
From “Dr. No” to Business Enabler: Understanding CISO Types and Qualities

26 July 2025 · 12 min read

Management

Chief Information Security Officers (CISOs) play a pivotal role in balancing cybersecurity with business needs. Yet not all CISOs approach security the same way. On one end of the spectrum are “solutions-oriented” CISOs who collaborate with colleagues to enable business objectives securely. On the other end are those who reflexively block anything risky – the infamous “Dr. No” CISOs who say no to every request in the name of security. This in-depth look explores these different CISO types, the scenarios and consequences of their approaches, and ultimately what makes a good CISO. We’ll see how a security leader can either empower the organization or create frustration-fueled vulnerabilities, backed by research and expert insights.

The Solutions-Oriented CISO

A solutions-oriented CISO views security as a business enabler, not a roadblock. Instead of defaulting to denial, this type of CISO works with teams to find secure ways to achieve business goals. They adopt a risk-based approach – evaluating the actual risks of a new idea or technology and finding mitigations – rather than simply forbidding it. As Petri Kuivala (CISO of NXP Semiconductors and former Nokia CISO) puts it, “Just because there’s a security risk with something, that doesn’t mean you just tell the CEO it can’t be done. As the CISO, I am a business enabler… it’s my job to explain the risk in a way that the board can make an informed business decision to put resources in the right places to lower risk while trying to make money.” In other words, a good CISO presents options and solutions – translating cyber risks into business terms and guiding decision-makers on how to reduce risk without stifling innovation.

This approach positions the CISO as a strategic partner. Modern cybersecurity leaders recognize that security should support the company’s mission. In fact, the role has evolved from being seen as a “nerd-driven nuisance” into a core strategic function for the business. Solutions-oriented CISOs embrace this evolution. They engage with other executives and departments to ensure security measures enable safe growth (for example, securely adopting a new cloud service rather than banning it outright). By focusing on how to do things securely instead of simply what not to do, they foster cooperation. Colleagues come to see the CISO as a problem-solver who helps navigate risks – a far cry from the caricature of the security chief who only says “No.” This collaborative mindset not only improves security but also builds goodwill: employees are more likely to follow security guidance when they know the CISO will work with them to achieve their goals securely, instead of automatically shutting them down.

The “Block-Everything” CISO

On the opposite end is the CISO who prioritizes security above all – even if it means blocking almost every new idea or tool “for the sake of security.” This “just say no” approach (often dubbed the Dr. No CISO) views colleagues’ requests with suspicion and tends to impose rigid controls without flexibility. In such scenarios, the security team might decline any software that isn’t explicitly vetted, disapprove all exceptions, and enforce strict policies to eliminate every theoretical vulnerability. On the surface, this ultra-conservative stance seems safe – after all, fewer tools and less user freedom should mean less risk, right? In reality, this approach can backfire badly. Research shows that when security measures become too onerous, employees grow frustrated and start finding ways around the controls, inadvertently creating new risks.

Why does “blocking everything” backfire? Because people need to get their work done. If security rules make it impossible or excessively difficult to do a job, employees will inevitably seek shortcuts or workarounds. A classic example is from healthcare: one hospital required a five-minute login process for accessing patient records, so technicians began sharing a single login session all day to avoid re-authenticating. They knew this violated policy, but it “felt necessary to get the job done.” This scenario illustrates how overly stringent controls can frustrate employees into finding insecure shortcuts, ultimately undermining the security they were meant to improve. In the hospital case, the strict unique-login rule ironically led to more password sharing (73.6% of medical staff admitted to using a coworker’s password), which decreased overall security. When a CISO’s policies resemble a hard blockade, users often respond by going around the wall, creating shadow IT systems, weak practices, and other vulnerabilities.

This isn’t just anecdotal – it’s a well-documented phenomenon. An academic study on information security trade-offs found that “tightening security by making systems more inaccessible can hinder employees and make them less productive. It can also result in lower security as workers struggle to find ways around the security conditions to enable them to do their jobs.” In fact, over one-third of employees surveyed in that study reported problems caused by security measures interfering with their work. In a more recent survey of 14,000 employees across multiple countries, 65% admitted to bypassing cybersecurity rules for the sake of convenience or productivity. Common workarounds included using personal devices and unsanctioned apps, or forwarding work documents to personal email – “these workarounds create vulnerabilities” in the organization’s security framework. In other words, when employees feel the official tools and policies won’t let them do what they need, they will find another way, often one that security doesn’t see or control.

Overly rigid governance can thus breed “shadow IT” – employees turning to unauthorized software or services. A 2025 industry study noted that some organizations are too strict: “I’ve also seen overly rigid governance at some firms, where employees feel that they’re not able to get their work done because they’re not able to use specific software.” The result? Employees quietly adopt unapproved solutions, like a designer signing up for a third-party file-sharing app because the sanctioned one is too cumbersome, or a manager using a personal chat app because the company’s tool is locked down. One report found that at large enterprises, workers were using hundreds of unofficial apps (far above the number IT knew about), precisely because approved tools didn’t meet their needs. Employee frustration becomes a fertile ground for security breaches: as one CIO observed, “employees struggling with slow, outdated, or underperforming IT systems naturally seek out work-arounds… turning to unapproved apps or personal devices just to get their jobs done. But this creates even more problems — security risks, data silos, and a lack of standardization.” In short, when a CISO’s mantra is simply “No,” security may appear tight on paper but is actually being circumvented in practice, often in insecure ways.

The Human Factor: Frustration Leads to Violations

Crucially, most of these policy violations are not malicious insiders trying to cause harm – they’re ordinary employees trying to meet deadlines or help the business despite burdensome rules. A recent academic study of over 330 remote workers illustrated this point well. It found 67% of employees failed to fully adhere to cybersecurity policies at least once within a two-week period, with an average of one policy violation in every 20 work tasks. Why did they break the rules? The top reasons (accounting for 85% of incidents) were “to better accomplish tasks for my job,” “to get something I needed,” or “to help others get their work done.” In other words, employees typically circumvented security in order to be productive – not to be rebellious, but to remove what they saw as obstacles. Similarly, another industry survey revealed that over two-thirds of young office workers (ages 18–24) admitted bypassing security policies, and 54% of those young workers said they worry more about getting their work done than about security. Under pressure to deliver results, people will choose the “easy way out” if security processes are too slow or complex. This phenomenon has been dubbed “security friction” – when the effort required by security measures exceeds employees’ tolerance, they will default to the path of least resistance. The upshot is a paradox: a CISO who tries to eliminate every risk by forbidding and locking down everything might actually increase the organization’s risk, because frustrated users will create new loopholes and vulnerabilities in an attempt to get things done.

What Makes a Good CISO?

Given the pitfalls of the “block-everything” approach, what does a good CISO look like? Beyond technical expertise, the best CISOs excel as leaders and partners who manage, prevent, and support effectively. They strike the right balance between protecting the company and empowering its people. Here are key traits and behaviors that characterize a high-performing, people-centric CISO:

  • Business Enabler Mindset: A good CISO aligns security with business objectives instead of viewing them as opposing forces. They refuse to be the default “Department of No.” Instead, they evaluate risks in context and offer secure solutions that allow projects to move forward. For example, rather than banning a new cloud service outright, an enabling CISO will assess its security, implement mitigating controls, and help the business use it safely. This mindset earns the CISO a seat at the table as a trusted advisor. As noted earlier, modern CISOs present cyber risk in business-friendly terms so that leadership can make informed decisions – facilitating business growth while managing risk.
  • Effective Risk Communicator: Top CISOs are excellent communicators who translate technical risks into language the organization understands. They don’t overwhelm colleagues with jargon or doom-and-gloom; instead, they frame security in terms of business impact and solutions. This skill builds bridges between the security team and other departments. It also means being honest about trade-offs: a good CISO will explain what a security measure achieves and what cost or inconvenience it entails, treating executives and employees like partners in risk management. By demystifying cybersecurity, the CISO fosters informed decision-making and ensures security is seen as a shared responsibility rather than an imposed mandate.
  • Employee-Centric Approach: Perhaps most importantly, an effective CISO treats colleagues as allies, not threats. They recognize that employees are the first line of defense and strive to turn the old notion of “humans are the weakest link” into “humans are our greatest asset.” This philosophy means building trust and a positive security culture. A servant-leader CISO doesn’t wield policies as a club to punish users, but works with employees to improve security habits. As one security culture expert put it, security teams should “evolve past being the trolls under the bridge that come out to wave a policy club at wayfaring users and start to treat users as partners.” Colleagues should feel that the CISO views them as part of the solution – people to be empowered with knowledge and tools – rather than potential intruders. In practice, this means encouraging employees to report threats or mistakes without fear of reprisal, and rewarding good security behaviors. A healthy security environment is collaborative: employees feel comfortable raising concerns or admitting an error, knowing the CISO’s team will respond by fixing the problem, not blaming the individual. When users are engaged and appreciated as partners, they are far more likely to buy into the security program and uphold it.
  • Security Culture Builder: A good CISO proactively cultivates a security-aware culture across the organization. This involves continuous education, practical training, and integration of security into daily workflows. Crucially, the CISO ensures that security policies are robust but also user-friendly – they should not needlessly hinder productivity. Effective CISOs provide regular training that goes beyond annual check-the-box modules, making it relevant and engaging so that employees truly internalize best practices. They might establish “security champions” in different departments or incentivize reporting of phishing emails, etc. By embedding security into the company’s DNA – from onboarding to everyday procedures – the CISO turns safe behavior into second nature for employees. Over time, this reduces the friction between security and work: when everyone understands why a policy exists and sees that leadership follows it too, compliance becomes much more natural.
  • Preventive and Supportive Leadership: Finally, an effective CISO focuses on preventing incidents through smart planning and support, rather than just reacting after the fact. They implement the right mix of controls and make sure those controls are practical for users. For instance, if multi-factor authentication (MFA) is deployed, a good CISO monitors user feedback and tries to make the process as smooth as possible (like single sign-on solutions), so that it doesn’t grind workflow to a halt. They pay attention to areas where security friction is high and seek to streamline processes without sacrificing protection. Additionally, they provide the organization with tools and resources to work securely – for example, a secure file-sharing platform that is as easy to use as any consumer app, so employees won’t feel tempted to use unauthorized ones. In essence, the CISO supports colleagues by giving them safe ways to do what they need to do, and by being responsive to their frustrations. If employees complain that a security rule impedes an important task, a good CISO listens and tries to find a better way (or at least explains the rationale, so people feel heard). This supportive stance prevents the buildup of resentment that leads to rule-breaking. It also boosts morale: when the workforce sees the security team as helpers and advisors, not hall monitors, they are more likely to cooperate and even champion security initiatives.

Guardians and Guides

Today’s threat landscape demands that CISOs be both guardians and guides. The contrast between the CISO who is a rigid gatekeeper and the one who is a collaborative enabler couldn’t be more stark. The research is clear that an overly restrictive, “block-everything” mentality can undermine security by driving employees to unsafe behaviors out of sheer frustration. In contrast, the most successful CISOs build bridges – aligning security with business goals, treating employees as valued partners in defense, and fostering a culture where doing the secure thing is also the easy thing. Such CISOs don’t just prevent breaches; they enable their companies to innovate and grow safely. By being solutions-oriented, communicative, and people-focused, a good CISO turns the organization’s humans from a potential vulnerability into its greatest defense asset. In the end, the best security leaders recognize that security is a team sport: when every colleague is engaged and supported in protecting the company, the whole enterprise becomes more resilient.
