{"id":5917,"date":"2025-11-24T07:00:00","date_gmt":"2025-11-24T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5917"},"modified":"2025-11-24T07:00:00","modified_gmt":"2025-11-24T07:00:00","slug":"the-cisos-greatest-risk-department-leaders-quitting","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5917","title":{"rendered":"The CISO\u2019s greatest risk? Department leaders quitting"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>It\u2019s a familiar refrain: too much work and not enough compensation and recognition. Yet, while CISOs have seen their <a href=\"https:\/\/www.csoonline.com\/article\/3626973\/cisos-embrace-rise-in-prominence-with-broader-business-authority.html\">role grow in prominence and responsibility<\/a>, the same cannot be said of functional security leaders who are being asked to do more \u2014 but are not reaping the benefits.<\/p>\n<p>Unsurprisingly, this is causing increased job dissatisfaction with career progression and more readiness to exit. For CISOs, this presents a significant risk: If midlevel security managers feel overburdened and under-recognized, the ripple effects can undermine resilience, continuity, and innovation. 
At a time when cyberattacks continue to grow increasingly sophisticated and trickier to remediate, CISOs cannot risk <a href=\"https:\/\/www.csoonline.com\/article\/3998246\/53-of-cyber-department-leaders-eyeing-the-exit.html\">functional leader defection<\/a>.<\/p>\n<p>\u201cAn increased expectation is being placed on functional cyber leaders because they are not only being asked to protect systems but also enable business outcomes \u2014 all while managing new regulatory demands, complex technology stacks, and limited resources,\u2019\u2019 says <a href=\"https:\/\/www.linkedin.com\/in\/carol-lee-hobson\/\">Carole Lee Hobson<\/a>, CISO of PayNearMe.<\/p>\n<p>This includes an expanded attack surface with cloud, SaaS, and AI, leaving functional cyber leaders accountable for risks in their third-party dependencies they can\u2019t fully control, Hobson notes. \u201cCombine that with the 24\/7 nature of the job and hybrid work environments, and it\u2019s no surprise burnout is escalating.\u201d<\/p>\n<p>Some 66% of cybersecurity professionals say their role is more stressful now than five years ago, with 63% citing the complex threat landscape as their top stressor, according to ISACA\u2019s latest <a href=\"https:\/\/www.isaca.org\/state-of-cybersecurity\">State of Cybersecurity Report<\/a>. 
Further, more than half (55%) of cybersecurity teams are understaffed, and 65% have unfilled cybersecurity positions, the survey found.<\/p>\n<h2 class=\"wp-block-heading\">Systemic issues continue<\/h2>\n<p>The trend of talented and dedicated functional security leaders quietly eyeing the exit is not an anomaly \u2014 it\u2019s a predictable outcome of systemic issues that have been building within the profession for years, says <a href=\"https:\/\/centricconsulting.com\/team\/brandyn-fisher\/\">Brandyn Fisher<\/a>, V-CISO capability lead\u00a0at Centric Consulting.<\/p>\n<p>\u201cAs CISOs, we are seeing our most critical layer of management, our directors and senior managers, burn out,\u2019\u2019 Fisher says. \u201cThis isn\u2019t happening in a vacuum. It\u2019s the result of a dangerous convergence of unrealistic expectations, resource starvation, and a fundamentally broken career model.\u201d<\/p>\n<p>Security leaders operate on an unsustainable premise, Fisher says. \u201cWe expect our leaders to be right every single time, while an attacker only needs to be right once. This creates a culture of hyper-vigilance that is simply not sustainable 24\/7\/365.\u201d<\/p>\n<p>Teams are expected to be on-call through holidays and weekends, often without commensurate pay, and because a <a href=\"https:\/\/www.csoonline.com\/article\/3829440\/managing-the-emotional-toll-cybersecurity-incidents-can-take-on-a-team.html\">major incident can mean a four- to six-week response<\/a>, personal lives are put on hold, he notes.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/monika-malik\/\">Monika Malik<\/a>, lead data\/AI software engineer at AT&amp;T, doesn\u2019t hold back on why functional leaders may be looking to defect. Too often, they are held accountable for projects, yet not given autonomy to make roadmap, staffing, and budget decisions, she says.<\/p>\n<p>\u201cSecurity leaders experience burnout when they own the risk and have no roadmap,\u2019\u2019 Malik says. 
On top of that, there is chronic stress and \u201cbreach panic, pager fatigue, and breach aftermath dumpster fires, [which] lead to burnout quicker than compensation can mitigate,\u2019\u2019 Malik says.<\/p>\n<p>Fisher agrees: \u201cThis immense pressure is compounded by a lack of control. A security leader is often the scapegoat for failures originating elsewhere in the organization \u2014 a single clicked link by a user, a vulnerability pushed by a development team, or a poor decision by a high-level executive.\u201d<\/p>\n<p>Functional security leaders are held accountable for defending against threats within environments where they have limited visibility, he says. This means they are \u201cfighting an invisible war on behalf of stakeholders who often don\u2019t understand the stakes.\u201d<\/p>\n<p>Another issue is <a href=\"https:\/\/www.csoonline.com\/article\/2515727\/6-tips-for-consolidating-your-it-security-tool-set.html\">tool creep<\/a>, with 40-plus security tools managing the same alerts and poor integrations, Malik says. There is also \u201crole overload and context switching\u201d on projects, as well as relentless audit cycles, reviews, and meetings, which Malik says leaves little time for career development. \u201cMany organizations have a CISO plus a flat layer of \u2018heads of X\u2019\u201d who don\u2019t always have a clear path to moving into higher levels, she says.<\/p>\n<p>And CISOs are <a href=\"https:\/\/www.csoonline.com\/article\/2092097\/are-you-a-toxic-cybersecurity-boss-how-not-to-be-a-badly-behaved-ciso.html\">constantly asking their leaders to do more with less<\/a>, Fisher adds. \u201cAs cybersecurity is still widely viewed as a cost center rather than a business enabler, budgets are the first to be slashed while the threat landscape grows exponentially,\u2019\u2019 he says. 
\u201cThis places managers in the impossible position of being responsible for mitigating enterprise-level risk without the necessary funding for tools or talent.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What CISOs can and should be doing<\/h2>\n<p>The situation isn\u2019t hopeless; there are steps CISOs can and should take to help avoid defections. It\u2019s a matter of making staff a priority. PayNearMe\u2019s Hobson says CISOs need to ask themselves whether functional security leaders are wearing too many hats with too few opportunities to advance, and if they are <a href=\"https:\/\/www.csoonline.com\/article\/4015173\/how-cisos-are-training-the-next-generation-of-cyber-leaders.html\">doing enough to nurture<\/a> and retain them.<\/p>\n<p>\u201cCIOs should be asking tough questions about leadership pipelines, succession planning, and the cultural dynamics within their security teams,\u2019\u2019 she says. \u201cIf we want to build sustainable security leadership, we need to understand \u2014 and address \u2014 why so many are eyeing the exit.\u201d<\/p>\n<p>Retention should be thought of as a program that requires additional operating model iterations, rather than something static, according to Malik. She suggests that CISOs implement a <a href=\"https:\/\/www.cio.com\/article\/287088\/project-management-how-to-design-a-successful-raci-project-plan.html\">responsible, accountable, consulted, and informed (RACI)<\/a> project management tool and give functional security leads authority over their systems.<\/p>\n<p>They should also be given career paths that include promotion rubrics and \u201csponsorship \u2014 not mentorship \u2014 at the executive level, with visibility and board-facing opportunities,\u2019\u2019 Malik says.<\/p>\n<p>A portion of compensation should be tied to risk contributions, for example, time-to-patch statistics, instead of audit fail\/success factors, she adds. 
There also needs to be \u201ctool and telemetry sanity,\u201d which would require CISOs to consolidate vendors and implement a \u201cquarterly kill-switch: If your tool is not reducing MTTR\/false positives by date and tool objectives \u2026 retire or re-scope the tool as per worst-case expectations.\u201d<\/p>\n<p>Centric Consulting\u2019s Fisher thinks success should be tracked by prevention of downtime and system protection, rather than reacting to an incident. At one company he worked at, when the security team started posting data on risk reduction on its dashboards, engagement increased and turnover declined.<\/p>\n<p>\u201cIt increased the visibility of work, which renewed the motivation within teams,\u2019\u2019 he says, adding that it is not often security professionals will leave due to pressure. \u201cThey abandon due to the disappearance of their results behind the lack of crisis.\u201d They would more likely feel invested if prevention was used as a metric, Fisher says, \u201cand make security a quantifiable growth aspect rather than an unspoken background role.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Is the CISO role something to aspire to?<\/h2>\n<p>Asking functional leaders to do more \u201cis a direct reflection of the CISO\u2019s own struggle for influence,\u201d Fisher observes. When a CISO sits under an <a href=\"https:\/\/www.csoonline.com\/article\/567355\/6-signs-the-cio-ciso-relationship-is-broken-and-how-to-fix-it.html\">unreceptive CIO or COO<\/a> and does not have a seat at the executive table, they cannot effectively advocate for their team\u2019s needs, he says.<\/p>\n<p>\u201cThis powerlessness trickles down. Managers are left to enforce policy and execute on a strategy they had no input on, with a team that is understaffed and under-equipped for the task,\u2019\u2019 Fisher says. 
\u201cThey carry the responsibility for failure without the authority or resources to ensure success.\u201d<\/p>\n<p>Perhaps the most critical issue is that \u201cambitious security managers are looking up the ladder and <a href=\"https:\/\/www.csoonline.com\/article\/4016334\/has-ciso-become-the-least-desirable-role-in-business.html\">seeing a role they do not want<\/a>,\u2019\u2019 he adds. \u201cThey see their CISO, buried in a 24\/7 cycle of stress, personally liable without the same protections as other executives, and struggling to find time for the strategic thought leadership the role demands.\u201d<\/p>\n<p>What\u2019s worse is that many see a leadership bottleneck, Fisher says. He believes there is a propensity to promote the best technical experts into the CISO role.<\/p>\n<p>\u201cWhile their hands-on experience is valuable,\u201d he acknowledges, \u201cmany lack the strategic perspective, business acumen, and leadership skills to build a mature security program and mentor the next generation of leaders. For the aspiring manager who wants to grow into a <a href=\"https:\/\/www.csoonline.com\/article\/4080670\/what-does-aligning-security-to-the-business-really-mean.html\">business-aligned strategist<\/a>, this creates a career ceiling. Why stay and fight an uphill battle for a midlevel salary that doesn\u2019t match the required experience, only to report to a leader who cannot pave the way for meaningful career progression?\u201d<\/p>\n<p>Career progression in cybersecurity likely needs to be redefined, Hobson agrees. \u201cIt\u2019s not just about climbing a narrow ladder toward the CISO role \u2014 there are limited seats at that level, and the field is evolving too quickly for that to be the only path.\u201d<\/p>\n<p>There are \u201cmultiple rewarding paths beyond the traditional CISO path,\u2019\u2019 she says, in areas including AI governance, architecture, and risk. 
Lateral growth through deep specialization in areas like privacy, threat modeling, and AI governance can be just as valuable and fulfilling, Hobson says.<\/p>\n<h2 class=\"wp-block-heading\">Help functional leaders see meaning in their work<\/h2>\n<p>To prevent an exodus, CISOs must fundamentally shift their focus.<\/p>\n<p>It\u2019s not enough to recognize that functional leaders are overextended, Hobson says. \u201cCISOs need to restructure workloads, prioritize development, and empower their teams to influence the organization strategically,\u201d she says. \u201cThe high-stress role needs to be balanced with professional engagement.\u201d<\/p>\n<p>Like Malik, Hobson says CISOs should also \u201c<a href=\"https:\/\/www.cio.com\/article\/405251\/the-art-of-delegating-6-tips-for-it-leaders.html\">delegate meaningfully<\/a>\u201d to prevent burnout and give functional leaders real autonomy. \u201cNothing burns out a strong leader faster than being reduced to a messenger.\u201d<\/p>\n<p>The CISO\u2019s role is to cultivate resilience, belonging, and knowledge in different pathways so leaders see meaning in their work and remain engaged, Hobson says.<\/p>\n<p>\u201cThat starts with clarity \u2014 helping functional leaders understand how their responsibilities directly support business strategy and reinforcing that security should be a strategic advantage for every company,\u2019\u2019 she says.<\/p>\n<p>\u201cOur primary job is not just to manage risk, but to build a resilient, sustainable organization,\u2019\u2019 Fisher stresses. \u201cThat begins with protecting our people from burnout, championing the business value of security in the boardroom to secure necessary resources, and actively mentoring our managers into becoming the strategic leaders this industry needs.\u201d\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>It\u2019s a familiar refrain: too much work and not enough compensation and recognition. 
Yet, while CISOs have seen their role grow in prominence and responsibility, the same cannot be said of functional security leaders who are being asked to do more \u2014 but are not reaping the benefits. Unsurprisingly, this is causing increased job dissatisfaction [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5918,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5917","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5917"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5917"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5917\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5918"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5917"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5917"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5917"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}