Do We Even Need a CISO Anymore?
Welcome to Unchained, your monthly dose of hot takes and practical advice from – and for – engineering and security leaders.
I’ll be honest: sometimes I wonder if my job should even exist. See if the following sounds familiar:
So there you are, in another audit committee meeting. You’re presenting your slides about how many billions of attacks the company faced last quarter, and how many of those were P1 or P2 incidents—whatever those actually mean. Or maybe it’s a report on IT project milestones, “EDR coverage,” or “defects per device.” And as your colleagues sit there, trying to secretly scroll their phones under the table, hoping you won’t notice, you know they’re not thinking about security at all—they’re thinking about how to get an earlier flight home, the 2H budget projections, or mostly how none of this word salad on the screen seems to connect with the ransomware attacks they keep reading about in the headlines.
You start to wonder: Is this really how a company should manage cybersecurity risk? Is this the best we can do?
To me, the answer is a resounding no.
I’ve spent more than a decade leading both offensive and defensive cybersecurity programs, and I’m convinced we can do much better. In fact, we must do better—for our employees, our investors, and for our society at large. What I’ll share here are my own reflections, shaped by experience and conversations with peers.
The Problem With the Old Game
The Chief Information Security Officer (CISO) role was born in the 1990s, when corporate computing and security still felt new and scary. Cyberattacks were happening, nobody knew how to handle them, and companies started hiring people to own the problem. That “owner” became the throat to choke if something went wrong. Yet decades later, too many CISOs are still playing the same game like it’s the ’90s: cranking out audit reports and hiding behind acronyms and risk registers.
Let’s be real: if security programs want a shot at being effective today, they need to act like part of the business and serve it, not sit off in an ivory tower issuing proclamations at it.
Enter AI
Why? Because AI is changing the game for businesses. Generative AI is increasing the volume of code, the velocity of engineering, and the demands for performance. Microsoft recently reported that 30% of their code is written by AI, and Dario Amodei, Anthropic’s CEO, predicts that in 3-6 months, AI will be writing 90% of new code. For security leaders, this is happening. Simply thinking they can say “no” to AI won’t work. Nor will simply treating AI like a compliance or data security problem. To be relevant in this emerging world, CISOs and their strategies need to evolve to match the new pace and attack surface of their organizations. They need proactive approaches that secure AI-generated code and AI-powered businesses at scale.
AI can also now handle an increasing amount of the security workload – investigating alerts, drafting security strategies, planning and executing basic penetration tests, and even guiding engineers in writing more secure code. I’ve seen prompts to ChatGPT produce security strategies on par with what you’d get from a lot of CISOs. And yet, many security leaders are still clinging to their old playbooks instead of embracing these new opportunities.
The real opportunity here isn’t merely to retool or churn out even longer slide decks with AI. It’s to fundamentally rethink how and why our security programs do what they do from the ground up.
The Hard Question
So here’s the uncomfortable question: do we even need CISOs anymore, at least in the traditional sense?
If the role is just about producing slide decks for the board, maintaining certifications, and being the scapegoat when things go wrong, that’s not leadership. That’s bureaucracy. The companies that thrive in the next decade won’t be the ones with the most audits, the biggest controls matrix, or the longest vendor risk questionnaires. They’ll be the ones that bake security into engineering, leverage AI to scale it, and build products that customers really love. The ones who prove that security can be invisible, intelligent, and a catalyst for innovation and growth, rather than a drag on them.
That’s the game. And it’s time we start playing it differently.
-Quincy Castro, Chief Information Security Officer, Chainguard
For more supply chain security musings and ready-to-use resources from the Chainguard team, sign up here for our monthly newsletter.
Complex Incident Management & Response | Product Security | DFIR | SOAR & Security Automation | Security Engineering, Program Management & Security Program Design
1mo: +1. Would you ever seek to hire a CFO, CMO, Chief of Product, Chief Engineer, etc. who wasn't expected to add business value in some manner? Then (1) don't maintain a CISO position that's not expected and enabled to do so, and (2) don't hire/retain a CISO who can't, either.
Software Engineer
1mo: I really appreciate how Quincy listens and quickly understands what people are saying and where they are coming from. That empathy and a security-first mindset empower my team to voice needs and to stay focused on high-impact work. We’re not just going to meet compliance needs, we’re going to exceed them and embed security at the core of our distro.