{"id":14401,"date":"2025-07-07T07:07:05","date_gmt":"2025-07-07T07:07:05","guid":{"rendered":"https:\/\/newestek.com\/?p=14401"},"modified":"2025-07-07T07:07:05","modified_gmt":"2025-07-07T07:07:05","slug":"has-ciso-become-the-least-desirable-role-in-business","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14401","title":{"rendered":"Has CISO become the least desirable role in business?"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n
\n

After nine years as CSO and senior vice president of IT at Sumo Logic, George Gerchow had had enough. The job was stressful and he was burnt out. So, after some soul searching, he took a different job \u2014 as head of trust \u2014 at MongoDB. Not long after he arrived, the CISO quit, \u201cwhich is a pattern that I\u2019m seeing over and over again,\u201d Gerchow says.<\/p>\n

Then, Gerchow became the interim CISO.<\/p>\n

\u201cIt reinspired me to have the job,\u201d Gerchow recalls. \u201cAll my juices started flowing again.\u201d But it took Gerchow a few months to realize that being a CISO was what he still wanted to do; a view he says not many of his peers shared.<\/p>\n

\u201cI\u2019ve never seen more of my colleagues leave the role \u2026 within past two years,\u201d he says.<\/p>\n

Being a CISO today is not for the faint of heart. To paraphrase Rodney Dangerfield, CISOs (some, anyway) get no respect.<\/p>\n

You\u2019d think in a job where perpetual stress over the threat of a cyberattack is the norm, there would be empathy for security leaders. Instead, they face the growing challenge of trying to elicit support across departments and managing security threats, according to a recent report<\/a> from WatchGuard.<\/p>\n

To add insult to injury, \u201c<\/strong>As regulatory and policy demands grow, including requirements for the CISO to personally certify the cybersecurity integrity of their business, they will face greater personal accountability and legal risk in 2025 and beyond,\u201d the report notes.<\/p>\n

The tensions of the job don\u2019t stop there. Like Gerchow experienced, CISOs are facing increased burnout<\/a>. They also have the heightened pressure of trying to reduce turnover<\/a> and finding qualified candidates willing to tackle the role. It begs the question, has the CISO role become the least desirable job in business?<\/p>\n

For Gerchow, the answer is unequivocally, yes.<\/p>\n

Structurally underpowered<\/h2>\n

A lot of the problems CISOs encounter have to do with the reporting structure<\/a>, and the fact that the role is \u201cburied layers below\u201d others in the C-suite, Gerchow notes.<\/p>\n

\n
\n

George Gerchow, CSO, Bedrock Security<\/p>\n<\/figcaption><\/figure>\n

George Gerchow \/ Bedrock Security<\/p>\n<\/div>\n

\u201cI\u2019ll never report to a CTO or CFO again. I have to have seat at the table,\u201d he says emphatically. Otherwise, he says, you become frustrated \u201cbecause you\u2019re not in control of your own destiny. You\u2019re parsing everything to this other person who\u2019s a leader in the company \u2014 and you potentially have the riskiest job in the entire organization.\u201d<\/p>\n

Maggie Myers, a managing consultant at Korn Ferry, recently spoke with a CISO who told her the pressure has never been higher and the control has never felt lower<\/a>. \u201cI think in many cases [the CISO role has] become unsustainable,\u201d Myers says.<\/p>\n

Echoing Gerchow, she adds, \u201cThe reason why has a lot to do with how it\u2019s structured. I think that\u2019s the real issue here. The script is changing a little bit,\u201d but CISOs are still expected to manage risk.<\/p>\n

It\u2019s no secret CISOs are under tremendous pressure. \u201cThey\u2019ve got the regulatory scrutiny, they\u2019ve got public visibility,\u201d along with the increasing complexity of threats, and \u201cAI is just adding to that fire, and the mismatch between the accountability and the authority,\u201d says Myers, who wrote \u201cThe CISO Dilemma<\/a>,\u201d which explores CISO turnover rates and how companies can change that moving forward.<\/p>\n

Often, CISOs don\u2019t have the mandate to influence the business systems or processes that are creating that risk, she says. \u201cI think that\u2019s a real disconnect and that\u2019s what\u2019s really driving the burnout and turnover.\u201d<\/p>\n

For Amit Basu, vice president, CIO, and CISO of International Seaways, the problem is that \u201cCISOs often lack formal indemnification, clear governance authority, or tailored [directors and officers<\/a>] protection,\u201d he says. \u201cIn many cases, the CISO is tasked with managing enterprise risk while remaining structurally underpowered to influence it fully.\u201d<\/p>\n

It is this imbalance that is driving burnout, turnover, and growing reluctance among senior cybersecurity leaders to step into or remain in these roles, Basu believes.<\/p>\n

A lack of support<\/h2>\n

On the flip side, Corey Nachreiner, CISO\/CSO at WatchGuard, doesn\u2019t believe the CISO is the most undesirable role. Yet, he adds, being a CISO \u201ccan often feel like trying to win a game of dodgeball with one arm tied behind your back. You\u2019re expected to thwart every cybersecurity threat without always having the resources or support to do so effectively.\u201d<\/p>\n

Nachreiner cites a survey from\u00a0Nominet<\/a> that finds 91% of CISOs suffer moderate to high stress. \u201cThe job involves a perpetual cycle of stress, knowing a cybersecurity incident could hit anytime,\u201d he says. \u201cThreat actors grow more cunning, and even nation states take aim at civilian companies. Yet, the true challenge lies in how businesses often see cybersecurity as a necessary evil rather than a top priority. It\u2019s as if the CISO\u2019s motto is, \u2018All risk, little reward.\u2019\u201d\u00a0<\/p>\n

\n
\n

Corey Nachreiner, CISO\/CSO, WatchGuard<\/p>\n<\/figcaption><\/figure>\n

WatchGuard<\/p>\n<\/div>\n

Gerchow says another factor making the job undesirable is that the CISO is being asked to do more than ever<\/a>. For example, in addition to other regulations, CISOs must now ensure their organizations comply with the Digital Operational Resilience Act (DORA)<\/a>, an EU regulation focused on strengthening financial entities\u2019 digital resilience.<\/p>\n

The added scrutiny of DORA<\/a>, Gerchow says, is \u201ccrushing companies.\u201d<\/p>\n

Human vs. position problem<\/h2>\n

Some CISOs are stepping back from operational roles into more advisory ones. Patricia Titus, who recently took a position as a field CISO at startup Abnormal AI after 25 years as a CISO, does not think the CISO role has become less desirable. \u201cThe regulatory scrutiny has been there all along,\u201d she says. \u201cIt\u2019s gotten a light shined on it. \u2026 Regulators may be getting smarter and asking more direct questions.\u201d\u00a0<\/p>\n

Titus attributes the increased burnout to the fact that \u201cwe\u2019re not doing a good job of balancing. That to me is a human problem versus a position problem.\u201d<\/p>\n

This is an issue in other C-level positions as well, she notes. \u201cThe question in my mind is, Are CISOs at the point where the position needs to be elevated to the right level,\u201d with the \u201cright support from your leadership?\u201d<\/p>\n

Titus has seen burnout occur when there isn\u2019t good succession planning and \u201cpeople are hoarding the power versus sharing the responsibility.\u201d She recalls one security job she was in that caused \u201cstress-induced eczema, and my health was a hot mess, and I had to make some conscious decisions about what to do about that.\u201d<\/p>\n

In her dealings with another leader at the time, Titus says she \u201ctried everything in my bag of tricks to make the relationship better, stronger, and healthier.\u201d But it got to the point where \u201cI felt this person and I aren\u2019t going to see eye to eye and that\u2019s where you agree to disagree.\u201d Ultimately, she left the company and found \u201ca better job.\u201d<\/p>\n

If you\u2019re running a strong security program, Titus says, the CISO should be able to say where the strengths and weaknesses are.<\/p>\n

\u201cI believe this job is an exciting job and requires a person who is multidisciplined. You have to use critical thinking skills, you have to understand the business,\u201d she says. \u201cIt\u2019s not the CISO job of 20 years ago. It\u2019s an evolving field and position.\u201d<\/p>\n

Her role is to bring her expertise to help customers with problems in an advisory capacity.
Although Titus no longer has operational responsibility, she says she still feels \u201cvery wed to making sure that we\u2019re protecting customer data\u201d and helping the newly hired CISO.<\/p>\n

The company also has a second field CISO and a total of four people who are security professionals. \u201cTo me, that\u2019s the best of all worlds.\u201d<\/p>\n

She believes the CISO role is undesirable in companies that have seen a lot of job cuts coupled with the economic downturn and financial struggles. When the CISO also has to let people go, that can create an extremely stressful situation, she says.<\/p>\n

\u201cThat\u2019s where I could see CISOs say, \u2018I have to get out of here,\u2019\u201d Titus says. \u201cHave I been in positions where I feel I have been set up for failure? If I said no that would be a lie.\u201d<\/p>\n

While companies focus on their core business operations, a savvy CISO will aim to support that with minimal risk, WatchGuard\u2019s Nachreiner says. \u201cBut the Catch-22 is that tackling this requires money and human capital, which are often in short supply,\u201d he says. \u201cAs budgets tighten, security becomes the proverbial belt to be tightened further.\u201d<\/p>\n

Like Titus, Nachreiner says cybersecurity is fundamentally a human challenge, and all employees must do their part. \u201cYet, motivating them can feel like herding cats, particularly when their plates are already full. Lack of collaboration can sap morale faster than a data breach.\u201d<\/p>\n

An association for CISOs<\/h2>\n

The fact that there is discussion about the CISO role becoming the least desirable in business today reflects a growing tension many CISOs are feeling, observes International Seaways\u2019 Basu. \u201cWhile the role has never been more critical to an enterprise, it has also never carried more personal risk, pressure, or ambiguity,\u201d he says.<\/p>\n

With the evolution of the CISO<\/a> from a back-office technical guardian into a strategic risk leader has come increased visibility, but also \u201cdisproportionate scrutiny and lack of protection,\u201d Basu maintains. \u201cCISOs now face the prospect of personal liability, criminal exposure, and reputational damage for decisions made within complex, often under-resourced environments, many of which fall outside their direct control.\u201d<\/p>\n

Recent enforcement actions and legal precedents have made it clear that regulators are no longer satisfied with corporate accountability and are holding individuals responsible<\/a>, he adds.<\/p>\n

\u201cBut the answer is not to undermine the position; it requires formalizing legal protections, defining authority and reporting lines, and recognizing cybersecurity leadership as a profession \u2014 complete with accreditation, ethical codes, standard operating procedures, and peer support,\u201d Basu says.<\/p>\n

\n
\n

Amit Basu, VP, CIO, and CISO, International Seaways<\/p>\n<\/figcaption><\/figure>\n

International Seaways<\/p>\n<\/div>\n

\u201cA CISO with standards, accreditation, legal backing, and a professional community is an enterprise asset, but a CISO without protection is a vulnerability.\u201d<\/p>\n

Furthermore, the CISO role \u201cremains inconsistently defined across industries, and in far too many organizations, CISOs are held accountable without being granted the requisite authority, resources, or legal protections,\u201d he says.<\/p>\n

For those reasons, Basu is helping to establish a professional association for CISOs modeled on entities like the Bar Association or the Society of CPAs. It is calledThe Professional Association of CISOs (PAC)<\/a>, and the goal is to formalize the profession through standardized accreditation, advocate for legal protections, and foster a strong, supportive peer network.<\/p>\n

\u201cIt\u2019s time this critical leadership role is afforded the structure and recognition it rightfully deserves,\u201d Basu says.<\/p>\n

The CISO role is not becoming undesirable because it lacks relevance, he says. \u201cOn the contrary, it is vital to the future of enterprise trust and resilience. It is undesirable only when we fail to match responsibility with protection. If we want to attract and retain top talent in these roles, we must build the guardrails that allow CISOs to operate with authority, integrity, and confidence.\u201d<\/p>\n

The silver lining<\/h2>\n

These issues aren\u2019t insurmountable, says WatchGuard\u2019s Nachreiner. \u201cRealizing that the CISO role is more human-centric and political than technical is key. It\u2019s not just about wizardry with network defenses; it\u2019s convincing the board to greenlight projects that don\u2019t immediately boost profits, rallying department heads to embrace security measures, and nudging employees to tweak their everyday habits,\u201d he says.<\/p>\n

If you thrive in an environment where your curiosity is never satisfied, you\u2019re always thinking a step ahead, and every day is different, the CISO role remains ideal, says Abnormal AI\u2019s Titus. \u201cEvery day you\u2019re learning new things about the field and every day there\u2019s constant innovation happening, making my job better and faster,\u201d she says.<\/p>\n

\u201cAt the end of the day, while the CISO role is demanding, with the right mindset and approach, it remains a critical and rewarding position filled with potential to drive meaningful change,\u201d agrees Nachreiner.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

After nine years as CSO and senior vice president of IT at Sumo Logic, George Gerchow had had enough. The job was stressful and he was burnt out. So, after some soul searching, he took a different job \u2014 as head of trust \u2014 at MongoDB. Not long after he arrived, the CISO quit, \u201cwhich is a pattern that I\u2019m seeing over and over again,\u201d… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14401","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14401","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14401"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14401\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14401"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14401"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14401"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}