
Cybersecurity risk now sits with corporate boards, who face real consequences when trust, reputation, and business continuity fail after a breach.
Bradley Schagrin, Sales Director at ObserveID, describes how the CISO role has expanded and why boards must take responsibility for giving security leaders the resources to succeed.
Schagrin points to active engagement, structural support, and an assume-the-breach mindset as the path to meaningful accountability and stronger organizational resilience.
Cybersecurity risk ownership has shifted from the IT department to the boardroom. Once dismissed as a routine line item, security now carries the weight of trust, reputation, and shareholder value every time a breach occurs. Boards are beginning to recognize that protecting the organization is a core fiduciary duty, not a technical footnote, and that real accountability requires more than nodding through a briefing. It demands informed, active leadership that treats security as the business enabler it has become.
Bradley Schagrin is a senior director with extensive experience in the cybersecurity, SaaS, and cloud sectors. Now Sales Director at identity security platform ObserveID, Schagrin has built and led global partner programs for major technology firms like OpenText, Micro Focus, and HP. For Schagrin, the path to true digital resilience begins with a pragmatic understanding of where accountability ultimately lies.
"If the board doesn't give the CISO the necessary tools and he or she can't do their job, it's the board's responsibility. They need to pay attention," Schagrin says. In his view, the old mindset of treating security as a cost center is a thing of the past. Instead, the CISO is evolving into a three-dimensional leader who must translate technical risk into business objectives and evangelize a security-first culture, Schagrin explains. Today, the pressure on CISOs is a direct symptom of boards failing to provide adequate support. "Companies spend more on their internal coffee bill than they do on their security products," he says.
An 18-month tour: The accountability gap can create immense pressure. Often, that prompts CISOs to adopt a high-risk, pragmatic mindset, Schagrin says. "Many CISOs say the job feels like stepping in each morning knowing you might be shown the door by nightfall. With an eighteen-month average tenure, they understand that risk the moment they step into the role."
Acknowledgment vs. acceptance: As the CISO’s responsibilities expand, the board's role must grow in tandem, Schagrin says. That requires active engagement and a willingness to ask tough questions. "If the CISO lays out the reality and the board visibly reacts, they get it. If the response is simply, 'Well, that's very nice to know,' they didn't."
But this commitment can't just be talk, Schagrin says. Boards must reflect it structurally, too. A board can show its support by formally elevating the security function to be a true peer to other core business units.
A place at the table: Such a tangible move helps build the internal trust a CISO needs to succeed. "If you have a security silo that's viewed as the same size and category as financial, legal, and operational, then that CISO is going to feel very comfortable because he or she will know they have that board support," Schagrin explains. "And you're going to see that culture filter down."
A two-way street: However, communication is a shared responsibility, Schagrin says. "The CISO doesn't necessarily need to be a master communicator because the board has to take responsibility in understanding as well. But the CISO does need to be the translator and own the responsibility of turning security into a benefit, not a cost."
Assume the breach: Meanwhile, this shift is happening against the backdrop of a threat environment that has grown increasingly dangerous and sophisticated. The roster of adversaries has expanded from rogue hackers to include nation-states, and the rise of AI has created a threat domain unlike anything seen before. That new reality requires a new mindset for leadership, Schagrin explains. "You have to assume that you are going to be breached. That's the fiduciary responsibility and why it goes all the way to a board level. You have to assume that."
Schagrin’s last piece of advice to executives is simple: you cannot manage a risk you don't understand. "Plenty of breaches sit inside a company long before anyone notices. On the surface everything feels normal, but the damage is already underway," he concludes. It falls to the board to confront that reality with clarity and act before the damage becomes irreversible.