Author’s Q&A: It’s high time for CISOs to start leading strategically — or risk being scapegoated

By Byron V. Acohido

The cybersecurity landscape has never moved faster — and the people tasked with defending it have never felt more exposed.

Today’s Chief Information Security Officers (CISOs) operate in a pressure cooker: responsible for protecting critical assets, expected to show up in the boardroom with fluency, yet rarely granted the authority, resources, or organizational alignment to succeed. Many burn out. Some are scapegoated. A few, as we’ve seen recently, face criminal charges.

And now comes the GenAI wave — flooding security vendors with new tools, but also disrupting organizational dynamics, blurring responsibility lines, and injecting fresh uncertainty into already fragile governance structures.

This is the backdrop for The CISO on the Razor’s Edge, a new book by Steve Tout, longtime identity strategist and advisor to Fortune 500 security leaders. It reads not as a how-to manual, but as a diagnosis of systemic design failure — and a blueprint for recovery. Tout introduces Strategic Performance Intelligence (SPI) as an operating model to help CISOs reclaim their influence, align cybersecurity with business outcomes, and speak the language of decision-makers.

This isn’t another call for CISOs to “communicate better” or “get a seat at the table.” It’s an acknowledgment that the table itself is often rigged, and that rebuilding trust will take structural clarity — not more dashboards or playbooks.

I spoke with Steve to explore what pushed him to write this book now, how GenAI changes the game, and what security leaders must do to escape the scapegoat cycle.

LW: You frame the CISO role as “broken by design.” What convinced you that this wasn’t just a people problem — but a system design issue?

Tout: It started with patterns I kept hearing—from friends in the role, from guests on the Candid CISO podcast, and from consulting work. One friend joked it should be called Chief Scapegoat Officer, and he wasn’t wrong. The way accountability is structured, everything rolls downhill to one person, even when the real issues are baked into the system.

The deeper I looked, the more it became clear this wasn’t just about people—it was about priorities. Cybersecurity programs are operating inside organizations optimized for financial engineering and extracting shareholder value. That’s not inherently wrong, but it pushes security into a compliance role, limits long-term thinking, and creates conditions where the CISO becomes disposable. It’s not a people problem. It’s a structural one.

LW: SPI 360 is a central concept in your book. Can you briefly explain what makes Strategic Performance Intelligence different from current governance, risk and compliance (GRC) or dashboard approaches?

Tout: I’m a long-distance runner—I run ultramarathons—and one thing I’ve learned is that multiple factors play a role in my performance on any given day. There’s an app on my watch that can track over 600 data points. That inspired me to think differently about how we track human performance in cybersecurity.

SPI 360 is different because it doesn’t just monitor tech. It looks at environment variables—team health, leadership alignment, gaps between strategy and execution. Things SIEMs and GRC dashboards can’t see, because log files don’t tell the whole story, and nearly every tool in this space is obsessed with the [log files] tech stack. But humans play a critical role in outcomes. Strava and my “marathon readiness” score were big inspirations. We have a huge opportunity to do this better.

There’s a saying in the running community: “If it’s not on Strava, it didn’t happen.” It’s cute when we say that about our runs. But in cybersecurity, it points to something deeper. We need to move beyond raw data and start generating meaningful insight that leaders can actually act on. That’s what SPI 360 is designed to deliver.

LW: You make a strong case that cybersecurity has become a “strategic function without a strategy.” What role should boards and CEOs play in fixing that?

Tout: Thank you. Unfortunately, I’m seeing more cases where the CISO is quietly replaced by a “Head of Cybersecurity” with a mandate to manage risk and compliance. Maybe that works outside of public companies, but it’s often just a way to downgrade the role into something purely technical. These heads tend to lack T-shaped skills—no financial discipline, limited leadership experience, and little to no board exposure.

Removing the CISO is one response, but someone still has to lead. My guidance? Invest in leadership development for technical CISOs—and stop treating them like the lone line of defense. Build shared accountability across the C-suite. The next wave of CISOs may have less technical depth, but they’ll bring business fluency, influence, and the ability to link cybersecurity to real outcomes.

LW: GenAI is moving fast — in both attack surface and tooling. How does agentic AI reshape the challenges (or opportunities) for the next-gen CISO?

Tout: Agentic AI is absolutely a force multiplier—on both sides. It’s already making life harder for CISOs by accelerating everything for cybercriminals and nation-state actors. Defense use cases like chaos modeling, monitoring, and pen testing are no-brainers. But the more interesting opportunity is where agentic AI fills gaps most teams just can’t staff.

Take a CISO without a dedicated GRC analyst. An agentic system can now surface system-level risks, track performance across business units, and provide insight—without hiring a full-time employee. A vCISO supporting multiple orgs can finally get visibility without assuming full-time liability or overextending bandwidth. I don’t think AI agents replace CISOs anytime soon, but I do think they give lean teams a real shot at higher performance.

It’s not about replacing leadership. It’s about amplifying it—especially in places where resource constraints and complexity have been holding teams back. The smart move is to keep a human in the loop and let AI handle the scale.

LW: You cite high-profile security leaders who’ve been scapegoated. How should CISOs prepare themselves — contractually and strategically — to avoid being next?

Tout: Perfect question—and a timely one. I’m seeing more interest in vCISO roles where leaders come in as contractors with their own liability insurance and enable business transformation without putting their career on the line. That model gives organizations flexibility and gives CISOs some breathing room. But for full-time roles, I think more CISOs need to approach the job like executives—with an eye toward negotiation, shared goals and liabilities, and radical transparency. SPI can help support that transparency by making the invisible parts of the system visible and measurable.

I also believe there’s a bigger conversation to be had around protections—maybe even a cybersecurity equivalent of Sarbanes-Oxley, but we cannot wait for that. It’s not reasonable to ask CISOs to absorb the full weight of systemic, global threats like espionage or terrorism without structural safeguards. There’s still work to do on defining what that looks like.

LW: A recurring theme in the book is “strategic amnesia” — the tendency to forget hard lessons after each crisis. Why does this keep happening?

Tout: I’m sorry… What was the question again? Haha. Honestly, I believe it ties back to an obsession with technology, a fixation on risk and compliance, and the revolving door CISOs are constantly walking through. When the goal is surviving the quarter, there’s no incentive to remember what nearly broke the business last year.

Organizations that normalize heroics without investing in disciplined learning and development are playing a dangerous game. And no, I’m not talking about security awareness training. We could fix corporate amnesia overnight with the right strategic incentives—but that would require companies to stop managing cybersecurity like an expense and start managing it like a long-term investment.

LW: What’s one thing a CISO can do this quarter to begin shifting from tactical defense to strategic influence — without waiting for permission?

Tout: The one thing I’d say? Drop the “paranoid CISO” and “CISO burnout” talk track. It’s a familiar trap—and it’s not helping anyone. Everyone feels the pressure. Everyone’s stretched. But no one is coming to save you. At some point, we have to shift from survival mode to leadership mode. That starts with owning the role for what it is now—not what it used to be.

If you can’t show that your cybersecurity program is a real business enabler with measurable ROI, you’re asleep at the wheel. That might sound blunt, but it’s the job now. Boards aren’t looking for more dashboards or technical detail—they want outcomes, clarity, and a reason to trust that security is helping the business move forward, not just keeping it from falling apart.

Start by learning how business leaders think. Study how they use data to drive decisions. This isn’t about mastering finance or becoming a spreadsheet wizard—it’s about connecting the dots between what you do and why it matters. No one’s going to teach you this on the job. You’ve got to go seek it out. Because if you want to lead, you have to show that you’re already thinking like a leader.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Editor’s note: A machine assisted in creating this content. I used ChatGPT-4o to accelerate research, to scale correlations, to distill complex observations and to tighten structure, grammar, and syntax. The analysis and conclusions are entirely my own—drawn from lived experience and editorial judgment honed over decades of investigative reporting.)