Leading Through Transformation as a CISO
Most organizations believe they are transforming cybersecurity. In reality, many are simply accelerating complexity and chaos faster than their leadership can govern it.
By Eckhart Mehler for CISOsCISO — a perspective on cybersecurity leadership, governance and the decisions that determine whether organizations retain control.
Cybersecurity Stops Being Technical When Complexity Begins
Most organizations still manage cybersecurity as if every problem were, at its core, technical.
Some are.
Many are not.
That distinction matters more than most boards realize. Because cybersecurity problems do not all belong to the same category. Some are complicated. Others are complex. And in critical moments, organizations suddenly enter chaos.
Each environment requires a fundamentally different form of leadership.
A CISO who treats all three environments the same will eventually fail — not because of a lack of technical expertise, but because technical expertise alone is not enough when uncertainty, organizational behavior, politics, fear, incentives, and executive decision-making start shaping the real risk landscape.
This is one of the most important transformations in the CISO profession.
Cybersecurity does not stop being technical because technology becomes irrelevant. It stops being purely technical when complexity begins to dominate the system.
The Comfortable World of the Complicated
Complicated problems are difficult, but they are still understandable.
They can be analyzed. They can be decomposed. Experts can investigate them, model them, redesign them, optimize them, and improve them.
This is the world where cybersecurity has traditionally felt most at home.
Examples include IAM architectures, SAP authorization concepts, DNSSEC configurations, DDoS mitigation, SIEM tuning, cloud security architectures, network segmentation, vulnerability management, endpoint hardening, and logging strategies.
These are serious topics. They require experience, discipline, engineering judgment, and deep technical expertise.
But they are still, in principle, solvable.
You can bring in specialists. You can design a target architecture. You can identify deviations. You can implement controls. You can test effectiveness. You can measure progress.
In complicated environments, there is still a reassuring assumption: if we apply enough expertise, enough analysis, and enough structured effort, we can restore control.
And often, that assumption is correct.
This is why many organizations are relatively comfortable in the complicated domain. It fits existing management models. It fits project plans. It fits control catalogs. It fits maturity assessments. It fits procurement logic. It fits audit language.
A complicated problem may be hard, expensive, and politically inconvenient — but it remains recognizable.
The organization knows what kind of machine it is looking at.
Modern cybersecurity, however, increasingly operates outside that comfortable world.
Complexity Begins Where Human Behavior Starts Dominating Technology
Complexity begins when technology is no longer the primary source of unpredictability.
It appears when technology, politics, organizational culture, incentives, fear, leadership behavior, regulatory pressure, external dependencies, and uncertainty begin interacting faster than governance structures can stabilize them.
This is where many traditional security models start to weaken.
Because complex environments cannot simply be “solved.”
They must be understood, influenced, shaped, and continuously navigated.
Examples are easy to find in any large organization: security culture, AI adoption, shadow IT, international governance structures, cloud dependency, risk acceptance behavior, organizational resistance, CIO/CISO power struggles, fragmented security responsibilities, awareness effectiveness, data governance failures, executive denial, and the quiet normalization of exceptions.
These are not engineering problems in the classical sense.
They are socio-technical realities.
In complex systems, cause and effect often become visible only in hindsight. Small decisions can create disproportionate consequences. A local workaround can become a global operating model. A temporary exception can become permanent practice. A weak governance signal can reshape behavior across hundreds of teams.
And most importantly: human behavior becomes more important than technical architecture.
This is the point at which cybersecurity leadership changes.
Because a technically correct answer may still fail if the organization is not able, willing, or mature enough to act on it.
When Control Mechanisms Become Theater
Many security programs do not fail because people are careless or incompetent.
They fail because the organization applies control mechanisms designed for stable systems to environments that are adaptive, political, and unpredictable.
The visible result often looks professional.
There are policies. Dashboards. Awareness campaigns. KPIs. Certifications. Steering committees. Risk registers. Audit plans. Governance forums. Management reports.
On paper, the security system appears to be operating.
But underneath, the real risks continue to grow.
AI tools spread without a meaningful governance model. Cloud dependencies deepen without an exit strategy. Privileged access remains fragmented. Data classification exists as a document exercise but not as operational reality. Local exceptions accumulate. Critical dependencies are accepted without strategic discussion. Risk ownership becomes blurred. Committees discuss, but do not decide.
This is what I often call audit theater.
- Not because audits are useless. They are not.
- Not because policies are irrelevant. They are not.
- Not because certifications have no value. They do.
But because artifacts can begin to replace reality.
A dashboard can create the feeling that something is being managed. A certification can create the impression that security has been achieved. A committee can create the illusion that accountability exists. A policy can create the belief that behavior has changed.
In complex environments, this is dangerous.
Because the organization may become increasingly fluent in describing security while becoming less capable of actually changing risk.
The Role of the CISO Changes in Complex Environments
In complexity, the CISO is no longer primarily a controller of security controls.
That part of the role still exists. It remains important. But it is no longer sufficient.
The CISO becomes something else entirely.
An interpreter of weak signals.
A navigator through uncertainty.
A translator between technology and executive decision-making.
A challenger of comfortable narratives.
And often, the first person noticing where the organization is already losing agency.
This is not always visible work.
It happens when you recognize that accountability is becoming blurred before the organization has admitted it.
It happens when you see that decisions are being silently deferred into committees.
It happens when operational pressure overrides governance again and again until the exception becomes the model.
It happens when security ownership dissolves across departments, projects, vendors, and countries.
It happens when leadership starts believing that dashboards represent reality.
This work is much less technical than many assume.
It is organizational.
It is political.
It is psychological.
It is strategic.
And it rarely appears clearly in ISO control catalogs, security tool roadmaps, or annual audit plans.
Yet this is where many of the decisive risks of modern cybersecurity actually emerge.
The CISO as a Sensemaker
In a complicated environment, the CISO can ask: What is the problem, and which expertise do we need to solve it?
In a complex environment, the better question is: What is really happening here, and why is the organization behaving this way?
That is a different leadership posture.
It requires the CISO to look beyond incidents, vulnerabilities, and control gaps. It requires attention to patterns.
Where do exceptions accumulate?
Where are risks repeatedly accepted without visible ownership?
Where does IT optimize for delivery while governance assumes control exists?
Where does compliance produce evidence while operational reality remains unchanged?
Where do business units create shadow capabilities because official processes are too slow?
Where does the organization confuse responsibility with participation?
Where is everyone involved, but nobody accountable?
These are not side questions.
They are often the real questions.
Because cybersecurity risk in large organizations rarely grows only from missing controls. It grows from decision patterns. It grows from incentives. It grows from unclear mandates. It grows from governance fatigue. It grows from the gap between what leadership believes is happening and what is actually happening.
A mature CISO must be able to read that gap.
Then Chaos Arrives
Eventually, some organizations cross the line from complexity into chaos.
This can happen suddenly.
A ransomware crisis. An identity platform compromise. A major SAP outage. A geopolitical cyber event. A large-scale data leak. A coordinated DDoS campaign. An insider incident. A destructive cloud misconfiguration. An AI-driven disinformation attack. A supply chain compromise.
In chaos, the organization loses its ability to interpret the situation through normal structures.
Information becomes fragmented. Decisions become urgent. Communication becomes unstable. Senior leaders ask for certainty where none exists. Technical teams operate under pressure. Legal, communications, compliance, IT, business continuity, data protection, and executive management all enter the same crisis from different perspectives.
In that moment, analysis becomes secondary.
Not irrelevant — but secondary.
The first task is stabilization.
This is where many leadership models collapse.
Because governance workshops, reporting structures, escalation matrices, and carefully designed process documents suddenly become less important than one thing:
orientation.
People need to understand what is known, what is unknown, what must be decided now, what must wait, and who has authority to act.
Without orientation, organizations do not simply become slow.
They become reactive.
And in a cyber crisis, reactivity can become a second incident.
What a CISO Actually Does During Chaos
In chaotic situations, the role of the CISO becomes decisional rather than technical.
The CISO does not personally solve every technical problem. That would be impossible and usually counterproductive.
Instead, the CISO reduces uncertainty.
Creates temporary structure.
Prioritizes aggressively.
Forces decisions where ambiguity would otherwise paralyze the organization.
Coordinates fragmented realities.
Stabilizes communication.
Protects technical teams from political noise.
Prevents executives from either panicking or underreacting.
And translates a rapidly changing technical situation into decisions leadership can actually make.
Most importantly, the CISO absorbs uncertainty without transmitting it uncontrolled into the organization.
That may be one of the least discussed responsibilities of the role.
Organizations mirror leadership behavior during crises.
A nervous CISO creates nervous executives.
A reactive CISO creates a reactive organization.
A political CISO creates paralysis.
A purely technical CISO may drown leadership in detail while failing to create direction.
A mature CISO does something different.
They create enough clarity for the next decision.
Not perfect clarity. Not complete certainty. Not final truth.
Enough clarity to act responsibly.
In chaos, that is leadership.
Technical Excellence Is Still Necessary — But No Longer Enough
None of this means that technical competence has become less important.
The opposite is true.
A CISO who does not understand technology deeply enough will not be credible in complicated environments, will misread complexity, and will lose authority in chaos.
But technical excellence is no longer sufficient.
The modern CISO must be able to operate across three very different domains:
- In complicated environments, the CISO must ensure expertise, architecture, controls, and disciplined execution.
- In complex environments, the CISO must interpret behavior, shape governance, influence leadership, and expose hidden risk patterns.
- In chaotic environments, the CISO must stabilize decision-making under pressure.
These are not the same skills.
And they cannot be replaced by a tool, a framework, a certification, or a reporting dashboard.
This is why the profession has quietly changed.
Many organizations still believe they hired a technical security manager.
In reality, they increasingly need someone capable of stabilizing organizational decision-making under uncertainty.
That is no longer purely cybersecurity.
It is leadership under pressure.
Why Boards Often Misunderstand the CISO Role
Boards and executive teams often underestimate this transformation because they still view cybersecurity through a control lens.
They ask: Are we compliant? Are we certified? Are the findings closed? Are the risks documented? Are the dashboards green? Are the critical vulnerabilities decreasing? Are employees trained?
These questions are legitimate.
But they are not sufficient.
A more mature board would also ask:
- Where are we losing decision-making capability?
- Where are responsibilities fragmented?
- Which risks are growing beneath formal reporting?
- Where do our governance structures create delay instead of clarity?
- Which dependencies have become strategic constraints?
- Which exceptions have become normal?
- Where are we confusing evidence with effectiveness?
- Where does the organization no longer have the ability to say no?
These questions move cybersecurity from control management to executive reality.
They also change how the CISO is perceived.
Not as the person who owns all security risk.
That would be structurally wrong.
But as the person who helps the organization see, understand, and govern security risk before it becomes operationally, legally, or strategically irreversible.
The Transformation CISOs Must Lead
Leading in transformation does not mean constantly introducing new tools, new frameworks, or new programs.
Sometimes transformation means helping the organization understand what kind of problem it is actually facing.
Is this complicated?
Then bring expertise, structure, and execution.
Is this complex?
Then stop pretending that more policies alone will solve it. Look at incentives, behavior, power, culture, ownership, and decision patterns.
Is this chaotic?
Then stop searching for perfect analysis. Stabilize. Decide. Communicate. Contain. Reorient.
The mistake is not that organizations lack cybersecurity activity.
Most large organizations have plenty of activity.
The mistake is that they often apply the wrong leadership mode to the wrong environment.
- They respond to complexity with control catalogs.
- They respond to chaos with committees.
- They respond to cultural resistance with awareness campaigns.
- They respond to strategic dependency with technical architecture diagrams.
- They respond to accountability gaps with RACI matrices that nobody lives by.
This is how security programs become busy without becoming effective.
The CISO as a Leadership Function
The future of the CISO role will not be defined only by technical depth.
It will be defined by the ability to connect technical reality with organizational truth.
That means:
- Being able to speak with engineers without losing strategic perspective.
- Being able to challenge executives without becoming political.
- Being able to understand regulation without reducing security to compliance.
- Being able to use frameworks without hiding behind them.
- Being able to operate under pressure without transmitting panic.
- Being able to detect when an organization is not merely insecure, but losing agency.
This is the real leadership challenge.
Because cybersecurity is no longer just about protecting systems.
It is about protecting the organization’s ability to act, decide, recover, and remain trustworthy under conditions of uncertainty.
That is a much larger mandate than many organizations have admitted.
And it is exactly why the CISO profession is changing.
Quietly.
Structurally.
Irreversibly.
Final Thought
Cybersecurity remains technical in its instruments.
But it becomes strategic in its consequences.
It becomes organizational when human behavior determines whether controls work.
It becomes political when accountability, power, and incentives shape risk decisions.
It becomes psychological when fear, denial, and pressure influence leadership.
And it becomes existential when chaos arrives and the organization must still be able to act.
The mature CISO understands this transition.
Complicated problems require expertise.
Complex problems require sensemaking.
Chaotic situations require orientation.
And modern cybersecurity leadership requires all three.
That may be the most underestimated transformation happening in the CISO profession today.
Because the question is no longer whether the CISO understands cybersecurity.
The question is whether the organization understands what kind of leadership cybersecurity now requires.
Publication Note & Disclaimer
This article was originally published on LinkedIn on May 23, 2026 and may have been edited or updated for publication on this site.
It reflects my personal professional perspective and does not represent the official policy or position of my employer. Drafting and editorial refinement may have been supported by commercially available AI-assisted tools. The analysis, conclusions and final curation are entirely my own.