From Unusual Path to the Top: What Tarah Wheeler's Career Tells Us About Who Gets to Lead in Cybersecurity

Tarah Wheeler is now a chief security officer at a firm that advises some of the highest-stakes organisations in the world. Her route there looked nothing like the standard playbook.

ThreatVectr Newsdesk· 3 min read
A sleek, modern corporate security operations room photographed from a low angle looking toward a large curved desk with multiple dark monitors displaying abstr
Share

Key points

  • Tarah Wheeler currently holds the role of Chief Information Security Officer (CISO) at TPO Group, a cybersecurity consultancy.
  • TPO Group works with organisations where security failures carry serious, real-world consequences.
  • Wheeler's path to the top did not follow the conventional career ladder most senior security leaders climb.
  • Her story raises pointed questions about who the security industry recruits, promotes, and listens to.

A Chief Information Security Officer, or CISO, is the most senior person responsible for keeping an organisation's systems and data safe. It is a title that usually comes after decades of narrowly technical work. Tarah Wheeler's story, covered by SecurityWeek, complicates that picture.

Wheeler is the CISO at TPO Group, a consultancy hired by organisations where a security breach could mean something worse than a damaged share price. Think hospitals, critical infrastructure operators, and government-adjacent bodies. The stakes at clients like these are not abstract.

Her background, though, broke from the expected mould.

How do people usually reach this level, and why does Wheeler's path matter?

Most CISOs arrive through a tight corridor: computer science degree, network engineering, then a climb through security operations. Wheeler did not take that corridor. Her route was wider and less linear, drawing on work that crossed policy, research, and public advocacy alongside technical practice.

That matters for two reasons.

First, it signals that the skills a top security leader actually needs, things like communicating risk to a board, engaging with regulators, and thinking about how people behave inside a system, are not always built by a purely technical route. They are built by people who have had to explain hard ideas to non-technical audiences, argue a position under scrutiny, and work across disciplines.

Second, the security industry has a well-documented shortage of qualified people. A 2023 workforce study by ISC2, the organisation that issues the Certified Information Systems Security Professional qualification, estimated a global gap of 4 million unfilled security roles. Expanding the accepted definition of a valid career path is one direct way to close that gap.

None of this is to say technical grounding does not matter. It does. But Wheeler's career suggests that grounding can be built in more than one way, and that organisations willing to look for it in unconventional places may find stronger leaders than those who hire strictly by credential checklist.

For ordinary people, the relevance is straightforward. Every organisation that handles your medical records, your bank details, or your personal data needs someone like a CISO making the right calls. Whether that person got there by an orthodox route or an unusual one matters far less than whether they are genuinely good at the job.

Wheeler appears to be making the case, through her career rather than just her words, that the industry should judge on that basis alone.

© 2026 Threat Vectr