Why patching SLAs should be the floor, not the strategy
I’ve been a CISO for two separate companies, know several CISOs personally, and interact with many others through various cybersecurity forums. We all have one thing in common. We can tell you our patching SLA numbers off the top of our heads. Ninety-five percent of criticals closed in 14 days. Eighty-something on highs. The board slide is green. The auditors are satisfied. The client questionnaires come back clean.
Then I ask a different question: what still needs to be done? And the tone shifts from the confident “We’ve got it all covered” to “Wellll… we’ve got some legacy tech debt holding us back.”
What they’re really saying, when someone’s been in the role long enough to stop performing...