Stop Telling CISOs to ‘Stop Complaining’

“CISOs should stop complaining and do something positive instead.” If you’re a board member or business leader, you’ve probably said, or heard, something like this. Perhaps you’re tired of hearing about threats. Or frustrated by yet another budget request. Or wondering why your security chief seems to focus only on problems.

Your CISO is responding to the environment you’ve created.

The paradox of invisible success

Security only makes headlines when it fails. A ransomware attack costs millions and generates emergency board meetings. The hundred attacks your team stopped last month? You never hear about them.

Your CISO succeeds when nothing happens. And in most organisations, “nothing happening” doesn’t warrant a mention in board papers. Revenue growth gets bonuses. Successful product launches get board recognition. Prevented disasters get silence.

What CISOs actually do

Good security leaders spend most of their time enabling business, not blocking it. They:

  • Build security into new products from day one
  • Automate threat detection so small teams can handle growing attack volumes
  • Enable cloud migration, remote work, and digital transformation
  • Train employees to spot phishing before it causes damage
  • Help you enter new markets by meeting regulatory requirements
  • Build customer trust through proven security practices

You don’t see this work because you don’t ask about it. Your quarterly business reviews focus on problems found, not business enabled. Your performance discussions centre on incidents that occurred, not disasters prevented.

You’ve encouraged your CISO to talk about threats. Then you complain that’s all they talk about.

The budget question

Let’s address the money. You’re frustrated by constant resource requests. But consider what you’re asking your CISO to do:

  • Protect the organisation against nation-state actors, criminal enterprises, and insider threats.
  • Comply with an expanding web of regulations across multiple jurisdictions.
  • Secure systems that business units deploy without consulting security.
  • Defend against vulnerabilities that appear faster than they can be patched.

And do it all with last year’s budget.

Some CISOs communicate this poorly. But poor communication doesn’t mean the underlying needs aren’t real.

When your CISO asks for resources, they’re not empire-building. They’re telling you what it costs to manage the risks you’ve accepted by running a digital business. You can either fund the defences or accept the consequences.

Calling it “complaining” doesn’t make the risks disappear.

What you need to change

First, recognise that security isn’t optional. You run a digital business. Digital businesses are targets. Every business decision you make – new markets, new products, new technologies – has security implications. Pretending otherwise doesn’t reduce risk. It just means surprises happen at the worst possible moment.

Second, change how you engage with security:

  • Treat security briefings as strategic risk discussions, not scare sessions
  • Ask “What did we enable this quarter?” before asking “What problems did you find?”
  • Invite your CISO into business planning early, not after decisions are made
  • Recognise that security spending enables revenue, not just protects it

Third, fix your metrics:

  • Business projects delivered securely and on time
  • Time from “can we do this?” to “yes, here’s how”
  • Incidents that actually impacted business operations
  • Compliance maintained across all jurisdictions
  • Customer trust and retention rates

None of this happens overnight. But it starts with recognising that security is a business function, not just a technical one.

Fourth, fund security realistically. You have three options:

  1. Fund the controls your CISO recommends
  2. Accept the risks and document that decision
  3. Change your risk appetite and adjust business plans accordingly

What you can’t do is ignore the risks, refuse to fund the controls, and then blame your CISO when something goes wrong.

What you should expect from your CISO

This doesn’t mean giving your CISO a free pass. You should expect:

  • Communication in business terms, not technical jargon
  • Solutions proposed, not just problems identified
  • “Yes, if we do X, Y, and Z” instead of flat rejections
  • Business impact quantified wherever possible

For instance, instead of “We can’t use that cloud provider, it’s not secure,” you should hear “We can use that provider if we implement these specific controls, which will add two weeks to the timeline and £50,000 to the budget.”

If your CISO can’t do these things, that’s a performance issue. Address it directly. But don’t confuse poor communication with legitimate risk management.

The real problem

Your CISO focuses on threats because:

  1. You measure them on threats found
  2. You blame them when breaches occur
  3. You don’t credit them when breaches don’t occur
  4. You exclude them from business planning
  5. The culture treats raising concerns as “complaining”

They’re responding rationally to the environment you’ve created. You own those conditions.

What good looks like

Success means treating security as a business function, not a technical one. Organisational boards and executives should:

  • Review security metrics that focus on business outcomes
  • Include CISOs in strategic planning from the start
  • Celebrate security wins, not just dissect security failures
  • Fund security as part of business enablement, not grudgingly
  • Ask “How do we do this safely?” not “Why can’t we do this?”

Closing thought

Most CISOs are already enabling business and managing risk. The question isn’t whether they complain too much. It’s whether you’re measuring and rewarding the right things. Change your metrics, change your engagement, and the ‘complaining’ narrative disappears. What you get instead is a security function that helps you move faster with confidence.
