Good CISOs / Bad CISOs
I came across this recently, and thought it was a really good read - Good CISO / Bad CISO.
Key points
- Strategy vs. projects: Good CISOs craft a clear, generative strategy; bad CISOs confuse tool lists and project plans for strategy.
- Flywheels vs. firefighting: Good CISOs build scalable, self-reinforcing systems; bad CISOs chase incidents and ticket counts.
- Business communication: Good CISOs speak in terms of risk, capital and opportunity, with quantified positions; bad CISOs rely on techno-jargon and FUD.
- Ownership and culture: Good CISOs own vendor risk, empower teams, surface bad news fast, and partner with the board; bad CISOs abdicate, bottleneck, and are last to know.
Excellent insights and definitely something I’ve observed over the years. This applies to all IT leadership, not just CISOs.
IT and Security are so often seen by businesses only as a cost center, but IT and Security leadership can change that if they approach the role in the way described above.