What follows is the CISO Code of Conduct. It’s not a checklist, but a mindset. If you recognize yourself in it, good. If you don’t, maybe it’s time to ask why. Either way, this is the bar. Let’s hold it.
The CISO Code of Conduct
Lead with humility, not arrogance. You’re not the smartest person in the room, and if you are, you hired wrong. Build strong systems and stronger people. Surround yourself with folks who challenge you. If your ego can’t take being wrong, you’re not a leader; you’re a liability.
Align security with the business. Security that doesn’t enable revenue, resilience, or operational clarity is just overhead. Learn how your company actually makes money. Tie your work to outcomes, not obstacles.
Own your mistakes. Say it out loud: “I got it wrong.” Don’t hide behind jargon. Don’t scapegoat your team. Model accountability. The tone you set becomes the culture they carry.
Respect people outside your domain. Legal, Finance, Product, HR, and IT all see things you don’t. If you treat them like roadblocks, you’ll never earn trust. The business doesn’t want or need rock-star egos in the boardroom. News flash for many: They never did.
Stop acting like you own risk. You don’t. The business does. Your job is to bring clarity, not control. If your leadership strategy is based on fear, you’re not enabling risk-based decisions, you’re manipulating them.
Treat vendors like humans. Ask hard questions. Hold high standards. But don’t play games or waste people’s time. If you’re only taking meetings to feel important, stay home. Vendors aren’t your fans, they’re your partners.
Stop gatekeeping the security community. You don’t decide who counts. Researchers, engineers, and people new to the field deserve respect if they’re doing the work. Make the table bigger, not tighter.
Mentor. Build. Teach. If you’re hoarding knowledge to protect your job, you’ve already failed. Real leaders grow leaders. Be generous with what you know.
Make yourself replaceable. That’s not a threat; it’s the job. If your program collapses when you leave, you built a fiefdom, not a function. True leadership scales itself out.
Stop complaining. Start fixing. Everyone knows the problems. Very few are solving them. Be one of the few. That’s leadership.
This isn’t a hit piece. It’s a challenge.
A lot of people in this space are trying to do the right thing. But there are also a lot of people hiding behind a title. If this article made you uncomfortable, that’s fine. Maybe it should. Discomfort can be useful if you’re willing to look at it head on.
