Ross Haleliuk dismantles a pervasive industry cliché with surgical precision, arguing that the claim that Chief Information Security Officers (CISOs) lack business acumen is not just outdated, but a dangerous myth that obscures the real systemic failures in corporate governance. While the security sector often obsesses over technical vulnerabilities, Haleliuk shifts the lens to the evolution of the C-suite itself, offering a historical corrective that busy leaders need to hear before their next board meeting.
The Historical Anchor
The piece gains immediate weight by grounding its argument in the specific origins of the role. Haleliuk writes, "Thirty years ago, in 1995, Steve Katz (1942 - 2023) was named to the newly created CISO role by Citicorp. This was the first time a company hired a dedicated CISO." He correctly identifies that this wasn't a proactive strategic move but a reaction to a crisis: Russian hackers had stolen over $10 million, and the bank needed someone to manage the fallout. This historical context is vital because it explains why the early role was often a "scapegoat" position rather than a strategic partnership.
Haleliuk points out that the early CISOs were often seasoned managers thrust into a role with no playbook. "It ended up being a lot of on-the-job learning experiences on everybody's part: CISOs had to figure out P&L ownership, strategy, and working with boards, while companies hiring CISOs needed to learn where to draw the line between other roles and that of a CISO." The author's framing here is effective; it reframes the "incompetence" narrative as a failure of organizational design. If the role was created to absorb blame rather than drive strategy, of course the incumbent struggled to speak the language of the board.
The unfortunate part has been that many of the CISOs hired to serve as scapegoats when something failed were given no resources and no executive support to actually make a difference. To put it differently, they were set up to fail.
Critics might argue that this historical excuse is becoming a crutch, suggesting that modern leaders should have evolved faster. However, Haleliuk's timeline is compelling. He notes that the infrastructure, the workforce, and the business models have shifted so drastically that comparing a 1995 CISO to a 2026 leader is like comparing a telegraph operator to a satellite engineer. The role has undergone a "complete transformation," driven by the emergence of formal education programs and a wealth of resources that simply did not exist two decades ago.
The Modern Reality of Risk Translation
The core of Haleliuk's argument rests on the financial reality of the modern CISO. He challenges the notion that these leaders rely on technical jargon to secure funding. "Do you really think that when the CFO & CEO are deciding where to allocate budget, and the CISO ends up getting the money, it happens because the CISO just bamboozles them with technical jargon and some CVE-2024-XXXX speak?" This rhetorical question cuts through the noise. In an environment where every dollar spent on security is a dollar taken from growth initiatives, the ability to secure a budget is the ultimate proof of business fluency.
Haleliuk writes, "I would argue that any CISO who can get their executive team bought-in to fund new security initiatives, when everything is about cost-cutting and top-line growth, is a master communicator, negotiator, and evangelist." This is a powerful reframe. It suggests that if a CISO is getting resources, they have already proven they understand the business. The persistence of the myth, therefore, says more about the cynicism of the observers than the capabilities of the leaders.
The author also addresses the boardroom dynamic directly, noting that modern CISOs are not discussing technical vulnerabilities but rather "business impact, regulatory exposure, operational resilience, brand and customer trust." This mirrors the evolution of the role itself: the first CISOs at Citicorp had to learn on the fly, whereas today's leaders enter with a toolkit of certifications, associations, and peer networks that were unimaginable in the era of Gene Spafford's early academic work on security myths.
The idea that CISOs are "too technical" for the board ignores the reality that getting to the CISO role in 2026 requires mastering far more than technical triage.
Systemic Barriers vs. Individual Failure
Where the article shines brightest is in distinguishing between individual capability and systemic dysfunction. Haleliuk acknowledges that while the "lazy myth" is false, real problems persist. He identifies three systemic issues: companies using CISOs as liability shields, the inherent difficulty in measuring risk reduction, and unrealistic expectations of certainty.
He notes, "Boards want certainty, and executives still measure security success by 'no breaches' instead of resilience." This is a critical insight. The failure is not that the CISO cannot explain the business case; it is that the business case for security is inherently counter-intuitive. As Haleliuk puts it, "How do we measure risk reduction? How do we explain the ROI and quantify the savings of the attacks that didn't happen?" This rhetorical challenge is shared by other functions like HR and marketing, yet security leaders are uniquely punished for the inability to prove a negative.
The author's conclusion is a call to stop blaming the messenger. "We most definitely need to debate these problems and continue maturing our practices. At the same time, it's really time to retire the lazy idea that CISOs are 'bad communicators who don't understand the business'." This is a necessary correction for an industry that often looks for easy scapegoats when defenses fail.
Bottom Line
Haleliuk's most compelling contribution is the historical evidence that the CISO's perceived lack of business acumen was a structural artifact of the role's infancy, not a permanent trait of the profession. The argument's strongest vulnerability lies in its reliance on the "average" successful CISO; it may overlook the specific struggles of those in under-resourced or hostile corporate cultures who are indeed set up to fail. However, the verdict is clear: the industry must stop conflating systemic governance failures with individual leadership deficits, or it will continue to misdiagnose the root causes of its security gaps.