Week 9: Reading the Room: What Your CISO Actually Cares About

Security work doesn’t fail because it’s wrong—it fails because it’s misaligned. This post breaks down what CISOs are actually accountable for, how pressure shapes priorities, and how to align security work with the realities of leadership decision-making.
A CISO seated in a boardroom weighs compliance requirements, risk metrics, incident alerts, and budget limitations during an executive meeting.

If you’re trying to get security work done, you need to understand what your leadership cares about. And I mean actually cares about, not what they say in all-hands meetings or what’s in the security strategy document.

Because there’s often a gap between the official priorities and the real priorities. Between what sounds good and what actually drives decisions. Between the aspirational vision and the day-to-day reality of what gets resources and attention.

This isn’t about your CISO being dishonest. It’s about the difference between what they wish they could focus on and what they’re actually accountable for. Between long-term strategic goals and immediate pressures. Between building the ideal security program and managing the organization they actually have.

Understanding this gap—and learning to operate effectively within it—is critical. Because if you’re optimizing for what you think leadership cares about instead of what they actually care about, you’re going to be confused when your priorities don’t get support.

The Board and Executive Pressure

Your CISO has a boss. Usually it’s the CEO or CFO or CIO. And that person has priorities that shape what your CISO can realistically focus on.

If the board is asking about cybersecurity risk quarterly, that’s going to drive attention to board-presentable security initiatives. Things that show measurable progress. Things that can be explained to non-technical executives. Things that demonstrate the organization is taking security seriously.

That might mean compliance certifications even if they’re not the most impactful security work. That might mean high-visibility projects like MFA deployment even if there are more critical but less visible gaps. That might mean metrics that look good in a board deck even if they’re not the most meaningful security measurements.

This isn’t your CISO being shallow. This is them managing upward to people who control budget and strategic direction. If the board cares about something, the CISO has to care about it—or at least has to show they’re addressing it.

Similarly, if the CEO is worried about customer trust, security work that protects customer data gets prioritized. If the CFO is worried about financial risk, security work that prevents fraud or reduces insurance premiums gets attention. If the business is pursuing enterprise customers who require SOC 2, that becomes the priority.

Your CISO’s priorities are shaped by what their leadership cares about. If you want to understand what will get resourced, start there.

The Audit and Compliance Reality

A lot of CISOs spend more time on compliance than they’d like. Not because compliance is the most important security work, but because compliance failures have immediate, measurable consequences.

Audit findings have remediation deadlines. Compliance certifications affect customer contracts. Regulatory requirements have penalties for non-compliance. These create forcing functions that security improvements often don’t have.

Your CISO might know that improving detection capabilities is more valuable than fixing the specific audit finding. But the audit finding has a deadline and potential business impact. The detection capability is important but not urgent.

So compliance work gets prioritized. Not because it’s the best security work, but because it’s the security work with clear deadlines and clear consequences for not doing it.

Understanding this helps you frame security initiatives. If you can connect your project to compliance requirements, it’s more likely to get resources. If you’re proposing work that’s purely about risk reduction without any compliance component, you’re competing against things that have regulatory or contractual forcing functions.

That doesn’t mean you can’t get non-compliance work funded. But you need to make a stronger case, because it doesn’t have the built-in pressure that compliance work has.

(We’ll dive much deeper into the compliance-versus-security tension in Week 9. For now, just understand that your CISO is navigating this dynamic constantly—compliance creates forcing functions that security risk assessments often don’t.)

The Incident Pressure

If your organization has had a security incident recently, that shapes priorities dramatically.

The weakness that got exploited suddenly gets attention. If it was a phishing attack, now there’s budget for security awareness training. If it was unpatched vulnerabilities, now there’s pressure to improve patch management. If it was inadequate logging that made investigation difficult, now there’s support for logging improvements.

This is unfortunate because it means security improvements are reactive rather than proactive. But it’s also reality. Incidents create urgency and political will that risk assessments often don’t.

Your CISO is operating in this environment. If there’s been a recent incident, proposals that address similar risks get easier approval. Proposals that address different risks have to fight harder for attention.

If your organization hasn’t had a major incident, there’s less urgency generally. Security is important, but it’s competing with other important things that have more immediate pressure.

The other dynamic is incident preparedness. If your CISO is worried about the next incident (because of industry trends, peer organizations getting hit, increasing threat activity), they’re going to care about detection, response capabilities, and forensic readiness. Projects that improve those capabilities align with that concern.

The Resource Constraints

Your CISO is managing with finite budget, finite staff, and finite organizational capacity for change.

They might know that the ideal security program includes a dozen major initiatives. But they can realistically fund three this year. They have to choose.

They might want to hire five more security analysts. But they’re approved for two headcount and they’re competing with every other department that also wants to hire.

They might want to implement comprehensive security improvements. But the IT team is already overloaded, and asking them to take on more work means something else gets delayed or dropped.

These constraints are real. Acknowledging them when you’re proposing work shows you understand the environment you’re operating in. This ties directly back to what we covered in Week 7 about why security projects fail. Budget competition, finite staff capacity, and organizational bandwidth constraints aren’t excuses—they’re the reality your CISO navigates every day. Understanding these constraints helps you propose work that can actually succeed.

This means being realistic about scope. Proposing a multi-year initiative when there’s budget for a one-year pilot. Proposing something that can be implemented with existing staff or modest contractor help rather than requiring three new headcount. Proposing something that integrates with current work rather than requiring a separate dedicated effort.

Your CISO is looking for proposals that deliver value within realistic constraints. Not proposals that require perfect conditions and unlimited resources.

The Risk They’re Actually Worried About

Your CISO has a mental model of the organization’s biggest security risks. That model might not match yours.

Maybe you think the biggest risk is inadequate network segmentation. They think it’s third-party vendor risk because of recent supply chain attacks in your industry.

Maybe you think the priority should be improving vulnerability management. They think it’s insider threat because of recent employee incidents.

Maybe you think the focus should be technical controls. They think it’s security culture because the organization keeps making the same mistakes.

Understanding what they’re actually worried about—not what the risk assessment says, but what keeps them up at night—helps you align your work with their priorities.

Sometimes you can learn this from direct conversation. “What are you most concerned about right now?” is a reasonable question.

Sometimes you can infer it from what gets attention and resources. What do they ask about in meetings? What do they fund even when budget is tight? What do they escalate when incidents happen?

If you’re proposing work that addresses a risk they’re not worried about, you need to make the case that they should be worried about it. If you’re proposing work that addresses a risk they are worried about, you’re aligned with their existing priorities and you’ll get a much warmer reception.

The Measurable Progress Problem

Leadership loves metrics. Your CISO probably has to report security metrics to executive leadership or the board.

This creates pressure to work on things that produce measurable improvement. Patch compliance percentages. Percentage of systems with MFA. Number of security training completions. Time to detect and respond to incidents.

Not all valuable security work produces clean metrics. Cultural change is hard to measure. Architectural improvements might not show up in standard dashboards. Detection engineering doesn’t produce a simple percentage.

But measurable work gets reported up the chain. It shows progress. It demonstrates that the security program is doing something.

Your CISO cares about work that produces results they can show their boss. If your proposal will improve security but won’t produce any measurable evidence of that improvement, that’s a harder sell.

This doesn’t mean you should only work on things that produce metrics. But it does mean that if you can articulate how success will be measured and demonstrated, your proposal becomes more attractive.

The Political Capital Budget

Your CISO has political capital with other leaders, and they spend it carefully.

Every time they push for something that creates friction—delays a project for security review, denies a business request, requires organizational change that people resist—they’re spending political capital.

If they spend it too freely, they lose influence. People stop taking them seriously. Their requests get ignored or worked around.

So they pick their battles. They push hard on things that matter most. They compromise on things that matter less. They build relationships so they have capital to spend when they need it.

This means they’re not going to fight for every security proposal you bring them. They’re going to support the ones that are most important and most defensible. The ones where the risk is clear and the solution is reasonable.

If you bring them a proposal that would burn political capital (requires other leaders to give up something they value, creates significant friction, challenges existing relationships), you’d better have a very strong case for why it’s worth it.

Understanding this dynamic means being selective about what you escalate and ask them to fight for. Bring them things that matter. Don’t burn their political capital on things that are nice-to-have or that you could accomplish through other channels.

If you read Week 6 on reporting through IT leadership and Week 7 on political navigation, this concept should sound familiar. Your CISO is doing the same thing at a higher level—managing relationships, building capital, picking battles. The skills we talked about for you to operate effectively apply to them too. They’re just operating with higher stakes and broader organizational scope.

What They Wish They Could Focus On

Most CISOs wish they could spend more time on strategic, proactive security work. Threat modeling. Architecture review. Long-term program building.

What they actually spend time on is often more reactive and tactical. Compliance deadlines. Incident response. Vendor negotiations. Executive reporting. Firefighting.

They know what the ideal looks like. They also know what’s realistic given their constraints.

When you’re proposing work, understand the difference between what they wish they could prioritize and what they can actually prioritize right now.

If you’re proposing strategic, long-term work, acknowledge that it’s competing with immediate demands on their time and attention. Frame it in a way that shows you understand the trade-offs.

If you can find ways to make strategic work fit into their current reality—phased implementation, leveraging existing resources, aligning with compliance requirements—you make it easier for them to say yes.

How to Communicate Effectively

Understand their constraints before you ask for things. Budget cycle timing. Current incidents or pressures. Political relationships. Compliance deadlines. What they’ve already committed to.

Frame proposals in business terms. Not just technical security improvement—impact on risk, compliance, customer trust, operational resilience. The things they have to report on.

Be realistic about scope and resources. Don’t propose things that require conditions that don’t exist. Propose things that can actually be accomplished.

Articulate measurable outcomes. How will you demonstrate that this work achieved something? What metrics or evidence will show progress?

Align with their known priorities. If they’re focused on third-party risk, propose work that addresses that. If they’re focused on compliance, connect your work to compliance requirements.

Bring solutions, not just problems. They already know there are risks everywhere. If you’re bringing them a problem, bring at least one realistic option for addressing it.

Pick your battles. Don’t escalate everything. Don’t ask them to fight for everything. Reserve that for things that genuinely matter.

Help them manage up. If your work produces something they can show their boss or the board, make that easy. Give them the summary, the metrics, the explanation that they can use.

What This Isn’t

This isn’t about being political in a manipulative sense. It’s about being effective.

Your CISO has constraints and pressures that shape what they can realistically accomplish. Understanding those constraints helps you propose work in ways that are more likely to succeed.

It’s about communicating in terms they care about, aligning with their priorities, and being realistic about what’s achievable. That’s not manipulation—that’s basic organizational effectiveness.

Practical Takeaways

Your CISO’s priorities are shaped by what their leadership cares about. Understand the board and executive pressures they’re managing.

Compliance work gets prioritized because it has deadlines and consequences. Connect your proposals to compliance requirements when possible.

Recent incidents drive priorities. Work that addresses similar risks gets easier approval.

Resource constraints are real. Propose work that fits within realistic budget, staffing, and organizational capacity.

Understand what risks they’re actually worried about, not just what’s in the formal risk assessment.

Measurable work gets funded more easily. Articulate how success will be demonstrated.

Political capital is finite. Don’t ask them to fight for everything. Be selective about what you escalate.

Frame proposals in business terms with clear outcomes. Make it easy for them to say yes.

Help them manage up. If your work produces board-reportable results, make those easy to communicate.

Read the room. Understand what they’re actually able to focus on versus what they wish they could focus on.
