Step Into the Boardroom: How CISOs Can Lead the Business, Not Just Defend It
The boardroom isn’t a reward for survival—it’s the next arena for strategic cybersecurity leadership.
I watched George Kurtz deliver one of the most pointed keynotes at RSA this year, and it hit on something I’ve been thinking about for a while:
CISOs are being called into the boardroom—but most haven’t been prepared to lead once they get there.
George didn’t mince words.
He drew a direct parallel to what happened after Sarbanes-Oxley in 2002. That law redefined board composition and pushed CFOs into positions of real power. Today, the SEC’s cybersecurity disclosure rules are setting up a similar moment for CISOs.
We’re living through the early stages of a structural shift.
Cyber risk is no longer a side conversation about firewalls and phishing. It’s a strategic governance issue. A financial risk. A leadership mandate.
But here’s the tension I keep seeing:
Boards are waking up. CISOs are burning out. And the system that should help them evolve doesn’t exist yet.
CISOs Are Caught Between Two Worlds
Most CISOs I talk to are incredibly capable. They’ve built world-class programs, handled breaches under pressure, and know their environments inside and out.
But that’s not the same thing as board readiness.
Boardrooms operate on different frequencies:
They speak the language of risk, return, and legal exposure.
They focus on outcomes over effort.
They expect strategic presence, not operational reporting.
When a CISO walks into that room with technical slides or dashboards filled with metrics no one understands, the disconnect is real. It’s not a failure of talent—it’s a failure of translation.
We’ve spent decades training CISOs to be world-class defenders.
But we haven’t given them the tools to be recognized as business leaders.
The Problem Isn’t the CISO. It’s the Operating System Around Them.
George talked about how only 29% of boards have cyber expertise, even though 72% say they want it. That stat sounds like a skills gap. It’s actually a systems gap.
There’s no consistent way for CISOs to:
Understand how boards see risk, finance, and governance.
Evaluate their own leadership readiness across non-technical dimensions.
Communicate their value in terms the board will act on.
And without that, we’re back in the same loop:
CISOs give presentations. Boards listen politely. Nothing changes.
Or worse—when a seat does open up, it goes to someone else. Someone with less cyber depth but more board fluency.
What We Need: A New Model for Strategic Cyber Leadership
This is where I’ve been focusing my energy over the past year—trying to design a system that helps CISOs break out of the tactical trap and step into the strategic role they’ve earned.
I call it Strategic Performance Intelligence (SPI), and it’s built around a simple premise:
You can’t lead what you can’t measure—and you can’t elevate what you can’t communicate.
SPI helps CISOs evaluate their performance across four domains:
Strategy. Governance. People. Technology.
Not just tools and controls—but alignment, decision-making, culture, and leadership.
It’s not a dashboard. It’s a leadership framework.
And it’s designed to help CISOs:
Understand how their work connects to board priorities,
See where they’re strong and where they need to evolve,
And communicate the value of cybersecurity in plain business terms.
Because no one gets handed a board seat. You have to earn it—and you have to be seen earning it in a language the board understands.
If You’re a CISO Reading This, You’re Probably Already Ahead
You’ve already made it through the fire.
What you need now is clarity, not chaos.
A structured way to grow—not just as a protector, but as a strategic operator.
We’re not going to solve this overnight. But the time to start is now.
Because in a few years, we’ll look back at this moment the way we look at Sarbanes-Oxley:
As the turning point.
The only question is—did we build the systems to help CISOs rise to meet it?
If this resonates with where you are—or where you’re heading—I dive deeper into this transformation in my upcoming book, The CISO On The Razor’s Edge. It’s available now for pre-order on Amazon.