It’s a familiar refrain: too much work and not enough compensation and recognition. Yet, while CISOs have seen their role grow in prominence and responsibility, the same cannot be said of functional security leaders who are being asked to do more — but are not reaping the benefits.
Unsurprisingly, this is causing increased job dissatisfaction with career progression and more readiness to exit. For CISOs, this presents a significant risk: If midlevel security managers feel overburdened and under-recognized, the ripple effects can undermine resilience, continuity, and innovation. At a time when cyberattacks continue to grow more sophisticated and harder to remediate, CISOs cannot risk functional leader defection.
“An increased expectation is being placed on functional cyber leaders because they are not only being asked to protect systems but also enable business outcomes — all while managing new regulatory demands, complex technology stacks, and limited resources,” says Carole Lee Hobson, CISO of PayNearMe.
This includes an expanded attack surface with cloud, SaaS, and AI, leaving functional cyber leaders accountable for risks in their third-party dependencies they can’t fully control, Hobson notes. “Combine that with the 24/7 nature of the job and hybrid work environments, and it’s no surprise burnout is escalating.”
Some 66% of cybersecurity professionals say their role is more stressful now than five years ago, with 63% citing the complex threat landscape as their top stressor, according to ISACA’s latest State of Cybersecurity Report. Further, more than half (55%) of cybersecurity teams are understaffed, and 65% have unfilled cybersecurity positions, the survey found.
Systemic issues continue
The trend of talented and dedicated functional security leaders quietly eyeing the exit is not an anomaly — it’s a predictable outcome of systemic issues that have been building within the profession for years, says Brandyn Fisher, V-CISO capability lead at Centric Consulting.
“As CISOs, we are seeing our most critical layer of management, our directors and senior managers, burn out,” Fisher says. “This isn’t happening in a vacuum. It’s the result of a dangerous convergence of unrealistic expectations, resource starvation, and a fundamentally broken career model.”
Security leaders operate on an unsustainable premise, Fisher says. “We expect our leaders to be right every single time, while an attacker only needs to be right once. This creates a culture of hyper-vigilance that is simply not sustainable 24/7/365.”
Teams are expected to be on-call through holidays and weekends, often without commensurate pay, and because a major incident can mean a four- to six-week response, personal lives are put on hold, he notes.
Monika Malik, lead data/AI software engineer at AT&T, doesn’t hold back on why functional leaders may be looking to defect. Too often, they are held accountable for projects, yet not given autonomy to make roadmap, staffing, and budget decisions, she says.
“Security leaders experience burnout when they own the risk and have no roadmap,” Malik says. On top of that, there is chronic stress and “breach panic, pager fatigue, and breach aftermath dumpster fires, [which] lead to burnout quicker than compensation can mitigate,” Malik says.
Fisher agrees: “This immense pressure is compounded by a lack of control. A security leader is often the scapegoat for failures originating elsewhere in the organization — a single clicked link by a user, a vulnerability pushed by a development team, or a poor decision by a high-level executive.”
Functional security leaders are held accountable for defending against threats within environments where they have limited visibility, he says. This means they are “fighting an invisible war on behalf of stakeholders who often don’t understand the stakes.”
Another issue is tool creep, with 40-plus security tools managing the same alerts and poor integrations, Malik says. There is also “role overload and context switching” on projects, as well as relentless audit cycles, reviews, and meetings, which Malik says leaves little time for career development. “Many organizations have a CISO plus a flat layer of ‘heads of X’” who don’t always have a clear path to moving into higher levels, she says.
And CISOs are constantly asking their leaders to do more with less, Fisher adds. “As cybersecurity is still widely viewed as a cost center rather than a business enabler, budgets are the first to be slashed while the threat landscape grows exponentially,” he says. “This places managers in the impossible position of being responsible for mitigating enterprise-level risk without the necessary funding for tools or talent.”
What CISOs can and should be doing
The situation isn’t hopeless; there are steps CISOs can and should take to help avoid defections. It’s a matter of making staff a priority. PayNearMe’s Hobson says CISOs need to ask themselves whether functional security leaders are wearing too many hats with too few opportunities to advance, and if they are doing enough to nurture and retain them.
“CIOs should be asking tough questions about leadership pipelines, succession planning, and the cultural dynamics within their security teams,” she says. “If we want to build sustainable security leadership, we need to understand — and address — why so many are eyeing the exit.”
Retention should be thought of as a program that requires additional operating model iterations, rather than something static, according to Malik. She suggests that CISOs implement a responsible, accountable, consulted, and informed (RACI) project management tool and give functional security leads authority over their systems.
They should also be given career paths that include promotion rubrics and “sponsorship — not mentorship — at the executive level, with visibility and board-facing opportunities,” Malik says.
A portion of compensation should be tied to risk contributions, for example, stats for time to patch, instead of audit fail/success factors, she adds. There also needs to be “tool and telemetry sanity,” which would require CISOs to consolidate vendors and implement a “quarterly kill-switch: If your tool is not reducing MTTR/false positives by date and tool objectives … retire or re-scope the tool as per worst-case expectations.”
Centric Consulting’s Fisher thinks success should be tracked by prevention of downtime and system protection, rather than reacting to an incident. At one company he worked at, when the security team started posting data on risk reduction on its dashboards, engagement increased and turnover declined.
“It increased the visibility of work, which renewed the motivation within teams,” he says, adding that security professionals do not often leave because of pressure. “They abandon due to the disappearance of their results behind the lack of crisis.” They would more likely feel invested if prevention were used as a metric, Fisher says, “and make security a quantifiable growth aspect rather than an unspoken background role.”
Is the CISO role something to aspire to?
Asking functional leaders to do more “is a direct reflection of the CISO’s own struggle for influence,” Fisher observes. When a CISO sits under an unreceptive CIO or COO and does not have a seat at the executive table, they cannot effectively advocate for their team’s needs, he says.
“This powerlessness trickles down. Managers are left to enforce policy and execute on a strategy they had no input on, with a team that is understaffed and under-equipped for the task,” Fisher says. “They carry the responsibility for failure without the authority or resources to ensure success.”
Perhaps the most critical issue is that “ambitious security managers are looking up the ladder and seeing a role they do not want,” he adds. “They see their CISO, buried in a 24/7 cycle of stress, personally liable without the same protections as other executives, and struggling to find time for the strategic thought leadership the role demands.”
What’s worse is that many see a leadership bottleneck, Fisher says. He believes there is a propensity to promote the best technical experts into the CISO role.
“While their hands-on experience is valuable,” he acknowledges, “many lack the strategic perspective, business acumen, and leadership skills to build a mature security program and mentor the next generation of leaders. For the aspiring manager who wants to grow into a business-aligned strategist, this creates a career ceiling. Why stay and fight an uphill battle for a midlevel salary that doesn’t match the required experience, only to report to a leader who cannot pave the way for meaningful career progression?”
Career progression in cybersecurity likely needs to be redefined, Hobson agrees. “It’s not just about climbing a narrow ladder toward the CISO role — there are limited seats at that level, and the field is evolving too quickly for that to be the only path.”
There are “multiple rewarding paths beyond the traditional CISO path,” she says, in areas including AI governance, architecture, and risk. Lateral growth through deep specialization in areas like privacy, threat modeling, and AI governance can be just as valuable and fulfilling, Hobson says.
Help functional leaders see meaning in their work
To prevent an exodus, CISOs must fundamentally shift their focus.
It’s not enough to recognize that functional leaders are overextended, Hobson says. “CISOs need to restructure workloads, prioritize development, and empower their teams to influence the organization strategically,” she says. “The high-stress role needs to be balanced with professional engagement.”
Like Malik, Hobson says CISOs should also “delegate meaningfully” to prevent burnout and give functional leaders real autonomy. “Nothing burns out a strong leader faster than being reduced to a messenger.”
The CISO’s role is to cultivate resilience, belonging, and knowledge in different pathways so leaders see meaning in their work and remain engaged, Hobson says.
“That starts with clarity — helping functional leaders understand how their responsibilities directly support business strategy and reinforcing that security should be a strategic advantage for every company,” she says.
“Our primary job is not just to manage risk, but to build a resilient, sustainable organization,” Fisher stresses. “That begins with protecting our people from burnout, championing the business value of security in the boardroom to secure necessary resources, and actively mentoring our managers into becoming the strategic leaders this industry needs.”