Five years ago, the Chief Information Security Officer never spoke to the press.
Today the CISO is named in SEC filings, fields calls from Bloomberg, and, in two high-profile cases, has been a personal defendant in a federal enforcement action.
The structural change is not partial. It is complete. The CISO has moved from an internal infrastructure role to an externally facing, personally accountable executive. And most CISOs have not been trained for the job they now hold.
The structural change
Three developments combined to redefine the role.
One. The SEC cybersecurity disclosure rules (in force December 2023). Item 1.05 of Form 8-K requires disclosure of a material cybersecurity incident within four business days of the materiality determination, and Item 106 of Regulation S-K requires the annual report to describe which management positions assess and manage cyber risk. The CISO is now a primary input into materiality determinations that are filed with the SEC and become part of the public record, and is usually identified in the 10-K governance disclosure even though another officer signs the filing. The CISO's name is attached, by attribution if not by signature, to filings that can move the stock price. See: The SEC 8-K Era.
Two. The SolarWinds enforcement action. In October 2023 the SEC charged SolarWinds and its CISO, Tim Brown, with securities fraud and internal control failures tied to the company's public statements about its security posture. In July 2024 the court dismissed most of the claims, including those based on internal accounting controls and on post-incident disclosures, but allowed the fraud claims based on the company's published Security Statement to proceed against both the company and Brown. That is the part that matters here: the claim that a CISO can be personally liable for public statements about security survived a motion to dismiss, and every CISO should now treat public security statements as statements a regulator may later test.
Three. The Uber/Joe Sullivan precedent. Uber's former CISO Joe Sullivan was convicted in October 2022 of obstruction of justice and misprision of a felony for concealing a 2016 breach from the FTC while the agency was actively investigating Uber's security practices. He was sentenced to three years of probation and a fine in May 2023. The case established that a CISO faces personal criminal exposure for breach concealment, and the aggravating fact was the open regulatory investigation: concealing the incident from an agency already asking questions is what turned a disclosure failure into obstruction.
The combined effect is that the CISO is now a named, accountable, public figure whose communications discipline has direct legal consequences.
What the role now requires
The CISO competency stack has expanded.
The traditional stack — technical security architecture, risk management, compliance — remains foundational. It has not been displaced. But two new legs have been added.
Regulatory communication. Direct engagement with the SEC, FTC, state regulators, and international authorities. Understanding of materiality standards, disclosure obligations, attorney-client privilege management, and the boundaries between forensic investigation and regulatory cooperation. Privilege is easy to lose in practice: a forensic report commissioned under a pre-existing business retainer and circulated to business teams has been held not privileged in breach litigation, so the decision of who engages the forensic firm, and who receives the report, has to be made before the first finding is written down.
Public communication. On-camera capability. Press briefing capability. Investor call capability. Board presentation capability under cross-examination conditions. Message discipline in adversarial settings.
Only the traditional leg appears in most CISO job descriptions, education programs, or hiring criteria. The two new legs are mostly absent from how the role gets filled and trained.
The training gap
Industry surveys consistently show that fewer than 15% of Fortune 500 CISOs have undergone formal media training. The percentage who have undergone formal SEC-disclosure-specific simulation training is lower.
The contrast with other public-facing executives is stark. CEOs are media-trained as standard practice. CFOs are trained for earnings calls and analyst events. General Counsels are trained for regulatory testimony. CISOs are trained for none of those, despite now being expected to perform all three under crisis conditions.
The gap is filling unevenly. Large financial institutions and healthcare systems are investing. Most other sectors are not.
The new CISO competency stack
A CISO operating in the post-2023 regulatory environment needs five competencies beyond the technical foundation.
One. Materiality determination judgment. The ability to assess whether an incident meets the materiality threshold, document the reasoning, and operate the four-business-day clock without rushing into premature disclosure or risking a late filing. The clock in Item 1.05 runs from the materiality determination, not from discovery, and the rule requires that determination to be made without unreasonable delay. The judgment is therefore about establishing a defensible determination date: neither filing before the facts support it nor stretching the determination to buy time.
Two. SEC disclosure language. Familiarity with the disclosure language frameworks, the staff's Compliance and Disclosure Interpretations on Item 1.05, and the Division of Corporation Finance's guidance that an incident not yet determined to be material, or determined not to be material, belongs under Item 8.01 rather than Item 1.05. Word choices have second-order effects: a filing that overstates what is known invites an amendment, and a filing under the wrong item signals a materiality conclusion the company may not have reached.
Three. Press communication. Ability to deliver structured statements, field hostile questions, and stay on message under time pressure. This is on-camera capability, not just written statement review.
Four. Board communication. Ability to brief boards with the quantified, prioritized, benchmarked content boards now expect — not the technical depth that earlier-generation CISOs delivered. See: The Boardroom Briefing No CISO Survives Without.
Five. Cross-functional coordination. Ability to operate inside the joint committee with Legal, Communications, IR, and Finance during the four-business-day window without ceding technical authority or losing the operational picture.
What organizations need to do
Three steps.
Audit the bench. Assess current CISO and deputy CISO readiness against the five competencies. Identify the gaps. Most organizations will find significant gaps on competencies three, four, and five.
Build the training program. Media training. SEC disclosure simulation. Board briefing structure. Quarterly drills with realistic facts and time pressure.
Plan for succession. The CISO role is increasingly high-burnout. The personal liability exposure is real. The training investment should extend to the next two layers — Deputy CISO, security leadership team — so the organization has bench depth.
The CISO is now a Tier-1 spokesperson. Train accordingly — or face the inevitable test under conditions you did not choose.