It’s pretty well established that the CISO’s role is moving away from technical to that of a business leader. But all business leaders have different purposes. What’s a CISO’s purpose to serve the business?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Edward Contreras, senior evp and CISO, Frost Bank. Joining us is Ejona Preci, group CISO, LINDAL Group.
Join the conversation on LinkedIn
Huge thanks to our sponsor, ThreatLocker

Full Transcript
Intro
0:00.000
[David Spark] It’s pretty well established that the CISO’s role is moving away from technical to that of a business leader. But all business leaders have different purposes. What’s a CISO’s purpose to serve the business?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me for this very episode, it’s one of your favorites, whether you’ll like it or not. He has to be one of your favorites because he’s one of our three regular co-hosts of the show.
It’s the senior EVP and CISO of Frost Bank, Edward Contreras. Eddie, say hello to the audience.
[Edward Contreras] Hello, audience. And David, thank you for having me back yet again.
[David Spark] We love having you back, Eddie. Our sponsor for today’s episode is ThreatLocker. You’ve heard them here before. Well, they’re the world’s leading Zero Trust platform. And heck, they’re a wonderful sponsor of the CISO Series. What’s great about them is they set you up to allow what you need, block everything else by default including ransomware and rogue code.
And here’s what’s even cooler. We are going to be at Zero Trust World in March so stick around. We’ll talk about that a little bit later.
Now, Eddie, we talk all the time on CISO Series about what makes a successful CISO, but do we have any agreement on what the role actually entails? Richard Seiersen at Qualys defined it as “about making collaborative tradeoffs with accountable peers on control, transfer, and reserves, relative to what the business stands to lose from digital-based threats and related regulatory concerns.” I think that’s one really good take.
Do you have another one, Eddie?
[Edward Contreras] You know, I do. I think historically speaking, people bucket CISOs into three categories: strategic, functional and tactical, and I think that can be offensive. And the reason I say that is because what if you’re defined as functional and tactical, yet everybody’s telling you, you should be strategic?
So I like to overcomplicate it and say there’s actually six roles here. Those six roles then give you a purpose. And I agree with what we’re talking about.
[David Spark] It’s a combination of those three like all three, two of one of them?
[Edward Contreras] It’s even separate from that because I think historically speaking, again, if you bucket into those three, the two that are not strategic are going to say, “Well, I should be, shouldn’t I?” And so I look at this as you’re either transformational, you’re operational, you’re compliance focused, you’re steady state, you’re customer facing or you’re a post-breach CISO.
If you always assume you’re going to be strategic in all those categories, then you’re still at the level with the executives that you need to be at, but now you know the purpose for which you were hired.
[David Spark] All right. We hope not to confuse our audience here, Eddie. So you’re going to have to walk us through this as we do our show.
[Edward Contreras] I am so ready for this, David.
[David Spark] I am very excited to bring our guest on. I was introduced by another guest in our show, Peter Gregory. And in fact, the two of them have been writing books together. Very excited to have her on board. It is the CISO of the LINDAL Group, Ejona Preci.
Ejona, thank you so much for joining us.
[Ejona Preci] Hi, everyone. I’m thrilled to be here. Thank you so much for inviting me, David.
What’s a CISO’s role?
3:01.285
[David Spark] Eric Staffin of Staffin Cyber Risk Associates said, “Being a CSO isn’t about systems. It’s about consequence authority. Who owns it? Who hides from it? And who gets blamed when the music stops? Most CISOs aren’t empowered to touch consequence architecture.
They’re stuck patching the perimeter while the business runs wild with exposure they’ll never see until it detonates.” That’s a pretty interesting take.
Alexander Rogan of Abatis ABTU said, “The CISO should be a business risk leader, not a technologist fixed on dashboards. However, what we are up against, it’s not just structural alignment. It’s conceptual. Many boards and C-suites still fundamentally misunderstand what cyber risk is.
They don’t see it as an enterprise risk. They see it as an IT problem with compliance obligations.” All right. Eddie, both Eric and Alexander here have definitely seen CISOs getting burned before. I would say historically I’ve seen that happening, but I don’t see that happening that much now.
And I am just talking anecdotally now. What do you think? Do you think these stories from Eric and Alexander still hold today, or are things not as bad as they used to be?
[Edward Contreras] I think Eric and Alexander may be demonstrating a little PTSD. There’s some memory here. There are some challenges and maybe historical war wounds. There’s a saying, if everyone owns it, no one owns it. And so I think when it comes to being a CISO, there is an accountable party, which should be one, but there should be everybody who’s responsible for executing that program, which should be all.
And I think that’s the delineation is you have to understand when it comes to accountability, you should have a single owner, but when it comes to execution and responsibility, that’s a collective. If you kind of unpack those quotes, there’s some scar tissue there.
[David Spark] Right. What do you think? I mean, there’s a lot of sort of fear here that the CISOs are not placed appropriately to be business leaders, but we kind of all know as CISOs that is your job. CISOs have been pushing themselves in more. Again, we’re only speaking anecdotally, but what have you seen, and what is your role?
[Ejona Preci] I believe the role of CISO today is nothing like it was five years ago. It has evolved and changed a lot. So we’ve gone from being the chief of department of “no” to the chief of department of “let’s talk about it” and that’s a progress.
But we have to face it. For a long time, many CISOs didn’t get it right because we were patrolling instead of listening to what the business actually needs. And maybe this is an unpopular opinion, but this is how I see it. I think there’s some victimization for the role of CISO.
We’re often the scapegoat. So when things go wrong, we are the first to blame and when things go right, we are barely noticed.
And I don’t quite agree with that narrative because the truth is, until recently, many CISOs didn’t really bother to understand the business. So we were busy implementing controls and safeguards without measuring the real consequence and the friction they create.
Most of the CISOs were talking IP addresses to business leaders instead of explaining what is the risk in clear and relatable terms. And I think this is the root problem that brings everything else on stream.
[David Spark] You bring up a good issue is that we’ve all realized this now, but we can’t assume just because we’ve all realized it that the whole business is at the same point coming with us, yes, Ejona?
[Ejona Preci] Absolutely. Most CISOs still don’t have a seat at the table where critical business decisions are made. And they step in too late after the direction and strategy’s already set, which creates friction and feeds the misalignment of the goals later on.
And this is not a problem itself. This is the symptom. So many CISOs are waiting to be invited to that table, but why would we wait for that? I mean, go talk to your board, to your executives. Explain why you should be there and they’ll get it. They’ll understand it.
Meet them where they are because I truly believe that it’s easier for us to translate this into a business language than for them to learn ours, to learn the technical terms.
What are they looking for?
7:38.626
[David Spark] Segun Adeshina of Symbotic said, “A CFO is a financial expert who transitioned to financial risk and strategy executive. A CISO should be a cybersecurity expert who transitioned to cybersecurity risk and strategy executive.” Good analogy here.
There is a natural path between deep expertise and strategic vision. CISOs can lead strategic conversations without credibility that comes from lived experience.
And Thomas Zeppa of the US Department of Housing and Urban Development said, “A CISO is a business leader, but also needs at least some technical background. I’ve seen career manager CISOs listening to the wrong people because they didn’t have a solid background in the field to know if someone was selling them BS or providing actual value.” Now, we have had both technical and non-technical CISOs on our show before.
But both of these quotes are talking about the need to be a business leader, but have that basis of some technical knowledge. Eddie, just quickly, why do you need that basis of technical knowledge if you’re not actually doing the work, if you’re not looking at the dashboards?
[Edward Contreras] If you look at what Thomas said at the end there, where you are dependent on somebody with their expertise to provide you guidance, yet you can’t pick up that the guidance is potentially incorrect? And that’s not a CISO problem. That’s a leadership problem.
And that could happen with any C-level. It can be a CFO dependent on somebody without a financial background. It can be a CEO dependent on somebody without management background. So I don’t think that’s isolated to just a CISO.
I think that really is if you’re a good leader, you build a strong workbench. You build a phenomenal backdrop to that workbench and you solicit information from a lot of people. It’s not just a single expert. And if you can do that in a way that everybody feels included, if you can do that in a way where the message resonates and people can understand how you came to a conclusion, that ultimately is the goal of the CISO.
So whether you have an MBA, whether you have a technical degree, computer science degree, ultimately your job is to be able to come to a conclusion based on a consensus. If the group says, “Hey, we’re going to help guide you there.” And you have to be able to make ultimately that decision.
[David Spark] And Eddie, one of the things that you have said before many times and we’ve heard this many times before is the CSO has to be the great translator. But what I’m hearing now and what I hear from a lot of people is, yes, you have to be the great translator, but your first language has to be the tech in the security department.
Yes?
[Edward Contreras] Absolutely. And going just even to Segun’s quote, the CFO, they know finance, but they’re not signing off on all the aspects of SOX. So if you have a publicly traded company, you actually have a SOX office that does all that stuff.
So you do need to know the controls that are required, even though ultimately you don’t have to execute it by yourself. So yeah, you’re all dependent on others, but you do need to know that information.
[David Spark] Ejona, your take on the need for technical CISO because I want to stress we’ve had a lot of very successful non-technical CISOs on our programming.
[Ejona Preci] Right. However, I believe that what Segun and Thomas said is absolutely spot on. I personally think that you can talk credibly about cyber risk at the board level if you have never been in the trenches or understood how these controls work in practice.
And that said, yes, in technical terms, technical credibility matters, but it is just the ticket in the door. So it’s not what keeps you in the room. It’s not a destination. And unfortunately, many CISOs stop there. They believe that having those technical controls would be enough to keep them in the room, but the real evolution happens when you start translating that expertise into business language.
We need to expand our horizon to understand the business more. And I think the CFO analogy is great because nobody questions whether a CFO belongs at the table. They earn it. They earn the credibility through both financial expertise and strategic maturity.
And CISOs need to do the same. It’s all about moving from defending the security perimeter to shaping business resilience. And I believe that’s where the role of CISO really transforms.
Sponsor – ThreatLocker
12:09.267
[David Spark] CISOs hear Zero Trust everywhere, but very few conferences actually teach you how to implement it. Zero Trust World 2026 does exactly that. Join us, and I mean us, yeah, CISO Series will be there, March 4th to the 6th, 2026, in Orlando for a fully immersive experience with hands-on hacking labs, ransomware analysis sessions, and practical workshops that show you how to roll out zero trust in the environments you actually manage – hybrid, remote, and, well, good old-fashioned, messy.
You’ll leave with practical playbooks for reducing attack surface, locking down privileges, and maintaining zero trust without overwhelming your team.
And if that wasn’t enough, I will also – yes, that’s me, David Spark – will be doing a live episode of the CISO Series podcast at Zero Trust World again. We did it last year. We’ll do it again this year on the morning of Friday, March 6, 2026, right there on the main stage.
Now, here’s another bonus. CISO Series listeners get $200 off with the code ZTWCISO26 if you go to the website ztw.com. Now, ZTW is standing for Zero Trust World, right? So register today and I’ll see you at Zero Trust World 2026. And if you forgot all those codes, just go to the blog post for this episode.
We’ve got everything there and you click on ZTW, you enter your code, ZTWCISO26, and you’ll get your $200 off. See you there.
Does anyone understand what’s going on?
13:42.049
[David Spark] Jordan M. Schroeder, a CISO over at Arxa Cyber, said, “The CISO role is completely undefined in general.” This was sort of the setup for today’s topic. And while that presents ambiguity between CISOs in different contexts, it presents an opportunity for organizations to properly define what is needed from the CISO for them to succeed in their context.
By the way, I will also add we’ve seen a lot of CSO job listings and a lot of CISO pay and I will tell you that the descriptions in the job listing and the pay ranges are all over the map. So there’s definitely a lot of confusion of the role.
Emma Höij of Change Ability said, “Many organizations hire CISOs blindly, thinking the CISO will teach them everything and fix everything instead of supporting the discussion based on real knowledge about what security is and what security in IT isn’t.
The hiring managers and boards somehow know exactly what they want, but don’t know what they need and they call it a CISO.”
And Steve Albee of Albert said, “If you have a C in your title, then you should be doing whatever the company needs you to do. Just as there is no single definition of what a CEO should do at their company, the role of the CISO will vary based on our organizational context, maturity, industry and strategic priorities.” Ejona, first of all, let me ask you how many times have you been a CISO?
Is this your first or have you done it multiple times?
[Ejona Preci] This is my first time as a CISO, yeah.
[David Spark] Okay. Well, I’m sure you have CISO colleagues. Does everyone have the same job?
[Ejona Preci] Well, I don’t know two people that might have the same job. Each one of them has a different job description. And yeah, that’s another painful truth right there. So the CISO role is still undefined, for sure. Almost every company wants a CISO, but nobody can tell you what they actually mean.
Some want a firefighter, some want a compliance mascot, and others want a strategist. And sometimes they want all these three together in one person. But in chaos, sometimes there’s also big opportunity. So we get to define that success. So why not design the role of CISO based on the organizational needs?
And the problem is most companies never take that seriously. They hire a CISO, throw a thousand expectations at them and then wonder why relationships blow up after one and a half months because that’s an average for CISOs when they resign or get fired.
The CISO role should not be mysterious. It should be contextual based on the size and the strategy of the organization. Every business needs to decide do you want a security operator, do you want a risk leader, do you want a business enabler? Because if you can’t answer that question, then you don’t need a CISO.
You just need more clarity.
[David Spark] Eddie, you kind of began this whole discussion in our opening about the different styles of CISOs. And Ejona brings a really good point, is that each company has different needs. And so while someone may come to the table or looking for a CISO job may be very, very talented, they may not be the right CISO for that organization.
Can you give me an example of how that plays out?
[Edward Contreras] Yeah, absolutely. And if you think about those six categories that I gave you, this is why every CISO needs to have these conversations with the business. And they are unique conversations. If the strategic goal of the company is mergers and acquisitions, if it’s really about growth, then you’re probably not looking for a post-breach type CISO.
You’re probably looking for somebody that’s more on the operational side where they can help you streamline operations and make sure that if you’re going through the M&A, it’s not disruptive. If you’re a company that’s looking for revenue growth and you’re saying, “Hey, we’re going to transition to the cloud and we’re going to digitize and modernize everything,” you’re probably looking for a transformational CISO, somebody that knows how to take existing controls and embed them in this new generation technology stack.
But then again, you might be a company that’s on the Fortune 100 list and you’ve been there for a long time. You should be looking for a steady state CISO. You don’t want disruption. You don’t want somebody coming in and saying, “Hey, I’m going to redesign everything.
I’m going to put my stamp on it.” That’s not what you’re wanting. And even the customer facing CISO, and this probably applies to a lot of private equity, venture capitalist, where you’re looking for somebody that understands more of the B2B conversations, how do you engage with those that need to understand your business concepts?
And so they all serve different functions, but you have to have the conversation to know which CISO seat am I sitting in.
[Ejona Preci] That’s spot on. And I think the mistake many people make is thinking that the title defines the mission. And it doesn’t. The context does. As Eddie pointed out, we need to understand organizational needs. Our job as CISO is to make sure security enables what the company is trying to achieve and that’s it.
Support business objectives.
What’s the optimal approach?
18:55.589
[David Spark] Eckhart M., a CISO at GIZ GmbH, said, “The modern CISO is not only responsible for digital resilience, but increasingly for the integrity of machine-assisted decision-making, and must assure that AI systems are explainable, resilient against adversarial inputs and aligned with regulatory and ethical expectations.
This requires collaborating with data science, legal and compliance teams to govern algorithmic risk.” There’s no discussion of humans in here, which would be an interesting thing to throw away, but it is one good take here, Eddie. What do you think?
[Edward Contreras] This is the perfect spot for an agentic CISO, right? I mean, everybody’s talking about AI, so bring in an agentic CISO.
[David Spark] Because humans are part of this equation here, just Eckhart left it out, but let’s just take his take here. It’s okay.
[Edward Contreras] You think about what he’s saying, this really falls on the back of an operational CISO, somebody that understands, “Wait a minute. If you’re going to bring AI in, you’re typically going to enhance, optimize some type of ineffective or strenuous operational activity.
So why would you bring in somebody who’s transformational who doesn’t know what the organization is doing? So if you work for Coca Cola, if you work for Nestle, if you work for a car dealership, you truly want to understand their operations to be able to apply AI.
So in your pursuit of a CISO, the company should be looking for an operational CISO and sometimes that may come from within. We need somebody that knows our workflows. We need somebody that understands our delivery mechanism so we can apply AI appropriately.
So yeah, they’re a part of the conversation and you do have to get there gracefully with security, but you also have to understand the business intimately.
[David Spark] All right. What’s your take, Ejona?
[Ejona Preci] I believe AI is definitely changing or circumventing the traditional security boundaries. And as organizations are in this game of automating more judgement through AI, the CISO becomes a guardian of integrity. And integrity attacks are something that we have to focus on a lot more than we have in the past.
So CISOs must ensure that AI systems are explainable, are resilient against manipulation and aligned with regulatory and ethical expectations.
We can’t just protect data anymore. We have to protect judgment itself and build trust. So that means building deep partnership with other stakeholders in the organization, such as data science, legal or compliance teams, is necessary to govern AI risk.
We have to treat AI models like living systems. They should be continuously monitored and stress tested and retrained against biases and data drift because trust in AI won’t come from the technology. It will come from the transparency and the accountability around those systems.
Closing
22:03.924
[David Spark] All right. Well, that brings us to the point of the show, Ejona, where I’m going to ask you to take a look at all these past quotes and tell me which one do you like the most and why?
[Ejona Preci] The first quote from Eric because CISOs don’t really have consequence authority and I think this is a systemic problem. They are given responsibility without power. They just don’t own the architecture that creates the exposure. They can’t slow down or avoid a risky deployment or override a bad business decision.
So, yeah, that’s the broken dynamic. The CISO is often held accountable for risks that they can’t actually govern. And that’s why it points back to the idea that CISOs should be introduced earlier in the discussions and decision making. So that’s definitely my favorite one.
[David Spark] Excellent. All right. Eddie, I throw it to you, your favorite quote in one.
[Edward Contreras] So my quote I’m picking is really for the audience here. So if you’re a CISO in pursuit or you’re hiring a CISO, really look at Emma’s quote from Change Ability. If you find yourself in that interview process and you don’t have the answers to which CISO they’re looking for, ask the question, “What role are you looking for me to fill?” That way, both people understand what you’re walking into because if you accept a CISO role and you haven’t defined your position, you’re probably not going to be on steady water for that tenure in your position.
So great quote, Emma.
[David Spark] Excellent. Well, thank you to everybody who contributed. We greatly appreciate it. Often these people become unknowing contributors because we find a great discussion and we pull the quotes and we quote them, so thank you to everyone for being unknowing contributors.
Huge thanks to our sponsor. That’s ThreatLocker. You remember you can go to their website, threatlocker.com, but you’ll also want to go to Zero Trust World. That’s where we’ll be. We’ll be doing a live recording of the CISO Series Podcast. In fact, I’ll also be recording there the day before.
It’s all happening in early March.
Remember, ZTWCISO26. That’s a coupon code. If you go to the website, ztw.com, standing for Zero Trust World, you get $200 off. Go do it. Register. I’ll see you at Zero Trust World, 2026. Ejona, thank you so much for joining us today. We greatly appreciate it.
Eddie, as always, fantastic. We love having you on, so please come back again and again. And to our audience, as I always say and I truly mean it, we greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at david@CISOseries.com. Thank you for listening to Defense in Depth.