The position of CISO is relatively new. It came into being in response to federal regulations, the burgeoning security industry, and the ever-increasing cyber-threats facing the modern enterprise. The CISO is responsible for establishing a credible economic basis for information security investments, assessing corporate risk as it relates to information security, and effectively communicating his or her findings to corporate executives. But many CISOs seem to be struggling in the position. This is due to several factors, some structural and some cultural.