeholders, where consistent patterns in how this role succeeds and fails become clear across organizations. I’ve written about remedies for this in CISO Impact and Influence: Take the Lead and Nudge the World (available on Amazon).

I don’t see this as a knowledge problem or a capability gap. Most CISOs are technically strong and understand their environments. What fails is how that understanding carries into decision-making systems that don’t operate on the same terms.

Over time, the pattern becomes clear across very different organizations: when security is framed in its own terms, decisions don’t change. The technical direction may be sound, but it doesn’t carry into how the organization actually allocates attention, resources, or accountability. I’ve worked with CISOs in Fortune 100 environments and in 100-person startups who continue to internally frame security this way, and the outcome is consistent, even where the language shifts while the framing does not.

Over the past 20 years, I have worked across public and private sector organizations helping shift cybersecurity from risk-to-assets thinking to risk-to-payoff thinking. This has included advising on strategy, governance, and risk management, as well as stepping in as an executive-for-hire during program transformations, turnarounds, and stand-ups.

I served six years as Chief Information Security Officer for a healthcare insurer, including the early years of HIPAA Security. The program I built was later used by the U.S. Department of Health and Human Services, Office for Civil Rights as a reference point for evaluating high-performing health insurers.

My work has included Fortune 100 companies and public sector organizations, where expectations at the executive and board level, and the use of evaluative-principle strategy and portfolio approaches, materially shape how the role succeeds or fails.

I have developed cybersecurity and risk program frameworks, maturity and audit models, KPIs, and KRIs, along with internal assessment and diagnostic approaches, leveraging executive incentive environments. This work has spanned established standards such as ISO, NIST, COBIT, and regulatory environments, as well as proprietary models.

I have been active in the professional community, including founding and serving as president of the ISSA Buffalo Niagara chapter and serving as president of the ISACA Western New York chapter, along with participation in national committees.

Earlier in my career, I founded infosecpedia.org (1998).

I hold a Bachelor of Science in Computer Science from the University of New York at Buffalo.