Cybersecurity loves its breakthroughs and bold new tools, but real success usually comes from something quieter: the steady discipline of doing the basics well. As the field continues to mature, leaders are expected to think in terms of business risk rather than technical novelty, and the work that truly moves the needle is rarely the work that makes headlines.
That’s the hard truth according to Remy Faures, the Global Head of Information Security at The World Bank. As an Information Security Executive with over a decade of experience leading global cybersecurity strategy, including pioneering the organization's Zero Trust Architecture program, Faures has a pragmatic perspective on what separates successful leaders from the rest. He suggests the industry's focus on new trends often distracts from the disciplined execution that truly matters.
"A lot of people look at this type of job as sexy. It's not sexy. You succeed because you do the basics right," says Faures. His back-to-basics mantra isn’t just a preference, it’s a direct response to a classic case of 'be careful what you wish for.' For years, many leaders campaigned for a seat at the executive table. Now, with cybersecurity treated as a primary boardroom concern influencing global cybersecurity trends, many discovered they were unprepared for the conversation.
Drumbeat dilemma: "For many years, people in this space were beating the drum on the message that cyber is a business problem, not an IT problem. That has finally caught up with us and, in a way, created a new problem," explains Faures. "Now that they have the attention of the board, many leaders may wish they had matured a little bit further along."
Two jobs, one title: Faures argues that the job comes with two very different expectations. "The CISO role varies greatly depending on an organization's maturity. In some, the CISO is still a technical operator, the head of IT security. In more mature firms, the CISO is a chief risk management executive who advises the board on business risk."
The pressure is especially visible in the current rush to adopt AI. The hype can cause organizations to abandon defined AI strategies and proper security controls and frameworks, empowering threat actors who are already launching more sophisticated cyberattacks. But for Faures, this is a familiar cycle that calls for steadier judgment, echoing the early days of the cloud when excitement surged long before the risks were understood.
Drunk on AI: "Everybody's completely drunk on AI. Business leaders are in a competition to adopt more AI before we can even figure out what it is, because of the fear of losing out. The hype cycle is so strong that we may suppress the rational decision-making that should follow technology adoption," says Faures.
Tread carefully: The past offers a reminder that enthusiasm can outrun understanding. "I remember the early days of the cloud. As an industry, we embraced the cloud long before we understood its implications, but we matured through it," he continues. "I'm sure the same will happen with AI, but there will be casualties along the way."
The pivot from technical operator to strategic advisor is widely seen as a difficult transition. The daily reality of the job can create a powerful gravitational pull back toward the technical weeds. Faures sees this pull as a major obstacle to strategic focus and lays out a practical approach to avoid it.
Escaping the trap: "My advice is to find very strong people to take care of the technical stuff so you don't have to. You have to distance yourself from it, because it's a trap and it's easy to fall into that comfort zone. Being supported by strong people is the key enabler." He says the only way to rise above the noise is to stop carrying every technical task yourself.
The solution, Faures says, isn’t technical at all. It boils down to the skill he believes matters most for a modern security executive. "The last piece, and possibly the most important, is storytelling. As an industry, we suck at this. In the end, it's all about making sense and being credible, and that's what sets apart successful executives from the less successful ones."
He argues that without this skill, even strong technical work fails to translate into real impact. "You have to take a step back and ask, 'How do I pitch a story that makes sense to decision-makers with limited attention?' For them, my problem is one out of 60. I have to be impactful," Faures concludes.