{"id":3427,"date":"2025-06-03T09:00:00","date_gmt":"2025-06-03T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3427"},"modified":"2025-06-03T09:00:00","modified_gmt":"2025-06-03T09:00:00","slug":"53-of-cyber-department-leaders-eyeing-the-exit","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3427","title":{"rendered":"53% of cyber department leaders eyeing the exit"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security department heads \u2014 those directly reporting to the CISO \u2014 are decidedly looking to leave their posts. But various factors, including a weak economy, are delaying their exoduses, which could give CISOs time to change their minds.<\/p>\n<p>According to the <a href=\"https:\/\/www.iansresearch.com\/resources\/press-releases\/detail\/ians-research-and-artico-search-unveil-the-2025-cybersecurity-staff-compensation-benchmark-report\">2025 IANS Cybersecurity Staff Compensation Benchmark Report<\/a>, the majority of functional department heads (53%) are contemplating a change of employment in the near future, versus 46% of middle managers and 40% of staff.\u00a0<\/p>\n<p>\u201cWhile these considerations do not always translate directly into actual attrition, they signal potential motivational challenges and underlying dissatisfaction with certain aspects of the job,\u201d IANS wrote in its report.<\/p>\n<p>\u201cThere\u2019s a lot of pent-up interest in changing jobs out there and getting ahead of the situation can help to prevent an exodus when more opportunities are available in the marketplace,\u201d said Nick Kakolowski, senior research director at IANS, noting that broad dissatisfaction is being met by a job market sufficiently slow to prevent significant movement.<\/p>\n<p>\u201cThis makes now a prime 
time to make lower-cost investments in retention to boost satisfaction and secure the loyalty of high performers to avoid the high costs of recruiting new talent when the market eventually opens up,\u201d he said.<\/p>\n<p>Ravi de Silva, CEO of compliance consulting firm de Risk Partners, argues that CISOs must adjust their thinking if they want to retain their direct reports in 2025.\u00a0<\/p>\n<p>\u201cIf you want to keep [those department heads], think like a founder, not a function. Give them ownership, not just oversight. People stay when they\u2019re building something that matters, not just protecting something that might break,\u201d\u00a0said de Silva, who until last year was the global head of compliance testing at Citi, a role he held for seven years. \u201cRetention isn\u2019t about perks. It\u2019s about purpose. If your team has no voice in shaping security culture, don\u2019t be surprised when they find a company that gives them one. They want agency, not just direction.\u201d<\/p>\n<p>Although burnout is often seen as <a href=\"https:\/\/www.csoonline.com\/article\/3631614\/cybersecurity-is-tough-4-steps-leaders-can-take-now-to-reduce-team-burnout.html\">a driving force behind job dissatisfaction<\/a>, de Silva disagrees.\u00a0<\/p>\n<p>\u201cThe problem isn\u2019t burnout. It\u2019s the bottleneck beneath the CISO. Mid-levels are carrying risk without being allowed to lead. If the only way forward is more pressure with no growth, they\u2019ll leave,\u201d de Silva said. \u201cDrop your top performers into cloud, fraud, or ops. It signals trust, builds range, and keeps them engaged. 
Boredom is a bigger flight risk than burnout.\u201d<\/p>\n<p>Moreover, Kakolowski notes that IANS research shows enterprise CISOs are staying in their roles much longer these days, so deputies with ambitions for the top security executive spot must wait longer or look elsewhere for their shot.<\/p>\n<h2 class=\"wp-block-heading\">Unique challenges to the security lead role<\/h2>\n<p>Mike Piekarski notes that a typically overlooked element for retaining department leads is cybersecurity group camaraderie, as teammates are often a key reason to enjoy the job. \u201cThey want to stay for each other. Encouraging them to explore things together, that builds a team vibe,\u201d said Piekarski, who, prior to running cybersecurity consulting firm BreachCraft, led the security engineering team at Disney and held a similar role with Comcast.<\/p>\n<p>\u201cI had a cyber team lead who was responsible for herding cats in our SOC and being a lead engineer on technical projects. He revealed that he did not like the managing of resources, but did like mentoring them and teaching them technical skills. And many of his engineering tasks became repetitive over time so he started feeling stagnant,\u201d Piekarski said. 
\u201cThat [leader] revealed to me that he had an interest in forensics and incident response so we put together a plan and budget to get him SANS training and a GCFA [GIAC Certified Forensic Analyst] where we carved out responsibilities for him to lead incident response processes.\u201d<\/p>\n<p>Piekarski said the move helped open an ongoing dialogue that resulted in shifting administrative duties to another resource to manage, while keeping the lead as a senior technical mentor for the team.<\/p>\n<p>\u201cI also began soliciting his input for internal strategies, to make him more included in leadership decisions and processes, even bouncing project plans off of him to vet them, which would not be a traditional part of his role but I believe demonstrated to him I valued his input and expertise,\u201d he said.<\/p>\n<p>Jay Bavisi, president of security certs and training company EC-Council, cautions that, as a retention strategy, training can sometimes have an adverse effect.<\/p>\n<p>\u201cTraining in cybersecurity usually improves retention if it\u2019s part of a broader talent development strategy,\u201d he said. But \u201cdone in isolation, it can backfire by making employees more marketable without giving them reasons to stay.\u201d<\/p>\n<p>One way to reduce dissatisfaction among functional heads is to avoid role creep, said Marcos Alves, CEO of AI cybersecurity vendor Hal-AI.\u00a0<\/p>\n<p>\u201cIt\u2019s common for team members to be assigned responsibilities that go well beyond their official job descriptions. This leads not only to financial dissatisfaction, but also to professional frustration \u2014 because when they succeed, it\u2019s not formally recognized. But when they make a mistake, well, you know how it goes,\u201d Alves said.<\/p>\n<p>\u201cAlways ensure alignment between official job roles and the actual responsibilities being carried out,\u201d he advised. 
\u201cIf necessary, meet with the professional and update their employment contract to reflect the expanded scope of their duties.\u201d<\/p>\n<p>Ed Skoudis, president of SANS Technology Institute, sees a related problem: \u201cSecurity professionals are being promoted into leadership roles where they feel unequipped, unsupported, or simply disinterested \u2014 yet there\u2019s little room for advancement elsewhere.\u201d\u00a0<\/p>\n<p>Worse, business directions, over which department heads have no say or control, can bring additional dissatisfaction to the role.<\/p>\n<p>\u201cBudget freezes, M&amp;A events, offshoring, shifting board priorities. None of these had anything to do with performance, yet they constantly loom over the role,\u201d said Colin Caird, founder of an AI app development firm called Numbers Station. \u201cIt\u2019s hard to turn \u2018nothing bad happened this quarter\u2019 into a compelling case for a raise or a promotion.\u201d<\/p>\n<p>Making that worse is the constant threat of key roles being outsourced, Caird said. \u201cEven at traditionally in-house-heavy Fortune 500s, there\u2019s growing pressure to hand off cybersecurity functions to MDR providers. That erodes both influence and job security for internal teams.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security department heads \u2014 those directly reporting to the CISO \u2014 are decidedly looking to leave their posts. But various factors, including a weak economy, are delaying their exoduses, which could give CISOs time to change their minds. 
According to the 2025 IANS Cybersecurity Staff Compensation Benchmark Report, the majority of functional department heads (53%) [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3417,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3427","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3427"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3427"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3427\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3417"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3427"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3427"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}