From 4X CISO to CEO: What Leadership Looks Like Now

Andres Andreu reflecting on leadership lessons from moving from CISO to CEO

For years, I led from the seat of a Chief Information Security Officer (CISO). From 4X CISO to CEO.

As a CISO I learned “healthy paranoia”. I learned to see around corners. I learned to prepare for failure without becoming ruled by it. I learned that resilience is not a slogan, trust is not soft, and pressure reveals what an organization really is.

Then I became a CEO.

The title changed, but that was not the real transition. The real transition was this: the scoreboard changed.

Success means something very different now.

As a CISO, much of the job revolves around reducing downside. You protect value. You harden systems. You reduce exposure. You prepare for impact. Success often shows up as the absence of disaster.

As a CEO, that is nowhere near enough.

A CEO still has to manage downside. But the real job is broader and, frankly, harder. You have to create upside even when the upside is not obvious. You have to allocate capital, focus people, accelerate execution, build trust, and make the company stronger under pressure. You are no longer measured only by what you prevent. You are measured by what you build, what you compound, and whether the organization can win.

That shift has changed how I think about leadership.

It has not made me less disciplined. It has made me more complete.

Here are the lessons that came into focus for me in the move from CISO to CEO.

Protecting value and creating value are not the same job

Security leaders are trained to think in terms of exposure, controls, failure paths, and resilience. That training is valuable. In fact, in a volatile world, it is a serious leadership advantage. But …

The CEO role forces a wider lens.

You cannot lead a company by focusing only on what might break. You have to decide what deserves energy, capital, and conviction. You have to place bets. You have to define where the company will lead, where it will differentiate, and where it will refuse distraction. You also have to make the hard choices between protecting something and paving a path to new revenue.

That is a major shift.

A CISO protects value.

A CEO creates, compounds, and defends value.

The distinction matters because it changes the posture of leadership. It moves you from preservation alone to purposeful construction.

Risk is only part of the story

For a long time, one of the most important questions in my world was: What could go wrong?

That question still matters. It always will.

But CEOs have to ask a broader set of questions:

What are we building?
What are we solving?
What are we choosing not to do?
Where are we underinvesting?
What will matter six quarters from now, not just six weeks from now?

This is where many leaders get trapped. They confuse awareness of risk with clarity of direction.

These are not the same.

A company can become highly fluent in threat, friction, and constraints and still fail to move. It can become excellent at discussing complexity and poor at converting that complexity into action.

The CEO’s job is not to eliminate uncertainty. The CEO’s job is to move the organization through uncertainty with judgment.

That is a different discipline.

Capital allocation spells truth

One of the clearest lessons of becoming CEO is that strategy sounds impressive in slides but reveals itself in budgets.

Capital allocation exposes the truth.

You can say innovation matters. But if you do not invest in data quality, operating discipline, and workflow redesign, then innovation does not really matter.

You can say trust matters. But if you underfund execution, transparency, and customer experience, then trust does not really matter either.

You can say growth matters. But if priorities are bloated, ownership is vague, and friction is tolerated, then growth is a cheap talking point.

This is one of the hardest truths in leadership: strategy is not what you announce. Strategy is what you consistently fund, reinforce, and protect.

The CEO sees that more directly than anyone else.

Money is not just a resource. It is a declaration of belief.

Clarity scales better than intensity

Earlier in my career, I thought strong leadership often meant pushing harder, doing more, leading in very visible form.

I no longer believe that.

Strong leadership now means clarifying faster.

Companies do not scale on intensity alone. They scale on clarity. They scale when people know what matters, who you are selling to, who owns what, how decisions get made, what good looks like, and what deserves to be ignored.

Intensity without clarity creates motion, not momentum.

This becomes even more important at the CEO level because ambiguity compounds as it moves through the organization. A vague executive statement becomes a confused team priority. A confused priority becomes wasted time. Wasted time becomes operating drag. Operating drag becomes missed expectations.

That is why clarity is not just a communication skill. It is an operating advantage.

The larger the company, the more expensive vague leadership becomes. But it also takes longer to unearth that type of situation. In smaller companies, vague leadership exposes itself much more quickly because there are fewer buffers.

Trust is not soft. Trust is throughput.

Too many leaders still talk about trust as if it belongs in the category of culture alone.

It does not.

Trust affects speed. Trust affects execution. Trust affects retention. Trust affects customer confidence. Trust affects whether people escalate intelligently or defensively. Trust affects whether hard truths surface early or get buried until they become an expensive burden.

In low-trust environments, everything takes longer. People protect themselves. Decisions loop slowly. Teams revisit the same conversations. Energy leaks everywhere. Indecision reigns.

In high-trust environments, accountability gets stronger, not weaker. Standards become easier to uphold because intent is clearer and friction is lower.

This is one of the biggest mindset expansions I have had as a CEO.

Trust is not theater.

Trust is infrastructure.

And in many organizations, it is the hidden variable behind execution quality.

Resilience matters more than compliance

Compliance matters. It builds baseline discipline. It creates structure. It can improve consistency.

But compliance is not the same as resilience.

A compliant company can still be fragile.

A resilient company absorbs pressure without losing direction. It adapts when conditions change. It makes decisions based on imperfect and/or incomplete information. It keeps operating even when the environment turns hostile.

That distinction matters now more than ever.

The modern business environment does not reward organizations simply for looking prepared. It rewards organizations that can keep moving when things break.

This is where my years in security still shape me deeply. I know what fragility looks like. I know how fast confidence erodes when stress exposes weak assumptions. I know the difference between a control that looks good and a capability that holds.

As CEO, that lesson only became more important.

Build for the test, not just the audit.

The CEO’s steadiness becomes part of the operating model

This may be the most personal lesson of all.

The CEO carries more than accountability. The CEO carries signal.

The ecosystem around you (employees, the board, investors, peer CEOs, partners, customers) watches how you process. How you process pressure. How you process the sea of bad news with the sprinkle of good here and there. They watch how you handle incomplete information, mixed results, difficult tradeoffs, and external noise. They watch your tone when momentum slows. They watch your posture when the answer is not obvious.

This does not mean a CEO needs to project false certainty.

It does mean the CEO has to project steadiness.

And do so irrespective of what is at hand. That steadiness matters because organizations borrow emotional direction from leadership. When the environment is noisy and/or unsteady, the CEO helps determine whether the company becomes reactive, distracted, disciplined, or resolved.

That is not abstract leadership philosophy. It’s not a textbook principle taught in business school. That is operational reality.

Steadiness preserves focus. Focus preserves execution. Execution preserves trust.

In the end, leadership is not about being right. It is about steering the organization towards an outcome, making sure employees stay oriented while the organization works through challenges and hurdles.

Security-Centric Steadiness

Security teams alone cannot secure a company from threats. The company’s organizational culture, risk tolerance, and investments are defined collectively by leadership; in many organizations this means a roll-up to the CEO. It is ultimately the CEO’s responsibility to:

  1. Set the tone (organizational culture): if the CEO treats security as a priority, it permeates the entire organization. If neglected, it breeds a relaxed, vulnerable afterthought culture.
  2. Define risk tolerance: the CEO must decide what level of risk is acceptable and where to invest in defense, rather than assuming the CISO can stop 100% of attacks alone. This is a challenge, as a lot of CEOs, for the sake of self-preservation, shy away from explicitly taking a stance on risk. Even if a CEO isn’t signing an acceptance/rejection of risk, they can define tolerance levels.
  3. Create cross-functional alignment: silos break down because of force from the top; IT, Legal, HR, and Operations work together to protect the company when that mandate comes from the CEO.

What I carried with me from the CISO seat

I did not leave my CISO instincts behind when I became CEO.

I feel I brought the best of them with me.

I still believe in disciplined thinking.
I still believe in resilience under pressure.
I still believe in asking hard questions early.
I still believe that trust takes years to build and minutes to lose.
I still believe leaders should prepare for failure without becoming defined by fear.

But the CEO role forced me to widen the aperture.

The mission is no longer only to defend the enterprise.

The mission is to build an enterprise that can win.

That means creating trust, not just protecting it. It means creating momentum, not just preventing disruption. It means turning discipline into direction, and direction into execution.

That is the real shift.

Final thought

Going from a 4X CISO to CEO did not make me think less about security. It made me think more completely about leadership. I still believe the best leaders see the angles and see around corners. Now, I also believe they have to be able to build through those angles and corners.
