SecureWorld News

Cybersecurity as Stewardship: Protecting What Can't Protect Itself

Written by Vanessa Pegueros | Sun | Sep 28, 2025 | 3:23 PM Z

Cybersecurity is often discussed in terms of tools, threats, and technical mitigation strategies. But after decades in the field—serving as a Chief Information Security Officer, an executive leader, and now as a board member—what I've come to believe is this:

Cybersecurity is a form of ethical leadership. It's not just about defending systems. It's about protecting people. It's about safeguarding trust. And ultimately, it's about doing the right thing—even when it's uncomfortable.

The role of the security leader: values in action

At its core, cybersecurity is an act of stewardship. We are entrusted with protecting the most vulnerable parts of an organization—often the very things that can't protect themselves.

That includes personal data, proprietary information, and the systems that power healthcare, finance, and energy. But it also includes people—employees, customers, communities—who rely on those systems to live and thrive.

In every security leadership role I've held—at companies like DocuSign, US Bank, OneLogin, and others—I've seen how a breach or misstep doesn't just result in financial loss. It can damage relationships, erode credibility, and destabilize the very foundation of a company.

Trust is the real currency

When I was at DocuSign, we were in a hyper-growth phase, preparing for an IPO. Security wasn't a background function—it was front and center. It had to be. We were asking customers to entrust us with their most sensitive agreements. We couldn't afford to be anything less than trustworthy.

There's a powerful lesson in that: Security is not just risk mitigation; it's a value proposition.

We didn't build trust by promising perfection. We built it by being accountable—owning our issues, fixing them quickly, and communicating transparently. That's what ethical leadership looks like in cybersecurity: not hiding behind jargon or PR spin, but leaning into the hard conversations, even when it's uncomfortable.

When the system itself needs fixing

At one point in my career, I was asked by a superior to present inaccurate information to the board—essentially to downplay a known issue. I said no.

That decision was instinctive, but it reflects a systemic problem: too many security leaders are pressured to tell boards what they want to hear, not what they need to know.

This isn't just about individual integrity; it's about structural misalignment. In many organizations, CISOs report into the CIO—the very person responsible for the systems the CISO is expected to critique. It puts security leaders in a political and ethical bind, where raising a red flag can feel like insubordination.

It's time for boards to recognize that where cybersecurity reports matters just as much as what gets reported. An independent line to the board—or to a relevant board committee—isn't just good governance. It's a signal to the entire organization that integrity and transparency matter.

The expanding role of the cyber and tech committee

As a board member, I now bring this perspective into the room. I've chaired a Cyber and Tech Risk Committee. I've seen how this topic is evolving—not just monitoring threats, but helping define the company's strategic and ethical posture in a digital world.

Cybersecurity touches everything: customer trust, data privacy, operational resilience, even ESG. It's not just a technical conversation—it's a governance conversation.

Boards must move beyond compliance checklists and ask deeper questions:

  • Do we really believe cybersecurity is important to the success of the business?

  • Are we protecting the people and communities we serve?

  • Is our cybersecurity strategy aligned with our mission and values?

  • Does the board have an accurate view of the cybersecurity risks and challenges?

Doing the right thing—even quietly

Not every act of stewardship makes headlines. But that's the point. The best security is often invisible. It prevents harm before it happens. It protects those who may never even know they were at risk. It creates the conditions for people, businesses, and ecosystems to grow—safely.

In a world that's increasingly digital, interconnected, and complex, cybersecurity must be more than a technical function. It must be an ethical one.

And those of us in positions of leadership—on boards, in C-suites, and across industries—must carry that responsibility with care, clarity, and courage.

This article originally appeared on LinkedIn.