CISO tenures average just 18 to 26 months, compared with nearly five years for the broader C-suite, according to the CISO Workforce and Headcount 2023 Report from Cybersecurity Ventures. In a profession where the stakes are sky-high and the fallout from a single mistake can be career-defining, this raises a critical question: are CISOs leaving faster than ever before, and why?
Fighting the three-year itch
Tom Chapman, co-founder of cybersecurity recruitment firm Icebergs, has a bird’s-eye view of CISO career trajectories. Based on the candidates he has placed, he says three years is about the average tenure for CISOs these days.
It does differ from industry to industry, according to Chapman, who points out, for example, that a CISO at a startup, who most often wears multiple hats and oversees more than just security, tends to have a shorter stint of 18 months to two years.
He says the reasons vary, but burnout is often a common denominator. “In the startup space, it is very fast paced,” Chapman says. “There’s also often not a lot of systems in place already for CISOs to work off, so they have to build from scratch, and usually not with the largest budgets in the world. Startups often go, ‘Oh, we can just hire one person to do everything’, and then we’ll be secure. But that’s obviously not the case.”
By contrast, CISOs in larger organizations that have a few thousand employees globally, bigger budgets, and more resources tend to stay on longer.
“CISOs come into those organizations with a plan. Over two to three years they’ll implement their changes, hire people, set up new teams, and really build out security within the organization,” Chapman says. “But by year three … it reaches a stage of BAU and there’s none of that stuff that excites them … and they are looking around because they have achieved what they want to do. Then, they say they want to go and do that again for another organization.”
For the biggest organizations such as global investment banks, retailers, e-commerce companies, CISO tenures can extend further. “Those folks at the much larger firms have teams that are two or three hundred people strong. There’s a lot more going on, more responsibilities, so they tend to stay longer because there’s more to do,” Chapman says.
Is the stress worth the sacrifice?
For others in the CISO role, including Fullpath CISO Shahar Geiger Maor, the issue is less about boredom and more about the constant strain. “At any time there may be a breach. You live under the assumption that something is going to go wrong, and it’s very stressful,” he says.
Geiger Maor also described the job as fundamentally adversarial, pointing out that beyond the technical risk CISOs face, the soft skills the role demands and the company politics CISOs often have to navigate can also weigh heavily.
“A CISO is interacting with a lot of interfaces, and you need to have soft skills and communicate well with others. In many cases, you need to drive others to take action, and that’s super tedious. It’s very difficult to keep doing it over time,” Geiger Maor says. “In many cases, you’re in direct conflict with company goals and your goals. You’re like a salmon fish going upstream against everybody else. This makes it very difficult to keep a long tenure.”
Even downtime is elusive. Geiger Maor says that even when he’s on vacation, he takes his laptop and never disconnects from the company’s Slack channels. “That’s so basic for me,” he says. “When you go on vacation you can’t really disconnect. You – or at least part of you – needs to be back at work at all times because something can go wrong. It’s difficult, but it’s part of the role.”
Liability risk versus reward
That constant exposure to risk and blame is another reason some CISOs hesitate to take the role in the first place, according to Rona Spiegel, senior manager, security and trust, mergers and acquisitions at Autodesk and former cloud governance leader at Wells Fargo and Cisco.
“The bad guys, especially now with AI and automation, they’re getting more sophisticated, and they only have to be right once, but the CISO has to be right all day every day. They only have to be wrong once, and they get blamed … you’re an operational cost centre no matter what because you’re not bringing in revenue, so if something goes wrong … all roads lead to the CISO,” Spiegel says.
Spiegel highlights that this is a residual risk CISOs have long known about but are beginning to question, which is ultimately impacting their tenure. A BlackFog survey revealed that 70% of CISOs said that hearing stories of CISOs being held personally liable for cybersecurity incidents has negatively affected their opinion of the role.
“What we do in cybersecurity is manage risk, so what CISOs do is share with the board, audit committee, the executive team, the likelihood and impact of an incident occurring and then recommend mitigating controls to offset that,” she says. “Then CISOs have to determine if the residual risk is something that they can accept because ultimately all the advice CISOs give is all forgotten when an incident occurs, even though it’s not intentional.”
Unsurprisingly, as Chapman notes, CISOs also weigh whether their salary is worth the risky position they put themselves in. “In London in particular, salaries are good for CISOs but not compared to the US. And then you weigh up: is it really worth it? That comes down to the individual, their risk appetite, and what drives them,” he says.
It’s more than just about the CISO title
Not everyone who leaves the CISO role does so because they are worn out though. For many, it’s a matter of fit, motivation, and career direction. “I don’t believe in being a CISO for too long in a single place, because you become dull, your instincts are not that sharp,” Geiger Maor says. “Leading under continuous threat keeps you sharper.”
He also sees CISOs pivoting into related fields. “A career change can be that maybe you join a security vendor and be a salesperson or move into management roles. Others grow into larger CISO roles step by step. But I do see some colleagues that have just had enough. They’d rather earn less but live more.”
Chapman is also seeing a rise in fractional CISOs, brought in part-time to set up frameworks or oversee specific projects. “It really comes down to the individual,” he says. “Some want that top seat, speaking to the board, communicating risk. But I am also seeing some say, ‘It doesn’t have to be a CISO role.’”
Spiegel adds that for some, the secret is knowing when to move. “You need to get out when it’s not the right place to be. It’s just a matter of fit.”
The evolving role of a CISO
One trait that has emerged as a decisive factor in whether a CISO thrives or burns out in the role is communication. “It’s amazing how many clients tell me their biggest requirement is communication,” Chapman says. “Can this person communicate to the board, to other executives, to teams across the business? Communication is probably the number one trait they look for.”
At the same time, Spiegel argues that scars from incidents can be valuable. “Frankly, suffering a breach is a candy badge of honour, and you learn a lot. If you’re hiring a CISO with a completely clean record, as far as you know, are they more experienced than those who have sat in the chair? Ultimately if you haven’t responded to a real incident, you’re not less valuable, but you’re not less valuable either of knowing how to respond.”
Despite the revolving door perception, Spiegel believes the profession is still maturing. “Working in this space, people are very supportive, and the competitive factor is relatively limited. People really want everyone and CISOs to be successful. We want to create some stability and standardisation around the space, so the industry, companies and customers we’re protecting know what they’re signing up for and can feel confident that it is a consistent and stable practice.”
So, are CISO tenures getting shorter? The answer is both yes and no. Across the board, CISOs face relentless responsibility, exposure to risk, and the sense that no amount of preparation can fully shield them from blame. For some, that’s enough reason to walk away. For others, it’s fuel to take on the next challenge.