Cybersecurity Leadership in 2026: Why Gartner’s Three Pillars Aren’t Enough
Gartner published its cybersecurity leadership guidance for 2026 and, as always, it’s been received like scripture. Three imperatives (strengthen influence, increase agility, build resilient operations) packaged for the boardroom, dressed in the language of “trusted partner” and “responsible AI adoption.”
I’ve read it. I respect the work. And I’m going to tell you, plainly, that it is incomplete.
Not wrong. Incomplete. And in a year where CISOs are being held personally liable, where agentic AI is rewriting the threat model in real time, where the average tenure of a CISO is still hovering around two years, incomplete is dangerous.
I run security operations at a Fortune institution. I’ve sat on the other side of the table as a NATO cybersecurity advisor and President of the Global CISO Forum. I’ve written 26 books on this craft and keynoted in 50+ countries. I’m not pulling rank — I’m telling you where I’m writing from. Because the gap between a Gartner article and a CISO’s Tuesday is the gap this post is about.
Here’s my argument: Gartner’s three pillars describe the surface of the job. They do not describe the fault lines underneath it. And if you build your 2026 program around those three pillars alone, you will be doing the right things in the wrong order, with the wrong assumptions, and you will be surprised when something breaks.
Let me show you what I mean.
What Gartner Gets Right (Briefly)
Before I tear into it, credit where it’s due.
Influence matters. A CISO who can’t translate risk into business language is a CISO who gets ignored. Gartner is right that the modern security leader has to be a sense-maker for the board, not a technical oracle hiding behind a SIEM dashboard.
Agility matters. The shelf life of a security control is collapsing. What worked against ransomware in 2023 (endpoint detection, immutable backups, segmented networks) is being bypassed by AI-augmented adversaries in 2026. If your operating model can’t adapt at the speed your attackers can, you lose.
Resilience matters. Perfect prevention is dead. The board has finally stopped asking “are we secure?” and started asking “how fast do we recover?” — and Gartner is right that this is the new benchmark.
I’m not here to dispute the framework. I’m here to say it stops three layers above where the real work happens.
The Five Things Gartner’s Framework Misses
If I were rewriting the leadership playbook for 2026 (and apparently I am), I would add five things that don’t appear, or appear only as footnotes, in the consulting deck.
The Political-Technical Bifurcation Is the Real Crisis
The modern CISO role has split in half, and most leaders are failing at the seam. On one side, you have the political CISO: the one in board meetings, translating SOC metrics into business risk, negotiating budget against a CFO who treats security like cost-of-goods, building relationships with general counsel and the audit committee. This is the role Gartner’s “influence” pillar describes.
On the other side, you have the technical CISO: the one who has to actually understand what their SOC analyst means when they say “we saw lateral movement off a service account at 0247 and the EDR didn’t fire.” The one who has to know whether their PAM rollout actually closed the gap, or whether the vendor demo was theater. The one who can read a Splunk query and tell the difference between a real alert and a tuning artifact.
Gartner treats these as a continuum. They are not. They are two different jobs, and most CISOs are good at one and pretending at the other.
The political CISO who can’t read a packet capture eventually gets played by their vendors and outsmarted by their attackers. The technical CISO who can’t speak to a board eventually loses budget, loses headcount, and loses the political air cover that lets the technical work happen at all.
The leadership question isn’t “how do I become more influential?” It’s “which half of this job am I weaker at, and what am I doing this quarter to close that gap?” That is a question Gartner will never ask you, because the honest answer is uncomfortable and doesn’t fit on a slide.
If you want a place to start: pick one technical domain you’ve stopped touching personally (identity, detection engineering, network telemetry, whichever) and force yourself back into it for an hour a week. Read the actual alerts. Sit with your analysts. Or, if you came up technical, pick one business unit leader you’ve never had a coffee with and book it. The CISOs who survive this decade are the ones who refuse to specialize away from either half of the job.
Vendor Truth Is a Leadership Skill, Not a Procurement Function
There is no Gartner pillar called “don’t get sold to.”
There should be.
I have sat through hundreds of vendor demos. I have watched colleagues — smart, accomplished CISOs — buy products that solved problems they didn’t have, integrated badly with stacks they already owned, and required headcount they couldn’t hire. I have watched procurement processes turn into theater where the decision was made before the RFP was written.
Vendor truth is the discipline of looking at a product, a category, an analyst quadrant, and asking: what does this actually do, what does it cost me operationally, and what is the marketing layer hiding? It is the discipline of knowing the difference between a feature, a capability, and a deployment.
Concrete example from my own desk this year. We’re standing up Protective DNS at the institution. The procurement category is crowded (Infoblox, Cisco Umbrella, DNSFilter, Cloudflare Gateway, half a dozen others) and every one of them will tell you they’re the leader. The Gartner Magic Quadrant won’t help you here, because the question that matters is “will this integrate with my Infoblox Trinzic appliance, my Palo Alto firewalls, my existing SIEM, and not require a new full-time engineer to operate?” That answer doesn’t live in an analyst report. It lives in the deployment notes of CISOs who already tried it, and in a brutally honest three-week proof of concept.
The CISOs who lead well in 2026 are the ones who have built a personal network of peers they can call and ask “what’s it actually like to run this thing?” and who treat that signal as more reliable than any quadrant. The Global CISO Forum exists for exactly this reason. So does every good ISAC, every regional CISO dinner, every back-channel Signal thread. None of it shows up in a leadership framework. All of it determines whether your stack is real or aspirational.
The People Problem Is Not “Skills Shortage” — It’s Burnout and Trust
Gartner mentions burnout. Briefly. As a risk factor. As if it’s weather.
It is not weather. It is the central HR challenge of cybersecurity leadership in 2026, and it determines whether everything else in the framework actually executes.
The data has been consistent for five years now: SOC analyst turnover is brutal, alert fatigue is real, and the people most likely to leave are the ones you can least afford to lose: your senior detection engineers, your incident commanders, the analyst who knows where the bodies are buried in your network because they put half of them there.
The leadership move isn’t “address burnout.” It’s:
- Cut alert volume by 30% before you add a single new tool. Every new platform you bring in is an alert generator. If you haven’t tuned what you have, you’re not adding capability; you’re adding noise that someone has to triage at 2 a.m.
- Pay your senior analysts what they’re worth, or stop being surprised when they leave. The market for a strong detection engineer is brutal. If you are paying 2022 salaries in 2026, the market has already made your retention decision for you.
- Build trust by giving real ownership. A SOC analyst who can mark an alert as false positive without three layers of approval is an analyst who is still in the seat in eighteen months. A SOC analyst who can’t is one who is updating their LinkedIn right now.
- Make career progression legible. Most security teams have no real promotion ladder past Tier 3. People leave because they can’t see the next step. Draw the ladder. Even an imperfect one.
This is the kind of work that doesn’t show up in a leadership framework because it isn’t strategic-sounding. It is small, operational, and unglamorous. It is also the difference between a SOC that works and a SOC that exists.
AI Is Not a Pillar, It’s a Solvent
Gartner has AI in there: agentic AI oversight, AI in IAM, GenAI in awareness training. Each one is treated as a discrete trend with discrete recommendations.
That framing is wrong.
AI is not a trend you can address with a workstream. It is a solvent that is dissolving every category boundary in your program at once.
It dissolves the boundary between insider and outsider, because a compromised LLM API key inside your environment now produces something that looks like an insider with infinite patience. It dissolves the boundary between phishing and pretexting, because a voice clone from three seconds of LinkedIn audio is not a phishing email; it’s something we don’t have a clean name for yet. It dissolves the boundary between “managed by IT” and “shadow IT,” because every employee with a ChatGPT account is now operating their own unmanaged data pipeline to a foreign processor.
It also dissolves the boundary between your security team and the AI vendor’s security team, and this is the part nobody wants to say out loud. Every time you adopt Microsoft Copilot, or Google’s security AI, or a SOC co-pilot, you are accepting that some portion of your detection logic, your data, and your investigative trail now lives somewhere you can’t fully audit. That isn’t necessarily wrong. It is a strategic choice with second-order consequences, and the leadership skill is being honest with yourself about which consequences you’ve accepted.
The right leadership question isn’t “how do I govern AI?” It’s “which of my existing controls are still load-bearing in a world where AI has dissolved their assumptions, and what is the order of operations for replacing them?” That is a much harder question and it cannot be delegated to a working group.
If this is the part that hit hardest, I’ve written a full hub on AI Governance for CISOs that goes deeper into the operating model.
The Regulatory Layer Is Now Personal
The thing Gartner mentions but does not sit with: the personal liability is real, and it changes how you should be doing the job.
SEC disclosure rules. NIS2 in the EU. State-level breach laws stacking on top of federal expectations. The SolarWinds CISO indictment, regardless of how it ultimately resolves, was a signal flare to every CISO in America that the legal exposure has changed.
Most leadership frameworks treat this as a “governance” topic. It is not. It is a personal-decisions topic.
It means you need a documented record of every material risk decision you have escalated, who you escalated it to, and what they decided. Not because you’re trying to dodge blame, but because if something goes wrong in three years and you’re deposed, the memory of a meeting is not evidence. The email is. The Jira ticket is. The signed-off risk register is.
It means you need personal indemnification language in your contract, and if your employer won’t give it to you, that tells you something about how they will treat you after an incident.
It means you need outside counsel you trust personally, separate from your company’s general counsel, because in a serious breach scenario your interests and your employer’s interests will diverge faster than you think.
None of this is paranoid. All of it is what the senior CISOs I talk to are doing in 2026. Gartner is not going to put “find your own lawyer” on a leadership slide. I will.
A Better Framework: The Five Tensions
If I had to replace Gartner’s three pillars with something more honest, I wouldn’t replace them with another set of imperatives. The whole imperative framing is part of the problem: it suggests these things are independently solvable, which they aren’t.
Here is what I’d offer instead. Cybersecurity leadership in 2026 is the work of holding five tensions in productive balance:
None of these tensions resolves. They are not problems to solve. They are tensions to manage, every day, for as long as you hold the role. That is the actual job. Anyone who tells you otherwise is selling you a framework.
What This Looks Like in Practice
I want to close with something concrete, because abstract leadership frameworks are exactly the thing I just spent 2,000 words complaining about.
Here is what holding these five tensions looks like in a real CISO calendar: the one I actually try to keep, the one I miss as often as I hit:
One hour with the SOC
Not a status meeting. Sitting in the actual queue, reading the actual alerts, asking the actual analysts what’s frustrating them.
One peer conversation outside your institution
The best decisions come from someone telling you what’s actually happening in their environment — not from any analyst report.
Documented risk decision review
Every risk you accepted in the last 30 days, written down, with who you escalated it to and what they said. Boring. Crucial.
Counsel check-in on personal exposure
General counsel — and ideally outside counsel. Not legalistic. Just: “Here’s what I’m doing. Where am I exposed?”
Brutal honesty stack review
What did we buy that isn’t being used? What produces noise instead of signal? Where are we tool-rich and capability-poor?
Rebuild your three-year strategy from scratch
Not by editing last year’s. The world that justified your 2025 strategy is not the world your 2027 strategy has to survive.
The Honest Close
Gartner’s framework is useful. It is also designed for an audience (boards, CIOs, CEOs who fund security programs) that is not the audience you actually answer to at 2 a.m. when something goes wrong.
The audience you answer to at 2 a.m. is your SOC analysts, your incident response team, your own conscience, and eventually a regulator with a subpoena. None of them care whether you optimized for “influence” or “agility.” They care whether you made good decisions, whether you treated your people well, whether you told the truth to your board, and whether you have the receipts to prove it.
That is what cybersecurity leadership in 2026 actually is. It is messier than three pillars. It is more uncomfortable than any analyst slide will admit. And it is the only version of the job worth doing.
Want to Go Deeper?
If this argument resonated, here’s where to keep reading — and where to find the long-form version of everything I’ve argued here.
And if you disagree with me — especially if you disagree with me — I’d genuinely like to hear it. The frameworks get sharper when the people who actually do the work push back on them.
— Dr. Erdal Ozkaya