The room that mattered

One of my early clients replaced me.

Not because my work was wrong. The findings were sound, the framework was right, the controls I recommended were appropriate. They replaced me because my work never reached the person who needed to hear it.

I didn’t understand that until after I’d lost the engagement.

The CTO was my counterpart. Every vCISO engagement has one: the internal owner who approves, implements, and carries the security agenda forward inside the organisation. In this case, it was the CTO. Capable, engaged, genuinely committed to doing the right thing.

He was also, without either of us realising it, a filter.

Every conversation I had with him got translated before it reached the CEO. Security language became simplified summaries. Risk assessments became status updates. The nuance that would have connected compliance effort to business outcomes (revenue protection, enterprise deals, regulatory clearance) got lost somewhere between my report and the boardroom.

I was solving the room the CTO gave me. Not the room that mattered.

I noticed something on the occasions when the CTO wasn’t available. Those conversations with the CEO felt different. Not easier exactly, but more direct. There was no translation layer. I had to explain things in terms he already cared about, and when I did, something landed differently.

I just didn’t understand what I was observing until it was too late.

The firm that replaced me could speak that language fluently. They’d learned what I hadn’t yet: that the counterpart and the decision-maker are not always the same person. And when the CTO is acting as a buffer, even a well-meaning one, your best work never reaches the person whose conviction you actually need.

What changed after that engagement is harder to summarise than I’d like.

I pay attention to who’s in the room now. And more importantly, who isn’t. I ask myself whether I’m talking to the person who implements security or the person who has to believe in it. I try to frame everything in business language before I reach for security language; not as a translation exercise, but as a discipline.

I’m still on that journey. Awareness is the first step, but it’s not the last one.

What I know is this: losing that client was the most instructive engagement of my career. Not because of what I learned about security, but because of what I learned about the room I was actually being asked to walk into.
