You Are a Managerial Type

Here we are touching on one of the biggest tensions in modern cybersecurity leadership which also frustrates many technical professionals who report to CISOs/CSOs.

Many security executives lack technical depth because of how CISOs are chosen and what executives are expected to do. And yes — this can lead to bad decisions and teams quietly doing whatever they want.

Why Many CISOs Don’t Understand Core Technical Concepts

1. The job evolved faster than the talent pipeline

10–15 years ago, CISOs were often:

  • IT managers
  • Risk managers
  • Compliance officers
  • Auditors

NOT deep cybersecurity engineers.

The industry didn’t have a strong pool of technical leaders ready to become CISOs, so companies promoted people who understood governance and compliance, because that’s what they believed security was about.

Result: CISOs with strong governance skills, but weak technical grounding.

2. Companies often hire CISOs for compliance, not security

Businesses (especially non-tech ones) frequently see “security” as:

  • Risk documentation
  • Policies
  • Audits
  • Insurance
  • Vendor questionnaires
  • Framework alignment

NOT architecture, encryption, endpoint controls, cloud hardening, etc.

So the CISO they hire is someone who knows:

  • NIST
  • ISO 27001
  • Risk registers
  • Audit cycles
  • Board reporting

Not necessarily:

  • PKI
  • Browser sandboxing
  • Memory corruption
  • Identity architecture
  • Secure development lifecycle

They're hired to produce paperwork, not to build a defensible infrastructure.

3. Some CISOs feel threatened by deeply technical conversations

A surprising reality: Many CISOs double down on “I don’t need to know that level of detail” because:

  • They don’t want their lack of knowledge exposed.
  • They feel defensive around technical staff.
  • They want to maintain authority and avoid looking uninformed.
  • They assume their technical teams will handle the “details.”

This leads to a culture where technical conversations get shut down or oversimplified.

4. Security leadership has become extremely business-focused

Modern CISOs spend the majority of time doing:

  • Budgeting
  • Board presentations
  • Risk acceptance discussions
  • Incident communication
  • Vendor negotiations
  • Legal & compliance issues
  • Executive politics
  • Cross-department coordination

They become business executives first and security practitioners second.

Some stop investing in technical skill development entirely.

5. Complexity inflation makes it hard to stay current

Cybersecurity today is:

  • Cloud
  • Zero trust
  • DevSecOps
  • IaC
  • Containerization
  • SASE
  • EDR/XDR
  • Identity federation
  • Microservices
  • Encryption everywhere
  • AI and ML threats
  • Compliance frameworks

It’s challenging even for technical practitioners to stay current in all domains.

Many CISOs give up on the technical side and focus on strategy only.

Why This Is Actually a Problem

1. You can’t make informed risk decisions without understanding the technical reality

If a CISO doesn’t understand:

  • How encryption fails
  • How browser sandboxing works
  • How identity is actually implemented
  • How web applications are exploited
  • How cloud networks function

Then their decisions about risk, investment, staffing, and strategy are inherently flawed.

You can't manage what you do not understand — at least not well.

2. The “trusted team” problem you described is very real

If the CISO has low technical literacy:

  • Teams learn they can hide shortcuts.
  • Architects slip in risky designs because they won’t be questioned.
  • Vendors oversell tools and executives buy them.
  • Engineers build what they find easiest, not what is safest.
  • Incidents get minimized or sanitized before reaching leadership.

Low technical literacy creates blind spots that attackers will exploit.

3. Technical staff lose respect for leadership

A technical team won’t be motivated by a leader who:

  • Doesn’t understand the work
  • Makes decisions that don’t align with actual security needs
  • Buys the wrong tools
  • Doesn’t question architecture
  • Falls for vendor hype
  • Rejects or misunderstands technical recommendations

This harms morale and contributes to turnover — especially among senior engineers.

4. CISOs get manipulated by vendors

Vendors are trained to exploit non-technical security leaders with:

  • Buzzwords
  • Fear-based selling
  • Overpromises
  • “Platform” language
  • Audit-friendly checkboxes

Without technical depth, CISOs often buy:

  • Tools they don’t need
  • Platforms they can’t integrate
  • Products they don’t understand
  • Solutions the team can’t deploy

This wastes money and increases complexity.