Key Takeaways

  • “Earn a seat at the table” is the most damaging advice in modern CISO leadership.
  • CISO tenure averages 18 to 36 months because the role demands operator-level accountability while requiring CISOs to trade away their outsider perspective.
  • Domain expertise creates blind spots that only outsider perspective can reveal.
  • Security frameworks have been hollowed out by the same institutional capture that ended design thinking.
  • Practitioner-first leadership is the operational defense against synthetic-human fraud, not a leadership philosophy.

The single most repeated piece of advice in security leadership is also the one doing the most damage to the profession.

Earn your seat at the table. Become a business translator. Integrate into the operator class.

The CISOs who follow that advice end up burned out, legally exposed, and stuck in five-jobs-in-one roles with 18-month tenures.

Let me be clear: the advice isn’t failing because security leaders aren’t executing on it well enough. The professionals I know are some of the hardest-working people in the industry, putting in overtime and sacrificing their work/life balance. At the root of it, the advice is the problem.

The consensus is uniform

Open any 2026 piece on the evolving CISO role and the prescription is identical. CSO Online’s January piece on the skills CISOs need to master centers on being a “business translator.” Phil Venables’s CISO 2.0 framing describes the CISO evolving into a peer business executive alongside the CIO and other leadership. CFO.com and Vantedge Search both position the modern CISO as an emerging “enterprise operator” with authority over product velocity and capital deployment. Pentera’s framing is the same. Every advisory voice in the industry is selling the same instruction set: become more like the executives you report alongside, speak their language fluently, get inside their decisions, earn the right to be in the room when capital and product calls are made.

This is not a fringe view or a hot take. It’s the industry expectation playing on a loop, and once you see the pattern, you can’t unsee the opening it presents.

The symptoms the consensus can’t explain

The same publications selling the “earn your seat” advice are the ones reporting that the CISO role is in crisis.

Computer Weekly puts the average CISO tenure between 18 months and three years. The C-suite average is over five. Pentera’s recent numbers put it at 24 months. The role is now described, in Computer Weekly’s own framing, as five jobs in one. By widely cited estimates, roughly 60 percent of CISO time goes to compliance work, leaving 40 percent for actual security. The Sullivan-at-Uber and Brown-at-SolarWinds prosecutions have crystallized what GovInfoSecurity called, in March, “the era of the Fall Guy,” where regulators seeking to file charges look for the person who signed the attestation, and that person is the CISO.

ISMG’s coverage of the liability shift is the cleanest single source on what this is doing to the role day-to-day. CISOs increasingly spend more time with general counsel than with engineering. The role’s primary function has begun to drift from defending the network to defending a career under legal scrutiny.

Better leadership coaching won’t solve these because they’re not isolated problems. They’re the predictable outputs of a role that has been told, for fifteen years, to integrate into the operator class while remaining personally accountable for the operator class’s risk decisions. If you look at it closely, this is an inverted incentive structure disguised as helpful career advice. That’s not a sustainable role design, and it ultimately hurts the very profession we’ve spent our careers building.

The trap

Here’s what the consensus advice is actually asking the CISO to do.

Take on operator-level accountability while keeping outsider-level authority. Integrate into the speed-first culture so you can have influence over its decisions. Become fluent enough in the operator’s incentives that you stop being able to see what the operator can’t see. Earn the seat by demonstrating you no longer need the perspective that earned you the seat in the first place.

That’s asking a lot of one person. Maybe too much.

CISOs are expected to carry the unique security perspective that makes them necessary to the businesses they protect, while simultaneously integrating so deeply into operator culture that the perspective itself starts to fade. The accountability stays. That’s the trap. And it’s built into the advice.

I’m a Field CISO precisely because the in-house version of this role has been structurally pushed into a position no individual leader can sustainably occupy. I wrote about this in Practitioner First. The deeper point I want to make here is that the Field CISO function exists at all because the in-house version of the role has lost its practitioner footing. That’s a symptom of the broader profession.

What the research actually says about outsider perspective

There’s research on this that the security leadership discourse has almost entirely ignored.

A study referenced in MIT Sloan Management Review’s piece on outsider perspectives makes the point concretely. Researchers gave separate groups of carpenters, roofers, and in-line skaters the same set of design problems: improve the carpenter’s respirator mask, the roofer’s safety belt, and the skater’s kneepad. Each group was significantly better at solving the others’ problems than their own. The carpenter saw the kneepad problem the skater could not see. The skater saw the safety belt problem the roofer could not see. Domain expertise creates blind spots that only outsider perspective can reveal.

This is how human cognition works. And it tells you exactly what the most useful CISO looks like: someone who maintains practitioner distance from the operator class while investing serious cognitive effort in understanding what the operators are trying to do. That combination is what produces breakthrough security insight. It’s not what the consensus advice produces. The consensus advice produces well-integrated insiders who can no longer see the kneepad problem.

What practitioner-first leadership actually provides

The deepfake threat data that began accumulating in earnest a few years ago makes the operational stakes of all this concrete. The Hong Kong deepfake video conference fraud against the engineering firm Arup cost it the equivalent of HK$200 million in 2024. The FBI has issued explicit public warnings on deepfake CEO fraud as one of the fastest-growing financial crime categories targeting US enterprises. NCC Group has demonstrated real-time voice cloning vishing in production-grade form. Deepfake-as-a-Service is now a commercial category that mirrors Ransomware-as-a-Service in business model.

These threats aren’t running ahead of security frameworks because the frameworks are out of date. They’re running ahead because the frameworks were optimized for the operator’s view of normal, and the new threat category specifically exploits what the operator’s view can’t see. Static identity controls. Compliance dashboards. Posture-based attestations. All of these are insider artifacts. They describe what the organization believes is true about itself. They don’t describe what is actually happening at runtime.

This is the same institutional capture that hollowed out design thinking a decade ago. Frameworks promised centrality. They delivered ceremony.

The defense isn’t better insider artifacts. The defense is the practitioner perspective itself. Threats like these get past frameworks because frameworks weren’t built to catch them. They get caught by leaders who can still see what an insider can’t, who haven’t traded the outsider view for a seat. The CISO at the top of their game is what stands between an organization and the next variant of these threats. Practitioner-first leadership isn’t a philosophy. It’s a defense.

The bridge

The Field CISO role exists for a structural reason. In-house CISOs have been so thoroughly absorbed into the operator class that someone from outside now has to do the practitioner work the in-house role used to do. Practitioner First made the case for how the Field CISO version of that work should be structured. The case I want to make here is broader.

The fix isn’t to keep building external workarounds for a role that has lost its practitioner footing. The fix is to give the role its footing back. To stop treating the seat at the table as the goal and start treating practitioner distance as the asset it actually is. To recognize that the most useful security leaders are the ones who refuse the integration trade, even when offered the seat.

The advice has been wrong for fifteen years. The symptoms have been visible for at least ten. The data makes it all visible; the carpenter cannot see the kneepad problem.

It’s time security leadership took its outsider perspective back.