A Tale of Two CISOs: Why An Engineering-Focused CISO Can Be a Liability

Summary

David Schwed distinguishes two CISO archetypes: the engineering-focused CISO who treats security primarily as an engineering problem, and the holistic CISO who integrates people, process and technology into a broader risk and resilience strategy. Schwed warns that an engineering-first approach often shifts risk into less-observed areas — glue code, deployment pipelines and human workflows — which attackers routinely exploit. He points to 2025’s surge in crypto thefts, including the Bybit $1.5bn incident, and rising AI supply-chain issues as evidence that prevention-only thinking is brittle.

The holistic CISO, by contrast, widens the threat model, asks who can change critical code and credentials, and builds for resilience: segmentation, blast-radius reduction, integrity checks, monitoring and rehearsed incident response.

Key Points

  • There are two common CISO archetypes: the engineer CISO (technology-first) and the holistic CISO (systems-first).
  • Engineer CISOs focus on preventative controls and neat architectures, but frequently relocate risk to pipelines, glue code and human processes.
  • Real-world incidents (e.g. the Bybit theft) show attackers bypass strong cryptography by targeting operations and infrastructure, not the maths.
  • AI and crypto systems amplify these weaknesses: prompt injection, permissions, and supply-chain exposures are typically the weakest links.
  • Holistic CISOs expand the threat model to include who can change code, approvals, deployment workflows and credential management.
  • Resilience — segmentation, reduced blast radius, integrity checks and tested incident response — is as important as prevention.

Why should I read this?

Short version: if you’re hiring a CISO or rely on crypto/AI systems, this is the hire-that-saves-or-breaks-you argument. Schwed keeps it blunt — an engineer-only CISO might look great on diagrams and to auditors, but attackers love the bits you didn’t harden. Read this if you want to avoid a costly false economy when recruiting security leadership.

Context and relevance

In 2025 there’s a global rush to hire CISOs across AI labs, crypto exchanges and finance. With record losses in digital assets and novel AI threats, choosing the wrong leadership model can leave organisations brittle. The article is particularly relevant to boards, hiring managers and security teams deciding role priorities: deep technical chops matter, but without a systemic view that includes governance, deployment controls and incident rehearsals, organisations remain exposed.

Author style: punchy — Schwed deliberately sharpens the contrast to force hiring and governance discussions toward resilience rather than reassuring architecture diagrams.

Source

Source: https://www.darkreading.com/cyber-risk/why-an-engineering-focused-ciso-can-be-a-liability