Tell Me What You Do
I ask almost every CISO (Chief Information Security Officer, for the non-security folks) I meet the same question.
“Tell me what you do — but explain it like you’re talking to some random stranger walking down the street. Not to me.”
Then I wait.
More often than not, within 30 seconds, I stop them.
“You’ve already lost me.”
The look I get is hard to describe. Half puzzled. Half offended. Like I just told them their fly was down in front of a crowd.
That reaction tells me everything.
Because I’m not being difficult. I’m not trying to embarrass anyone. I’m just asking a grown professional to explain their job in plain language.
And they can’t do it.
Here’s what a CISO does:
A CISO advises an organization on making good information security risk decisions and implements those decisions.
That’s it.
One sentence. No acronyms. No frameworks. No slide deck. A stranger on the street gets it. Your grandmother gets it. The board member who’s been nodding along for years while understanding almost nothing — they get it.
If you’re a CISO and that sentence stings, pay attention to that.
The inability to explain what you do simply isn’t a communication problem.
It’s an understanding problem.
Real expertise — the kind earned through years of doing hard things, being wrong, and doing it again — strips complexity away. It doesn’t add more. The deeper you actually understand something, the clearer you can make it for someone who doesn’t.
That’s the work most people skip.
It’s easier to learn the language of a profession than to master the profession itself. Easier to stack acronyms than to earn the knowledge behind them. Easier to hide inside complexity than to stand in the open and say something true and simple and defensible.
Complexity is often a costume. And this industry has been wearing it for a long time.
But this isn’t just a cybersecurity problem.
Ask a doctor to explain a diagnosis without medical jargon. Ask a lawyer to explain a contract in plain English. Ask a financial advisor what you should actually do with your money.
The great ones answer straight. The ones performing greatness add more complexity.
That’s the tell.
Every profession has people who’ve mastered the appearance of expertise without doing the work to earn it. They speak the language. They carry the credentials. They know how to be in the room.
But ask them a simple question and watch what happens.
There’s another piece to this that doesn’t get said enough.
Real experts don’t boast.
The most genuinely talented people I’ve met in 30+ years — in security and outside of it — are rarely the loudest ones in the room. They don’t lead with their certifications. They say “I don’t know” without flinching, because they’re secure enough in what they do know that the gap doesn’t threaten them.
Confidence doesn’t announce itself.
It just shows up and does the thing.
When someone needs you to know how impressive they are, that need is the signal. The boasting gives it away every time.
Back to the CISOs.
I don’t ask that question to be cruel. I ask it because the answer matters. If the person responsible for helping an organization make good security decisions can’t explain what they do to a stranger on the street, how are they explaining it to a board? To a CEO? To the people whose decisions they’re supposed to be shaping?
The answer is: they’re not. Not really.
They’re performing. The board is nodding. Nobody’s actually communicating. And somewhere in that gap, bad decisions get made — or no decisions get made — and the organization is worse off for it.
That’s the job failing in real time.
So here’s the question — and it applies no matter what you do for a living.
Can you explain your job to a random stranger on the street in under 30 seconds?
Not your title. Not your credentials. What you actually do and why it matters.
If you can’t — that’s not the stranger’s problem.
That’s yours.