Most CISOs Don’t Have a Capability Gap: They Have an Influence Gap
There was no such thing as a CFO until the 1970s.
Before that, there was a financial manager. They were accurate, reliable, and largely absent from strategic decisions.
Then business got more complex: regulation, inflation, M&A, shareholder pressure.
Boards didn’t need better accountants.
They needed someone who could translate complexity into decisions, frame risk in terms a CEO could act on, and build the relationships that moved capital.
The CFO wasn’t an upgrade. It was a different kind of leader.
That distinction matters because the word chief signals something more specific: enterprise-wide accountability, influence across functions, proximity to consequential decisions, and the authority to shape organisational direction.
Historically, finance leaders were valued for control, accuracy, and stewardship. But as capital markets became more complex in the 1970s and 1980s, the CFO role evolved from operational finance management into a strategic executive position focused on capital allocation, shareholder value, and corporate direction.
Earlier CFOs were often viewed as tactical “bean-counting” operators. Today, the role is expected to help shape enterprise direction, influence strategy, lead transformation, and communicate risk and performance in terms the board and CEO can act on. It is increasingly a role defined by leading transformation rather than simply managing reporting.
“Chief” came to imply stewardship not just of a function, but of organisational outcomes.
The CISO is going through a similar shift.
But many are still operating in an earlier version of the role.
Yes, structure matters. Many CISOs don’t control budget, don’t always sit close to the board, and are still positioned as technical leaders.
But expectations have already moved.
The Hitch Partners 2026 Global CISO Benchmark Report found that 69% of CISOs now justify security budgets through business impact, overtaking the 49% who still lead with compliance avoidance. The framing has shifted from "cost of doing business" to "enabler of business outcomes."
The signal is clear.
You can see the gap in practice:
- Risk is understood, but not prioritised
- Funding is agreed, but not sustained
- A breach happens, and decisions happen around you
In most organisations, none of these are visibility problems. They are influence problems that show up differently depending on the leader.
And most leaders don’t see the gap until it appears in decisions they’re not part of.
This is the shift: not more technical depth, but a different kind of leadership.
Because “chief” increasingly implies the ability to:
- Shape enterprise priorities, not just functional activity
- Translate specialist risk into business trade-offs
- Influence decisions without relying on formal authority
- Build alignment across competing executive agendas
- Carry credibility beyond your technical domain
That is fundamentally different from being the organisation’s most knowledgeable security practitioner. And most leaders are never explicitly shown what that shift looks like in practice.
It requires a measurable shift in how influence is built, applied, and expanded over time.
The Influence Curve shows your current level of influence and where it needs to be if the role continues to move in the direction it is already going.
If you had to choose: what’s the one non-technical capability that would change your impact in the next 12 months?
Take the Influence Curve Assessment. It takes two minutes and shows you exactly where your influence sits today, and what the shift to "chief" actually requires.
Best regards, Brian