Some CISOs just suck.
Not because they don’t know security. Not because they aren’t smart. But because their egos have taken over. They’ve forgotten how to be decent, collaborative, self-aware human beings. The title went to their head. The influence got addictive. The attention from vendors, peers, and press inflated a sense of importance that has nothing to do with real leadership. And let’s be honest: Too many people are too afraid to call it out.
Well, here it is. I’m calling it out.
We’ve glamorized the role to the point where the worst behaviors are tolerated, even rewarded. CISOs who posture in every meeting, refuse to be challenged, hire only people who nod along, and treat vendor conversations like ego-feeding exercises are becoming more common, not less. I’ve been in this role. I’ve led programs. I’ve made hard calls and hard mistakes. But I’ve also had a front-row seat to this pattern, and I’m tired of watching us pretend it’s not happening.
Steve Hindle, CISO in residence at The CISO Society, put it bluntly when he said that “CISO egos are so fragile that personal liability insurance exists. Vendors worship them. The industry has given them platforms, and they’re not being checked.” He’s right. We’ve created a feedback loop that rewards title over substance, influence over integrity, and control over collaboration. The more a CISO postures, the more some people applaud.
How did we get here?
The market is partially to blame for how we’ve gotten here. The role exploded in visibility and demand. Salaries jumped. Everyone wanted a CISO on stage or on a panel. But while the job grew in importance, not everyone grew with it. As David B. Cross, CISO at Atlassian, put it, “Some people just want to be in control. Some are addicted to it. Others feel entitled because they’ve worked hard and think the world owes them.” That entitlement shows up everywhere, especially in how we treat others.
Let’s talk about how some CISOs treat vendors. I’ve watched CISOs act like tyrants in meetings. Dismissive. Condescending. Impossible to engage. And it’s not about vetting products or being skeptical; that’s our job. It’s about how some people genuinely enjoy making sales reps squirm. They treat meetings like games, with no intention of solving problems, just flexing power. Some turn it into a “gotcha” moment, waiting for a rep to slip up on a technical detail just so they can jump in, show off, and feel like the smartest person in the room.
And I’ll be honest, even as a fellow CISO, I’ve found it exhausting trying to talk to some of our peers. Sorry to my friends in Sales; you’re not imagining it. Some of us make it incredibly difficult to have a basic, respectful conversation. That’s not leadership. That’s insecurity wrapped in a title.
Adam Arellano, field CTO at Traceable, calls this “punk artist syndrome.” These CISOs act like they’re too cool, too principled, or too special to actually collaborate. He described it as “fragile masculinity wrapped in an image they don’t want to see fade.” And while it’s not just a male problem, let’s not pretend the pattern isn’t familiar.
The problem doesn’t stop at vendor interactions. It shows up inside their teams, too. Many CISOs don’t build leadership pipelines; they build echo chambers. They hire people who won’t challenge them. They micromanage strategy. They hoard influence. And they act surprised when innovation dries up or when great people leave. As Jadee Hanson, CISO at Vanta, put it, “Ego builds walls. True leadership builds trust. The best CISOs know the difference.” That distinction matters, especially when your team’s success depends on your ability to listen, adapt, and share the stage.
Andrew Wilder, CSO at Vetcor, summed it up clearly: “These guys need to stop hiring ‘Yes people.’ You want people to disagree with you. Absolute power corrupts absolutely.” And that’s not philosophy; it’s practical. Security needs friction. Debate. Context. If your whole team agrees with you, either you’re not leading or they’ve stopped trying.
Where do we go from here?
To put a stop to this, we need to stop pretending it's someone else's problem. We stop excusing toxic behavior just because someone carries the right title. And we stop treating leadership like it's an untouchable domain reserved for those with the loudest voices or the longest résumés.
This isn’t just about venting frustration; it’s about raising the bar.
Security isn’t just a technical function anymore. It’s a leadership discipline. And that means we need more than frameworks and certifications; we need a shared understanding of how CISOs should show up. Internally, externally, in boardrooms, and in the broader community.
That’s why I’m publishing this. Not because I have all the answers, but because the profession needs a new baseline. A new set of expectations. A standard we can hold ourselves, and each other, to. Not about compliance. About conduct. About how we lead.
What follows is the CISO Code of Conduct. It’s not a checklist, but a mindset. If you recognize yourself in it, good. If you don’t, maybe it’s time to ask why. Either way, this is the bar. Let’s hold it.
This isn’t a hit piece. It’s a challenge.
A lot of people in this space are trying to do the right thing. But there are also a lot of people hiding behind a title. If this article made you uncomfortable, that's fine. Maybe it should. Discomfort can be useful if you're willing to look at it head-on.
Let’s stop making excuses for bad behavior because someone has “CISO” in their title. Let’s hold each other accountable; not just for outcomes, but for how we get there. Let’s stop worshiping influence and start rewarding integrity.
Ditch the ego. Lead for real.