Why the 'CISO's Dilemma' Presents a Choice Between Absorbing Risk and Building Influence

AI Data Press - News Team | November 5, 2025

Juniper Networks' CISO Drew Simonis explains why a new partnership model is already offering security leaders a more sustainable path to success.


Key Points

  • While most CISOs burn out from absorbing deflected cyber risk, a new approach is already offering a more sustainable path to success.

  • Drew Simonis, CISO at Juniper Networks, explains why security leaders often must decide between the toxic path of becoming a "risk magnet" and the healthy path of "risk enablement."

  • In this partnership model, CISOs use storytelling and relationship-building to earn trust, which allows them to build genuine C-suite authority over time.

The CISO role is still a bit of a 'Heisman.' Some C-suite leaders are starting to recognize that they might have a problem. But still, I don't think they see it as their problem.

Drew Simonis

Chief Information Security Officer
Juniper Networks


When other leaders deflect accountability for cyber risk, most CISOs face a choice: build a lasting career through influence or burn out. Ransomware and high-profile breaches might make cybersecurity a familiar topic in the boardroom, but that awareness rarely translates into genuine ownership.

For an expert's take, we spoke with Drew Simonis, Chief Information Security Officer at Juniper Networks and a seasoned cybersecurity executive helping Juniper's transition into the HPE ecosystem after its recent acquisition. With experience leading global security programs at major technology and insurance firms, including CISO and Vice President-level positions at Hewlett Packard Enterprise and Willis, Simonis has a long history with the CISO's dilemma. From his perspective, the blame falls squarely on an accountability vacuum at the top.

"The CISO role is still a bit of a 'Heisman.' Some C-suite leaders are starting to recognize that they might have a problem. But still, I don't think they see it as their problem," Simonis says. Meanwhile, other leaders outsource risk to the cyber team without providing the investment to manage it. Eventually, that deflection creates a "catch-22." In this environment, the CISO's choice is everything, he explains.

  • A real bear trap: The unhealthy path is to become a "risk magnet" by absorbing accountability from others, Simonis continues. "CISOs on the toxic path build an environment within which they cannot be successful. It's a real bear trap, and they stick their own foot in it." According to Simonis, this misguided play for importance often contributes to the short tenure for which the position is known.

  • For you vs. with you: Meanwhile, the healthy path requires a fundamental shift in approach that enables the business to manage its own risk. "The difference is between the toxic, 'I will manage your risk for you,' and the healthy, 'I will help you manage your risk better,'" Simonis says.

Because external enforcement is often lacking, the CISO's ability to build influence from within becomes the primary engine for change. "In heavily regulated places, companies don't have a choice. There's a compelling factor that makes them not just aware, but also engaged. Where that factor is lacking, accountability is grossly lacking," Simonis explains.

  • A shrug from shareholders: But with regulators and even shareholders frequently failing to drive accountability, the CISO must create that momentum internally. "We're being more transparent with shareholders through disclosure, and they're shrugging their shoulders. So I don't know what's going to change these circumstances to drive that accountability."

Now, the disruptive force of AI is adding more strain to this already fragile system, Simonis explains. Poised to act as an accelerant, the technology threatens to strain the "baling wire and bubble gum" that holds many enterprise systems together, he cautions.

  • Just a vanity 'C': Compounding the pressure is the reality that the CISO role is often still new and ill-defined—especially compared to an established position like the CFO. "CISOs get frustrated. They look at the 'C' in their title and think it's real, when for many companies, it starts off as a vanity title that you have to grow into."

But the frustration of holding a title without inherent power is what can tempt CISOs down the toxic path, Simonis explains. In his experience, the solution is to think more like a partner than a manager. It's precisely the type of human-centric approach that's vital when environments are fundamentally unpredictable, he says. "We're not dealing with deterministic systems like in the IT world," he says. "In the cyber world, the adversary gets a vote. You have another person who's smart, motivated, well-resourced, and determined to be successful. That's what makes that area gray—the uncertainty that an intelligent adversary creates."

However, most CISOs cannot simply command the authority needed to match their immense accountability overnight. Instead, success depends on building lasting influence through genuine partnerships, Simonis concludes. "You have to go through a maturity phase of storytelling and relationship building. As you demonstrate to people that you understand the problem and can deliver valuable solutions, they will begin to trust you with greater authority. You can't just go in expecting to grab it. You've gotta earn it."