Dr Maiendra Moodley, senior analyst at Wikistrat.

The rapid proliferation of roles such as chief information security officer, chief privacy officer, chief risk officer and chief trust officer in one firm has created overlapping mandates that blur accountability lines.

This was the word from Dr Maiendra Moodley, senior analyst at Wikistrat, delivering a presentation at ITWeb Security Summit 2026 this week. His talk, titled: “Too many chiefs: The rise of (in)security”, examined how the rapid expansion of executive security roles is creating both opportunity and confusion within organisations.

While these roles are intended to strengthen governance, he warned that without precise definitions, they can slow down response times and open exploitable gaps in organisational defence.

A key concern raised was how structural complexity becomes an advantage for attackers. In his view, adversaries do not need superior capability − only organisational delay and ambiguity.

“The attackers do not need to necessarily be ahead of the curve. All they have to do is to ensure there's enough confusion which is created naturally by the organisation and the chaos.

“There's a gap to exploitation because instead of being agile, you spend most of your effort being responsive in terms of governance.”

This delay, he argued, is not incidental but systemic. As issues move through multiple committees and competing executive domains, organisations become more reactive than agile, prioritising governance process over operational response. The result is a structural vulnerability embedded within decision-making itself.

Moodley highlighted that organisations often respond to uncertainty by creating additional leadership roles, but this can worsen the problem. He described how unclear accountability leads to duplication and functional overlap, particularly in security-related domains where mandates frequently intersect.
In many cases, he noted, even internal stakeholders struggle to distinguish responsibilities between key roles.

“In your organisation, all of you deal with customer data. We all agree if there's a breach of their customer data, who deals with it: the chief security officer or the chief information security officer.

“In one example, it was somebody in marketing who was in charge of it, because apparently the database problem is now a marketing problem too. So even the chief marketing officer gets involved in that problem, not knowing how they got into the problem other than it involves customers. Now you can see how this problem can quite frankly proliferate.”

The consequence of this role overlap, he argued, is delayed response, diluted accountability and ultimately execution failure − even in organisations with strong tools and frameworks. Technology investment alone, he warned, cannot compensate for structural ambiguity.

Beyond organisational design, Moodley also addressed the cultural and operational fatigue created by constant security escalation.

He noted that repeated requests for funding and escalating threat narratives can lead to disengagement at executive level, particularly from CFOs who become desensitised to security risk conversations.

“Some organisations have what I call security fatigue financially, where your CFO has heard every story and every excuse you have come up with and has decided that the next best thing to do when they see you is to take a tea break.

“Because every time you come and see them, you want money and you tell them about a threat that they have yet to see. So, unfortunately at that point in time, you land up a situation where there's diminishing returns in terms of what you spend and what you get back.”

Moodley then shifted his focus to the issue of modernising security leadership through better-aligned operating models and more disciplined use of emerging technologies such as artificial intelligence (AI).
He cautioned against adopting AI without first establishing clarity on organisational needs and constraints, stressing that technology cannot compensate for structural ambiguity.

“Now, how do we resolve these leadership challenges? What we've got to do is to be able to get to a point where we have clear intelligence around what is going on to be able to predict outcomes of what is done. There is a role for AI, but what AI solution works for each organisation varies. And you have to appreciate what your organisation's challenges are before you implement AI.”

He concluded that the core failure in many organisations is not technological but strategic, with unclear definitions of security purpose leading to fragmented execution and misaligned expectations. Without a coherent operating model, even well-funded programmes struggle to deliver measurable outcomes, he noted.
Too many ‘chiefs’ fuel security confusion crises
Overlapping security roles create delays and exploitable gaps despite governance structures, warns Wikistrat’s Dr Maiendra Moodley.








