Constantly Explaining What You Do Is Part of Your Job as a CISO
What do you do, exactly? And what is all that money for, anyway?
Law. Finance. Cybersecurity.
These are the three major risk centers for most modern corporations. Each has (or should have) an executive risk manager—General Counsel (Law), CFO (Finance), CISO (Cybersecurity).
But law and finance are both disciplines that are thousands of years old. Nobody goes around asking questions like "so what does our head lawyer do all day long, anyway?"
Cybersecurity, on the other hand, is at most a quarter of a century old as a civilian discipline. As a result, the field is poorly understood.
It will take at least another generation, or possibly two, for cybersecurity to achieve a similar normative status in corporate governance as law and finance. I'll be dead before that happens, and you probably will be too.
So what does that mean, in pragmatic terms?
Being an effective CISO means constantly explaining what you do, why you do it, how you do it, and what you are spending money on.
There's no point being defensive about it—that's just counterproductive. Other executives and rank-and-file employees can't work with you if they don't understand what you do.
And no, appeals to authority are not as effective as pursuing a strategy of shared understanding. Employees who grudgingly do the minimum will do it badly, and executives of equal or senior rank don't have to do what you tell them.
In fact, the CISO almost never has any meaningful executive power at all. Which means driving security change and maintaining an effective risk management posture comes down to vision-driven leadership—and not just telling people what to do.
So we come back to where we began. Constantly explaining what you do is a core part of your job as a CISO. Technical skills are the foundation of technical leadership, but without communication skills and a head for business, a CISO cannot effectively thread the needle of managing security risk and supporting a high-velocity business at the same time.