One of the hardest lessons I've had to learn as a CISO is to stop caring so much about security. This is a hard lesson to learn and it's the reason why many security engineers tend to struggle in the role.
Security engineers care about security. That's why we all got into security in the first place. Things should be secure—secure all the things!
Except that's 10000000% not your job as a CISO. This can be confusing, frustrating, and lead to burnout for those unable to adapt to the role. Your job as CISO is not to maximize security.
I will say that again really slowly and extra loud for those in the back: Your job as CISO is not to maximize security.
Your job as CISO is to help maximize profit for your employer while minimizing financial risks caused by security issues.
Your job as CISO is to dance the fine line between secure and insecure—what's the least amount of money and time we can spend on security in order to keep the business profitable and agile?
Your job as CISO is to serve the business, not run the business.
This is an entirely different skill compared to any defensive or offensive security work that you've done in the past.
"Can I pop a shell?" Probably. Job well done.
"Can I max out my defensive security for this app / system / what have you?" Probably. You'll hit limits but doing the basics can be incredibly effective. And ultimately you have a boss making the decisions about how you should spend your time.
But as a CISO, you are the boss. How large should the security team be? How should they spend their time? How do you prioritize scarce resources to mitigate the most risk for the least money (your Security ROI)? And is the remaining residual risk acceptable to the execs?
How much money and time should you spend on security risk management, anyway?
The answer to that question is different for every single company. In some crowded, more traditional verticals you can copy/paste a little between companies. But in new spaces—like cryptocurrency—a good CISO has to re-evaluate everything they thought they knew and build from the ground up from first principles.
Bottom line: A CISO is a business leader, not (just) an engineering manager. You have to care about security. Of course you do.
Just not too much.