Good CISO / Bad CISO
- Phil Venables
- Sep 20
In a first for this blog, here is a post I worked on with Mike Aiello, a former colleague from Goldman Sachs and Google. Like me, he has worked multiple security and engineering roles and, especially in one of his most recent roles at Secureworks, worked with a range of security teams across many different types and scales of security companies. From these experiences we’ve both seen the good patterns and the not-so-good patterns of security leadership.
______________________________________________________
A successful security program is one of the highest-leverage contributions an individual can make to a modern enterprise. It builds resilience, enables innovation, and creates durable trust with customers. Yet the role of the Chief Information Security Officer (CISO) is widely varied and often misunderstood. After decades of building and observing security programs, we’ve found that what sets great CISOs apart is not budget or technology; it’s mindset, strategy, and ownership. Inspired by a16z’s Good Product Manager, Bad Product Manager framework, here's the Good CISO / Bad CISO equivalent.
Good CISOs are business executives who manage technology risk. They are the CEO of the Security Program. They take full responsibility for the organization's resilience and measure themselves in terms of business outcomes. They know the context going in—the company’s strategy, its revenue model, its culture—and they take responsibility for devising and executing a winning plan to manage risk. No excuses.
Bad CISOs are IT managers who manage security tools. They have lots of excuses. Not enough funding, developers are insecure, the board doesn’t get it, users are careless, we’re overworked. These are symptoms of a CISO who defines their job too narrowly and has abdicated ownership.
Good CISOs define a crisp strategy—a coherent theory of how to win against adversaries and build resilience. They know a plan is not a strategy. Their strategy is generative; it creates and inspires work for other teams, making the entire organization safer. They define the "what" (a secure-by-design platform) and empower others to manage the "how."
Bad CISOs confuse a list of projects and vendor purchases for a strategy. They present complex project plans but can’t articulate a simple, overarching goal. Their work is consumptive; it burns through the security team's time and political capital.
Good CISOs build flywheels. They design self-reinforcing systems that scale security, reduce the unit cost of control, and make the secure path the easiest path. They move security from an artisanal craft to an industrial-scale capability. They anticipate serious systemic risks and build real, scalable solutions.
Bad CISOs run a fire station. They are constantly swamped, lurching from crisis to crisis. They complain about being a bottleneck and their primary measure of productivity is the number of tickets closed. They put out fires all day while the kindling and sparks of future fires remain unresolved.
Good CISOs manage their vendor, software and partner supply chains. They focus on buying secure products, not just security products. They use their purchasing power to influence vendors to build security into their core offerings, raising the tide for everyone. They treat vendors as an extension of their own risk surface and hold them to high standards. They actively work to reduce demand for security services through strategic risk avoidance (e.g., tech modernization) and improve the efficiency of their supply.
Bad CISOs just buy more security products. Their vendor management strategy begins and ends with the procurement of the next tool. They are reactive to vendor sales pitches and see technology as a silver bullet for their process and people problems. They constantly complain about a lack of budget without offering strategic alternatives to reduce the security burden on the business.
Good CISOs communicate in the language of the business: risk, capital, and opportunity. They quantify risk to provide evidence, not anecdotes. They create leverageable collateral—FAQs, white papers, clear risk position statements—to scale their message. They take written positions on important issues, from architectural choices to risk acceptance. They manage risk as Hazard + Outrage, understanding that stakeholder perception and emotion are as critical as technical facts. They proactively model and manage the narrative.
Bad CISOs communicate in techno-speak and FUD. They overwhelm stakeholders with metrics that lack business context. They complain that they spend all day answering questions for other teams. They voice their opinions only verbally and lament that the "powers that be" won’t let it happen. When they fail, they point out that they predicted it. They are blindsided when minor incidents cause major stakeholder outrage, complaining that "they don't understand the real risk".
Good CISOs have deep technical foundations, but use them for empathy. Their technical fluency grounds their strategy in reality and allows them to understand the constraints and challenges faced by developers, engineers, and vendors. They use this knowledge not as a weapon to win arguments, but to ask better questions, foster credibility, and collaborate on practical, achievable solutions.
Bad CISOs either lack technical depth or wield it like a club. If they lack it, they cannot have credible conversations with their engineering counterparts and are easily swayed by vendor hype. If they have it, they use it to dictate the "how," forcing their preferred implementation on teams, stifling innovation, and creating resentment. They win the technical battle but lose the strategic war for hearts and minds.
Good CISOs ensure bad news travels fast. They know that information is often filtered and softened as it moves up the chain of command, leaving leaders with a dangerously rosy picture of reality. They create a culture of psychological safety where bringing bad news early is rewarded, not punished. They want to know the ugly truth, and they want to know it first. They are not just technologists; they are culture builders. They understand that the best security controls are not firewalls, but a workforce that is security-aware and motivated to do the right thing.
Bad CISOs are the last to know. Their leadership style discourages people from surfacing problems, ensuring they are insulated from the ground truth. They are victims of the very information filtering they helped create.
Good CISOs build and empower their teams. They focus on developing future leaders and creating leverage through federated models like security champions. They know their job is to build a function that can outlast them. They are not the single point of failure.
Bad CISOs hoard information and decision-making. They believe their indispensability is a measure of their success. They are the primary bottleneck and the single point of failure for their team.
Good CISOs enable the board to govern more effectively by teaching them what "meta-questions" to ask about risk, turning oversight into a strategic partnership and creating shared accountability.
Bad CISOs view the board as a passive audience to be managed or an obstacle to be overcome. They deliver status reports that aim to secure their budget but fail to build the board's own capability.
Good CISOs play long-term games with long-term people. They understand the power of their peer network, contributing as much as they take. They build relationships based on trust and mutual respect. They define their job and their success by the success of the business and instill the discipline that allows teams to operate with speed and autonomy.
Bad CISOs are transactional. They tap their network only when they need a quick answer or their next job. They are takers, not builders. They constantly want to be told what to do and demand only compliance, which stifles teamwork and creates bottlenecks.
Bottom line: Good CISOs are practical, technical, and business-oriented executives who inspire their teams, collaborate with peers, and hold themselves accountable for driving change. They know how to balance strategy and tactics without letting either overwhelm the other. Bad CISOs, well, don’t do any or nearly enough of these things.