Even the most seasoned CISOs sometimes run into insurmountable roadblocks at their organizations. Despite their best efforts at building relationships, and even with their technical depth and business acumen, they can’t garner the support needed to protect their organizations — and themselves — from pending disaster.
In the big picture, CISO roles are hard, and so the majority of CISOs switch jobs every two to three years or less. Lack of support from senior leadership and lack of budget commensurate with the organization’s size and industry are top reasons for this CISO churn, according to The life and times of cybersecurity professionals report from the ISSA.
More specifically, CISOs leave on account of limited board engagement, high accountability with insufficient authority, executive misalignment, and ongoing barriers to implementing risk management and resilience, according to an ISSA spokesperson.
Many of these roadblocks are common across industries, so how does a CISO know when it’s time to move on?
They look for the flags.
Red flag: Paying lip service
A common red flag, and a common reason CISOs leave their jobs, is leadership paying “lip service” to auditors, customers and competitors, says FinTech CISO Marius Poskus, a popular blogger on security leadership who posted an essay about resigning from “security-theater roles.”
So, even before signing on to a new job, Poskus suggests looking at the recent events preceding the organization’s decision to hire its first-ever CISO. “I see this often. Usually after an impactful breach, they negotiate fines down by saying they’ll hire their first CISO. In fact, a friend in New Zealand reached out to me today with just such a story,” he tells CSO.
Other indicators that executives are paying lip service to security include constant resource denials, lack of risk ownership, and failure to sign off on identified risks at the top level, leaving the CISO exposed. To this end, Poskus shared a security executive charter that outlines senior executives’ responsibilities and accountability for the cybersecurity program.
And, since lack of access to the board is a top-cited reason for leaving, Poskus says to look for problematic reporting lines that block access to executives, such as through a boss who refuses to report issues and requests to executives.
Red flag: Cognitive disconnect
Lack of access to executives and the board comes up repeatedly in Cybersecurity Ventures reports as a top reason CISOs decide to leave their jobs, according to Steve Morgan, founder of Cybersecurity Ventures. He cites lack of support as another top reason CISOs leave.
Splunk’s 2025 CISO report found that 29% of respondents felt they had an adequate budget, compared with 41% of board members who felt cybersecurity budgets were adequate.
This cognitive disconnect was clear in Nawab Kabir’s case. He turned down a full-time CISO role to become a fractional CISO after a merger left him reporting to an IT director rather than to the CEO, as he previously had. “One of the key red flags for CISOs is if their boss, usually the CIO or CTO, repeatedly blocks attempts to escalate missions to the CEO by downplaying the real risk, asking the CISO to accept that risk, and saying that the CEO simply doesn’t care. So, the risk never gets mentioned in executive leadership meetings,” Kabir says.
After the merger, the initiatives and intervention strategies he developed never got past the director of IT (who came from the merger) to executive leadership. So, Kabir knew it was time to leave. “That’s one of the reasons I became a fractional cybersecurity leader, which I love because now I’m being hired to make a difference at my client companies.”
Red flag: Pushing ethical boundaries
Above all of these, the biggest red flag is when leadership pushes against your professional and personal ethics: for example, when a CEO or board wants to conceal compliance gaps, cover up reportable breaches, and refuses to sign off on responsibility for gaps and reporting failures they’ve been made aware of. “This happens more often than we know because most CISOs won’t make public what happened behind the scenes that made them quit, especially when they’re looking for new jobs,” Poskus explains. “Your integrity is your most important asset, so that’s the biggest red flag when we talk about leaving a role rather than staying and fighting.”
In these types of scenarios, the CISO likely lacks critical allies within the organization. Acknowledge this sense of vulnerability, Poskus advises, because it’s a huge red flag. Human resources and legal teams in these situations won’t help because they owe their loyalty to the business, he adds.
Such was the case with former Uber CISO Joe Sullivan, who was thrown under the bus by Uber’s shady leadership after a 2016 breach. In contrast, SolarWinds CISO Tim Brown felt fully supported after a historic supply chain hack in 2020 spread to 18,000 business clients through the patch update system for its Orion network management product.
“Joe was in such a difficult situation. The company was aggressive towards him, which was so different from my experience at SolarWinds,” says Brown, who had responded to the breach.
Green flag: They have your back
In contrast to Sullivan’s employer, Brown shares that everyone involved in responding to the SolarWinds breach — from IT responders to communications, legal, and executives — felt the same way he did in terms of making things right for clients and regulators. “My situation was difficult, but manageable in many ways because of that support from my team. From day one, we had no question about doing the right thing. We decided on transparency to our customers all the way through the SEC filings,” Brown explains.
Even as a new CEO came on board under a planned transition shortly after the breach, and as the SEC charged SolarWinds and Brown with fraud over statements certifying SolarWinds’ security shortly before the sophisticated supply-chain hack occurred, Brown has felt ongoing support.
Given his access to the board and CEO, Brown knew well before the breach that the company had his back. He also points to another green flag: the company’s commitment to tabletop exercises simulating impactful breaches. Throughout the practice scenarios, teams worked together under a customer-centric mandate that advocated transparency and education, the same playbook they followed in the 2020 breach.
Ultimately, the SEC dropped its charges against Brown, and in November, he attended a virtual toast in his honor to celebrate the SEC dropping the case against him “without prejudice.” More than 200 CISOs of top companies joined, including co-host Joe Sullivan. As Brown had hoped, the entire experience provided teachable moments to help push the CISO role up the maturity curve.
Changing internal mindsets
As CISOs burn out or leave under stressful circumstances, many turn to fractional work as Kabir has. And, in his case, working with new clients gives him plenty of opportunities to turn red flags into green flags.
For example, he points to lack of board access and resources. In many cases he steps into, the former cybersecurity leaders didn’t understand the business and talked technically over their executives’ heads. As a result, he’s had to convert fatigued, resistant executive teams that don’t want to repeat those experiences with a new cybersecurity leader.
For these clients, he likes to call “all hands” to a meeting and conduct what he calls interactive “business continuity stress tests”: tabletop scenarios that impact a revenue-generating activity. “Take manufacturing: if this machine is down for six to eight hours, what would be our revenue costs associated with this downtime? That gets attention,” Kabir says. “Then finance starts talking within their teams and it goes beyond that to the CEO because now it’s seen as a business issue.”
CISOs, then, can change culture to turn a red flag into a green flag. But knowing when and how to do so depends on the indicators mentioned above. Even in a fractional role, CISOs should still expect some of their clients to try to compromise their ethics by, for example, covering up findings. Fortunately, that red flag usually reveals itself early in the audit, when executives and business units appear afraid to answer questions, as if trying to hide something.
“A lot of red flags have to do with lack of security culture or mismatch in understanding the risk tolerance of the company and what the actual risks are. This red flag goes beyond: If they don’t want to be questioned about what they’ve done so far, that is a huge red flag that they’re covering something up,” Kabir explains.
To be safe, he carries indemnity insurance and retains his own legal counsel — as should all CISOs with large enough salaries who report to the board and C-suite. Because, as in the case of Joe Sullivan and many other examples that go unreported, CISOs can’t count on their organizations to have their backs legally or professionally should the big one hit — especially if those executives, by virtue of their unresponsiveness and lack of support, are the cause of it.