Isn't there a practical way to resolve this structural irrationality?
When a CEO or CISO is newly appointed, how about conducting an 'Initial Independent Security Posture Review' through an independent body early in their tenure to assess the organization’s overall security? 

This is a process in which a newly appointed CEO or CISO objectively reviews the organization’s security posture through an external independent body early in their tenure and leaves the results as an official record. 

Looking at overseas practices, this direction is quite practical and persuasive. EY explains that in a new CISO's first-year strategy, the company's current security posture should be reviewed first, and that as a starting point, an independent assessment of cybersecurity posture is important. The key is to look not only at vulnerability scans but also at policies, procedures, technology, and overall organizational operations.

Why is such a process necessary?
The reason is simple. When people go to a new hospital, they get a basic checkup first. Companies are no different. When a new leader takes charge of an organization, it is only natural to first confirm the current security posture. 

Yet in reality, things often move in the opposite direction. That is because the moment a problem is officially identified, both accountability for explanation and responsibility for improvement arise. So in some organizations, “not looking too closely” can seem like the easier choice. But pretending not to know does not make the risk disappear. It simply goes unrecorded.

This issue becomes even sharper in the CISO role. According to surveys, the average CISO tenure is about 18 to 26 months, much shorter than the 4.9-year average for general C-level roles. Another Heidrick & Struggles survey found that the biggest personal risks cited by CISOs were stress at 71% and burnout at 54%, and 29% feared they could lose their jobs after a breach. What these figures clearly show is that a CISO is not simply someone skilled in technology, but a role that bears both uncertain risk and responsibility at once. If so, even more reason is needed for a formal mechanism to confirm exactly what state was inherited.

Recent changes in overseas regulations also support this awareness.
The U.S. Securities and Exchange Commission (SEC) adopted its final 2023 cybersecurity disclosure rule. Listed companies must disclose cyber incidents within four business days after determining them to be material. Annual reports must explain the cyber risk management, strategy, and governance framework. This means a structure has been created in which management must explain to investors and the market how security is being managed. Security is no longer solely the job of an internal operations team; it has become a matter of management accountability.

Europe has gone a step further. The Network and Information Systems Directive 2 (NIS2) explicitly requires management and governing bodies to approve cybersecurity risk management measures and oversee their implementation. It also establishes a significant administrative penalty regime for violations. The Digital Operational Resilience Act (DORA) likewise makes the full and ultimate responsibility of the governing body for ICT risk management in finance explicit. 

In other words, the notion that “security is something the IT team handles” no longer holds institutionally, and the trend is that management accountability is being strengthened.