Is the CISO chair becoming a revolving door?

Published 2025-10-07, https://cybersecurityinfocus.com/?p=5245 (category: education)

CISO tenures average three years these days, according to Tom Chapman, co-founder of cybersecurity recruitment firm Icebergs, based on the candidates he has placed. In a profession where the stakes are sky-high and the fallout from a single mistake can be career-defining, it raises a critical question: are CISOs leaving faster than ever before, and why?

Fighting the three-year itch

It does differ from industry to industry, according to Chapman, who points out, for example, that a CISO at a startup, who most often wears multiple hats and oversees more than just security, tends to have a shorter stint of 18 months to two years.

He says the reasons vary, but burnout is often a common denominator. “In the startup space, it is very fast paced,” Chapman says. “There’s also often not a lot of systems in place already for CISOs to work off, so they have to build from scratch, and usually not with the largest budgets in the world. Startups often go, ‘Oh, we can just hire one person to do everything’, and then we’ll be secure. But that’s obviously not the case.”

By contrast, CISOs in larger organizations that have a few thousand employees globally, bigger budgets, and more resources tend to stay on longer.

“CISOs come into those organizations with a plan. Over two to three years they’ll implement their changes, hire people, set up new teams, and really build out security within the organization,” Chapman says. “But by year three … it reaches a stage of BAU and there’s none of that stuff that excites them … and they are looking around because they have achieved what they want to do. Then, they say they want to go and do that again for another organization.”

For the biggest organizations, such as global investment banks, retailers and e-commerce companies, CISO tenures can extend further. “Those folks at the much larger firms have teams that are two or three hundred people strong. There’s a lot more going on, more responsibilities, so they tend to stay longer because there’s more to do,” Chapman says.

Is the stress worth the sacrifice?

For others in the CISO role, including Fullpath CISO Shahar Geiger Maor, the issue is less about boredom and more about the constant strain. “At any time there may be a breach. You live under the assumption that something is going to go wrong, and it’s very stressful,” he says.

Geiger Maor also describes the job as fundamentally adversarial, pointing out that beyond the technical risk CISOs face, the soft skills the role demands and the company politics CISOs often encounter can also weigh heavily.

“A CISO is interacting with a lot of interfaces, and you need to have soft skills and communicate well with others. In many cases, you need to drive others to take action, and that’s super tedious. It’s very difficult to keep doing it over time,” Geiger Maor says. “In many cases, you’re in direct conflict with company goals and your goals. You’re like a salmon fish going upstream against everybody else. This makes it very difficult to keep a long tenure.”

Even downtime is elusive. Geiger Maor says that even when he’s on vacation, he takes his laptop and never disconnects from the company’s Slack channels. “That’s so basic for me,” he says. “When you go on vacation you can’t really disconnect. You – or at least part of you – needs to be back at work at all times because something can go wrong. It’s difficult, but it’s part of the role.”

Liability risk versus reward

That constant exposure to risk and blame is another reason some CISOs hesitate to take the role in the first place, according to Rona Spiegel, senior manager, security and trust, mergers and acquisitions at Autodesk and former cloud governance leader at Wells Fargo and Cisco.

“The bad guys, especially now with AI and automation, they’re getting more sophisticated, and they only have to be right once, but the CISO has to be right all day every day. They only have to be wrong once, and they get blamed … you’re an operational cost centre no matter what because you’re not bringing in revenue, so if something goes wrong … all roads lead to the CISO,” Spiegel says.

Spiegel says this is a residual risk that CISOs have long known about but are beginning to question, which ultimately affects their tenure. A BlackFog survey (https://www.blackfog.com/personal-liability-cybersecurity-leaders/) revealed that 70% of CISOs said that hearing stories of CISOs being held personally liable for cybersecurity incidents (https://www.csoonline.com/article/3631759/personal-liability-sours-70-of-cisos-on-their-role.html) has negatively affected their opinion of the role.

“What we do in cybersecurity is manage risk, so what CISOs do is share with the board, audit committee, the executive team, the likelihood and impact of an incident occurring and then recommend mitigating controls to offset that,” she says. “Then CISOs have to determine if the residual risk is something that they can accept because ultimately all the advice CISOs give is all forgotten when an incident occurs, even though it’s not intentional.”

Unsurprisingly, as Chapman notes, CISOs also weigh whether their salary is worth the risky position they put themselves in. “In London in particular, salaries are good for CISOs but not compared to the US. And then you weigh up: is it really worth it? That comes down to the individual, their risk appetite, and what drives them,” he says.

It’s more than just about the CISO title

Not everyone who leaves the CISO role does so because they are worn out, though. For many, it’s a matter of fit, motivation, and career direction. “I don’t believe in being a CISO for too long in a single place, because you become dull, your instincts are not that sharp,” Geiger Maor says. “Leading under continuous threat keeps you sharper.”

He also sees CISOs pivoting into related fields. “A career change can be that maybe you join a security vendor and be a salesperson or move into management roles. Others grow into larger CISO roles step by step. But I do see some colleagues that have just had enough. They’d rather earn less but live more.”

Chapman is also seeing a rise in fractional CISOs (https://www.csoonline.com/article/3977845/the-rise-of-vciso-as-a-viable-cybersecurity-career-path.html), brought in part-time to set up frameworks or oversee specific projects. “It really comes down to the individual,” he says. “Some want that top seat, speaking to the board, communicating risk. But I am also seeing some say, ‘It doesn’t have to be a CISO role.’”

Spiegel adds that for some, the secret is knowing when to move. “You need to get out when it’s not the right place to be. It’s just a matter of fit.”

The evolving role of a CISO

One trait that has emerged as a decisive factor in whether a CISO thrives or burns out in the role is communication. “It’s amazing how many clients tell me their biggest requirement is communication,” Chapman says. “Can this person communicate to the board, to other executives, to teams across the business? Communication is probably the number one trait they look for.”

At the same time, Spiegel argues that scars from incidents can be valuable. “Frankly, suffering a breach can be a badge of honour, and you learn a lot. If you’re hiring a CISO with a completely clean record, as far as you know, are they more experienced than those who have sat in the chair? Ultimately if you haven’t responded to a real incident, you’re not less valuable, but you’re not less valuable either of knowing how to respond.”

Despite the revolving door perception, Spiegel believes the profession is still maturing. “Working in this space, people are very supportive, and the competitive factor is relatively limited. People really want everyone and CISOs to be successful. We want to create some stability and standardisation around the space, so the industry, companies and customers we’re protecting know what they’re signing up for and can feel confident that it is a consistent and stable practice.”

So, are CISO tenures getting shorter? The answer is both yes and no. Across the board, CISOs face relentless responsibility, exposure to risk, and the sense that no amount of preparation can fully shield against blame. For some, that’s enough reason to walk away. For others, it’s fuel to take on the next challenge.