A CISO I know spent most of last quarter on three things: renewing cyber insurance, prepping a SOC 2 audit, and writing a board deck explaining why the company’s risk posture was “trending positive.” Zero hours on threat modeling. Zero hours reviewing detections. Zero hours pressure-testing the incident response runbook that hadn’t been touched since 2023. When the help desk got phished in March, the first call wasn’t to the security team — it was to outside counsel and the broker.
That’s the job now for a lot of people wearing the title. Not security leadership. Risk transfer, evidence collection, and liability management with a security vocabulary on top. The shift didn’t happen by accident, and it isn’t entirely the CISO’s fault. But it’s worth saying out loud, because the industry keeps pretending the title still means what it used to.
The job description quietly rewrote itself
The modern CISO role is shaped less by attackers than by three external forces: the cyber insurance market, the regulatory disclosure regime, and personal liability exposure. All three reward documentation over defense.
The insurance side is the most visible pressure. After the 2020–2022 ransomware loss years, carriers tightened underwriting hard. Renewals now hinge on a controls questionnaire — MFA coverage, EDR deployment, privileged access management, immutable backups, email filtering, security awareness training. The questionnaire becomes the security program, because the questionnaire is what gets priced. A CISO who scores well on the questionnaire and renews at flat premium is a successful CISO, regardless of whether the controls actually work in practice. The artifact matters; the outcome is downstream and unmeasured.
Then there’s the SEC’s cybersecurity disclosure rule, which took effect in December 2023 and requires public companies to disclose material cybersecurity incidents on Form 8-K within four business days, plus annual disclosures on risk management, strategy, and governance in 10-K filings. The rule is reasonable on its face. The downstream effect is that “cybersecurity” inside a public company increasingly means a workstream owned jointly by Legal, IR, and the CISO, where the deliverable is a defensible narrative. Materiality determinations, board minutes, written policies, evidence that the program exists. The CISO becomes the person who produces the documentation that proves the company took cyber seriously, whether or not the company actually did.
The third force is personal. The 2023 SEC charges against SolarWinds and its CISO Timothy Brown — alleging fraud and internal controls failures tied to public statements about the company’s security posture — landed like a meteor on the profession. A federal judge dismissed most of the charges in July 2024, but the message had already been sent: a CISO can be personally named in an enforcement action over what the company said about security. The rational response, if you’re a CISO with a mortgage, is to spend more time on what you sign and less time on what you ship. Indemnification clauses, D&O coverage, written committee minutes, careful language in every public artifact. None of that stops attackers. All of it protects you.
What an insurance broker with a laptop actually does
Strip away the title and look at the calendar. A meaningful share of CISOs spend their week on:
Audit and compliance evidence collection — SOC 2 Type II, ISO 27001, PCI DSS, HIPAA, FedRAMP, whatever applies. Most of this is screenshotting consoles and writing control narratives.
Insurance renewal cycles — questionnaires, broker calls, application attestations, sub-limit negotiations.
Vendor risk management — sending and receiving questionnaires that nobody reads carefully, scoring third parties against frameworks that don’t predict breaches.
Board and committee reporting — quarterly decks with green/yellow/red dashboards, NIST CSF maturity scores trending up and to the right, phishing click-rate charts.
Policy authorship and review — acceptable use, data classification, incident response, BCDR, all of which exist primarily to be shown to auditors.
This is real work. Some of it is even useful. But notice what’s missing: actually understanding the attack surface, sitting with detection engineers, reading recent IR reports, running tabletops with actual technical depth, reviewing change tickets for risk, threat modeling new products before launch. The technical practice of defending the company has been quietly delegated downward — to a security architect, a head of detection, a “deputy CISO” who does the engineering while the CISO does the paperwork.
The framework treadmill
A symptom worth naming: the dominance of frameworks as the unit of work. The NIST Cybersecurity Framework reached version 2.0 in February 2024, which expanded the original five functions — Identify, Protect, Detect, Respond, Recover — to add a sixth, Govern, that explicitly elevates oversight, policy, and risk strategy. ISO/IEC 27001:2022 restructured Annex A into 93 controls across four themes. CIS Controls v8 reorganized into 18 controls and three implementation groups. PCI DSS v4.0.1 became mandatory at the start of 2025.
These are useful frameworks. The problem is that for a lot of CISOs, the frameworks have become the program rather than a tool to build one. The maturity assessment becomes the strategy. Moving a CSF subcategory from “partial” to “risk-informed” becomes the goal. The board sees a radar chart, the audit committee sees a heat map, the broker sees a checked questionnaire box. None of these artifacts predict whether the company can detect an Okta token replay, contain a vendor-driven supply chain compromise, or rebuild from immutable backups when the encryption keys for the production cluster are also encrypted.
The framework treadmill produces a specific kind of CISO: fluent in maturity language, comfortable in board rooms, often genuinely smart, but increasingly distant from the technical reality of their own environment. Ask them what their mean time to detect is for a credentialed insider scenario and you get a framework citation, not a number.
What the role looks like when it actually works
The good CISOs — and they exist — share a few traits that cut against the broker pattern.
They keep one foot in the technical work. They sit with detection engineers reviewing recent alerts. They read the IR write-ups in full, not the executive summary. They can have a real conversation about why the EDR missed something, not just whether EDR is “deployed.”
They treat compliance as a tax, not a strategy. SOC 2 gets done because customers require it; it isn’t confused with security. The framework score is a communication tool for the board, not the operating plan for the team.
They negotiate scope hard. They say no to running IT, physical security, privacy, fraud, and trust & safety as a bundle, or they get explicit budget and headcount for each. The job has been expanding into a generalized “head of every adjacent risk” role, and the people who let that happen end up doing nothing well.
They build talent below them and protect it. The senior detection engineer, the principal security architect, the IR lead — these people are the actual security program. A CISO who can’t retain them isn’t leading a program; they’re presiding over one in slow decline.
They tell the board the truth in plain language. Not “we are NIST CSF 2.0 tier 3 across the Govern function,” but “our detection coverage for identity-based attacks is weaker than I want, here is the specific investment to fix it, here is what we will not cover, here is what I am accepting on your behalf.”
Why the broker pattern persists anyway
Pointing at lazy CISOs misses the structural cause. The broker-CISO is what the system has selected for. Boards want assurance and a name to point to in a 10-K. General counsel wants someone who can sit in privileged conversations and produce defensible documentation. CFOs want the insurance premium to renew. CEOs want a green dashboard. Recruiters screen for “boardroom presence” and framework fluency, not detection engineering chops.
If every incentive in the hiring funnel rewards the broker pattern, the broker pattern is what you get. The handful of CISOs who resist it usually do so because they came up technical, kept their hands in the work, and are senior enough to push back on the role expanding into pure risk-translation. That’s not most of the market.
The honest version of the title
“Chief Information Security Officer” implies someone responsible for the security of information. A more honest title for a lot of the role as practiced would be Chief Cybersecurity Risk Officer — accountable for documenting, transferring, and disclosing cyber risk, with operational security delegated to deputies. There’s nothing shameful about that job. It’s a real job and the company needs someone doing it. The dishonesty is calling it security leadership and then being surprised when the company gets breached and the CISO genuinely didn’t see it coming, because the calendar that produced their last twelve months had no time on it for seeing things coming.
If you’re a CISO reading this and the description stings, the question worth sitting with isn’t whether the critique is fair across the profession. It’s what your own last quarter actually looked like, and whether the person doing the technical security work at your company has your title or someone else’s.