The “great CISO resignation” isn’t what it looks like: a hype-free, data-driven, in-depth look at the evolution and challenges of security leaders
Looking at the CISO turnover at large enterprises, examining whether the “great CISO resignation” is real, and breaking down the trends defining what is actually happening in the CISO land
Over the past several months, I have been seeing a growing number of articles and industry reports suggesting that security has a huge problem retaining security leaders. To me, something didn’t feel quite right: few CISOs in my network actually changed jobs, and most of those who did made regular, unremarkable moves. I couldn’t find anyone who decided to leave their job as a full-time security leader and instead became a vCISO.
I recognized that my sample size is limited and there could be a lot more to it that I am not seeing. Yet, this mismatch between what everyone is talking about on social media and what I observed made me think: is the so-called CISO retention problem real, and if so, what is the severity of the issue? Are we going to see all experienced leaders leave the industry in the next few years because of stress and the high demands of the job? Without pretending that there are objective answers to these questions, this piece offers a perspective on what the problem could be and what solutions we should be looking for.
Let the data do the storytelling: numbers behind the “great resignation” of security leadership
Looking at CISO tenure in F500 enterprises
To start, I decided to look at the numbers. Although going through thousands of organizations and trying to figure out the tenure of their security leaders wasn’t something I could do, taking a look at Fortune 500 companies was relatively doable.
Before I share the numbers, let me add several disclaimers:
1. I recognize that extrapolating trends in the industry based on what’s happening in F500 companies isn’t feasible. At the same time, I would argue that if the problem of CISOs leaving their jobs is so severe, it would make sense that it would manifest itself in the top largest enterprises in the country because that is where the stress is incredibly high, and:
the amount of money that can be lost is the highest
the environments are some of the most complex (think of a mix of on-prem and cloud-based infrastructure scattered across the globe, etc.)
the number of stakeholders involved in decisions is the highest, and as a result, politics are the most nuanced
the burden of dealing with multiple regulatory frameworks due to being publicly traded, international, some of the largest stores of data, etc. is the highest
2. The data does have gaps. LinkedIn data can be out of date or not perfectly accurate, and at times we even see fake CISO profiles on LinkedIn targeting Fortune 500s. Some data is missing or may not be easy to obtain; I used “N/A” to mark the missing data.
3. As a baseline, I decided to use the list of Fortune 500 Chief Information Security Officers by Cybercrime Magazine. While it required some updates, and a lot of the information has changed since the list was created, it did provide a fantastic starting point. The problem I ran into is that after removing several duplicates from the list, I ended up with 497 companies. To get to the list of 500 companies, I decided to cross-check against another data source, namely the List of Fortune 500 companies and their websites. After doing this, I ended up with 526 companies but chose to leave it as is instead of trying to come up with a perfect F500 list.
4. Some people have only their most recent role listed on their profile, which makes it hard to understand how long the person has actually been doing their job (was it the role they were hired for, or were they recently promoted?). This is especially important for those who have over a decade of experience as a CISO with the same company. To eliminate the possibility that high tenure artificially drives the averages up, I decided to mark any CISO tenure over 10 years as N/A, unless it can be clearly seen that the person has either 1) held a different role with the same company and got promoted into a CISO job, or 2) previously held a CISO role elsewhere and so was likely hired as a CISO by their current company.
5. Given the volume of data, it is inevitable that some details will not be current, and some will end up outright incorrect. To make it easier for readers to verify the data and suggest corrections, I initially considered leaving links to CISO profiles. After some consideration, I decided against it, as I know some unethical sales reps would use these to start spamming CISOs on LinkedIn. Although there are other databases on the internet, and the list of F500 CISOs isn’t exactly secret, I could not bear the thought that I could enable someone to spam 500+ security leaders. Making this decision will make it harder to find and correct mistakes in the data, but I am willing to accept this trade-off just so CISOs can get one less spam message.
Employee tenure with the current company
Employees at Fortune 500 companies stay with the company for a long time: 8.4 years on average. The median is 5.8 years, which means that as many people have stayed with their current organization for more than 5.8 years as for less. I understand that from the perspective of someone who still remembers two- or three-decade-long careers that might not be a long time, but by today’s standards, this is quite high. It also appears to be roughly in line with, or even slightly above, the figures published by the US Department of Labor: “In January 2022, median employee tenure (the point at which half of all workers had more tenure and half had less tenure) for men held at 4.3 years. For women, the median tenure was 3.8 years in January 2022, little changed from the median of 3.9 years in January 2020… Median employee tenure was generally higher among older workers than younger ones. For example, the median tenure of workers ages 55 to 64 (9.8 years) was more than three times that of workers ages 25 to 34 years (2.8 years).” The data I have about the F500 CISOs doesn’t include their age, although due to the nature of the role, it’s fair to assume that all or almost all will be above 34 years old.
Tenure as CISO with the current company
The number that matters most is the CISO’s tenure in their current role as a security leader at the current organization. On average, among the F500 companies I found data for, this number stands at 4.5 years (the median is 3.6 years). To understand whether this is high or low, it’s worth looking at the broader context. Data by the M&A Executive Search puts things into perspective: “For companies filling a vacant seat at their executive table, expect the ideal candidate to stick around for about five years. While this might sound short, there are several factors behind this figure and context for that length.
First, this is the aggregate average of all C-suite positions. Top company figureheads have tenures that skew higher—for example, 6.9 years for the CEO. Shorter executive tenures typically fall to positions in evolving fields. For example, the average tenure of a CMO is just 3.5 years, while CHRO positions last 3.7 years.
Second, there’s also a broad industry component to consider. C-suite members in the financial sector have a higher aggregate tenure across all positions (5.25 years) than those in the healthcare field (4.36 years). The nature of the business and the greater industry could impact the length of an executive’s stay.
Finally, the age of executives factors into their tenure. Younger executives tend to hold positions for a shorter period of time—whether they’re poached by other companies or choose to pursue new opportunities earlier. Older individuals tend to retain their C-suite position longer.”
The data appears to suggest that the average tenure of CISOs (4.5 years) is quite high, or at least in line with other fields, given that cybersecurity is most definitely an “evolving profession”. The fact that CISOs, despite the incredible pressure and stress of their role, aren’t quitting in droves is impressive. In my view, it’s a testament to their dedication to the profession, a strong sense of mission and purpose, and the desire to do what needs to be done despite all the odds.
It’s worth highlighting that the missing data for companies that either recently lost a CISO or went through a reorganization does skew the average tenure upwards; with that data included, both the average and the median would be different. However, for companies that saw a CISO recently depart, I would take into account the tenure of the security leader who left, for instance:
AmerisourceBergen: Former CISO, Alden Sutherland, stayed with the company for over 8.5 years
AT&T: Former CISO, Bill O'Hern, stayed with the company for 27 years, of which 7 years as a CISO
Walgreens Boots Alliance: Former CISO, Jim Cameli, stayed with the company for 6.5 years, of which 3.75 years as a CISO
Kroger: Former CISO, Karthik Swarnam, stayed with the company for 1.5 years
General Electric: Former CISO, Nancy Anderson, stayed with the company for 3 years, of which 3 years as a CISO. She has now retired.
Prudential Financial: Former CISO, Tom Doughty, stayed with the company for 25.5 years
Travelers: Former CISO Don Garvey retired after 5 years on the job and a long career as a security leader
Capital One Financial: Former CISO, Chris Betz, served for 3.5 years
Lennar: Max Boedder worked at the company for 5 years of which 2 years as a VP of Enterprise Security & Technology Operations
The median tenure of CISOs who left their roles stands at 4.7 years - even higher than the norm in the industry. As can be seen from the data, no CISO left without serving at least a year in their role, only 3 out of 36 (8.3%) served less than 2 years, and only 9 out of 36 (25%) served less than 3 years.
I think if we were to extrapolate this data and further expand beyond F500 companies, the results would not be drastically different. It is clear that despite what some reports suggest, CISOs at large companies aren’t quitting en masse. Instead, they are doing their work to safeguard companies and people’s data, despite all the stress and often less-than-ideal working conditions.
For anyone interested in seeing, verifying, or updating the raw data, here is the link to the F500 CISOs Tenure spreadsheet.
Employment status of the former CISO after departing from the role
In order to paint a more complete picture, it’s useful to take a look at the employment status of the former CISOs after departing from the role. Industry media, and even more so vendor reports, suggest that security leaders are exiting the industry “in droves”, while some say that CISOs are becoming security consultants.
The numbers don’t appear to support these assertions. Of the 36 F500 security leaders that I was able to verify left their jobs in 2023,
5 people (or 14%) did so to retire or transition to retirement
18 (or 50%) took a CISO or a security/IT leadership role at another company
2 (or 6%) have their LinkedIn status listed as “Open to work”
2 (or another 6%) became consultants, vCISOs, or advisors (although it is unclear if this is a permanent decision or a way to stay active and add value while looking for a new full-time role)
9 people (or 25%) did not share any updates that would make it possible to understand what their employment status is after leaving the CISO job
Even if we assume that all of those who are positioning themselves as consultants, those who are open to work, as well as those who haven’t shared any updates since leaving their job, have all decided to quit their CISO careers (which is highly unlikely), that only gives us 13 people (or 36%).
It is worth mentioning that this data doesn’t cover all F500 CISOs that left their full-time jobs, only those I was able to find online. That said, it is plausible that others would follow roughly the same distribution.
These numbers disprove the idea that security leaders are exiting the industry in large numbers, showing instead that people leave their jobs for different reasons (such as career change or retirement), and that at least 50% of those who depart do so to join other organizations in the same (or a similar) role.
To see the numbers in context, check out the “F500 CISO Departures” tab of the F500 CISO Tenure spreadsheet.
Examining CISO tenure at the top fastest-growing technology startups
It is entirely possible that CISOs in Fortune 500 companies have all the resources and all the support they need so they are happy to stay for a long time. After all, these organizations tend to be more mature and one might even say “stable” from the revenue, profit margins, and leadership perspectives.
To understand if this assumption holds, it would be good to have a look at the tenure of CISOs at the fastest-growing technology startups: companies that are highly volatile, prone to replacing their executive teams more frequently, etc. I recognize that they would not be representative of all other companies in the tech space. But in my view, similar logic would still stand: if the problem of CISOs leaving their jobs was as severe as some say, it would make sense that it would manifest itself in the top startups because
Since they are recognizable names, they are most definitely on the radar of the attackers (imagine the number of attackers trying to steal crypto from Coinbase or Robinhood, to name some)
Given that they are growing fast, their threat landscape must be rapidly evolving - new employees are frequently hired and terminated, new technologies are being built and shipped quickly, etc.
The pressure to attain and then maintain market leadership and ship new tech quickly and often creates the incentives to push security aside as something companies “can worry about tomorrow”
The amount of changes fast-growing startups go through doesn’t make it easy for executives to stick around for long unless they can continue challenging themselves and leveling themselves up
As I started to think about it more, I realized that compiling data about CISO tenure in tech startups would result in stats that are not at all useful. There are several reasons why this is the case:
Small startups rarely have a dedicated CISO role - in most cases, the responsibility is assumed by a CTO, a VP of Engineering, or someone else on the team with an interest and passion for security.
The failure rate of startups is high, and it’s hard to discern when people lose their jobs because of layoffs, company dissolution, an M&A transaction, or because they choose to depart for other reasons.
The retention rate at small tech startups is influenced by a wide variety of factors including company performance, team culture, the ability for a person to continue growing in a direction that makes sense to them, etc. Although one might say that the same is true about any company, I would argue that in tech startups, these factors matter much more because employees accept lower cash compensation in exchange for other benefits such as equity and the potential for fast growth.
Employee retention at larger tech companies has been low. A report from back in 2018 (before the pre-pandemic layoffs, post-pandemic hiring, and 2022-2023 economic downturn reduction of force) revealed numbers that are by no measure impressive:
This makes it impossible to establish a baseline for comparison for startup CISOs and makes any attempts to aggregate data not useful.
Putting the “great CISO resignation” into a broader context
Although the numbers I’ve looked at do not suggest that CISOs are massively quitting their jobs (at least not in large enterprises, or not yet), we are indeed seeing many worrying signals of what could be coming. A 2022 study from cybersecurity company BlackFog found that 32% of CISOs in the US and UK have considered leaving and many planned to do so in just six months. As security is getting more and more complex, the number of attacks is increasing, the regulators are introducing new requirements, and prosecutors are trying to get CISOs charged for doing their very best in this uncertain environment, it is no wonder that a third of security leaders are tired of dealing with this reality. Yet, the bigger picture seems to be a bit more complex.
The tech industry as a whole has been going through a strong trend of people resigning from their jobs, leaving their employers for better opportunities, or to take a break from the constant grind. Here are some stats that put the great CISO resignation into a broader perspective:
Eighty-three percent of developers report suffering from burnout, and 81% say it’s gotten worse during the pandemic
StackOverflow data from the end of 2021 suggests that 75% of developers were either actively looking for a job or open to new opportunities
87% of software and DevOps professionals in the UK have either quit or considered quitting their job
Data scientists will switch employers every 1.7 years
In the past five years alone, 98% of data scientists have changed jobs at least once
In security, the stats are equally bad if not worse: 45% of cybersecurity professionals have considered quitting the industry due to stress, according to the Voice of SecOps Report. When looking at the broader picture, it becomes clear that it’s not just CISOs: nearly anyone who is working in the technology space is struggling to cope with constant stress. DevOps professionals or software engineers who are forced to wake up at night to the sound of their pagers are suffering no less than security practitioners expected to respond to incidents no matter when they happen.
Although the overall picture may be bleak, some numbers are being made to appear worse than they are. An example of such a statement is Gartner’s prediction that “nearly half of cybersecurity leaders will change jobs by 2025”. Let’s zoom in on it for a second by referring back to our old F500 CISO tenure spreadsheet:
There are 526 organizations listed on the sheet
The data is available for 492 IT and security leaders
The average tenure of CISOs in the role with their current company is 4.5 years
At least 180 CISOs on the list have already, as of today, been in their role for more than 4.5 years
The median tenure of CISOs in the role with their current company is 3.6 years
At least 240 CISOs on the list have already, as of today, been in their role for more than 3.6 years
If you play with numbers, it becomes clear that by the end of the month, we can have ~50 CISOs from the F500 list get a new job and it will still be comparable with the usual tenure of leaders in areas such as marketing and human resources
While Gartner’s statement that “nearly half of cybersecurity leaders will change jobs by 2025” sounds like an absolute nightmare, it is well in line with the market data for executives from other fields.
The way the data is presented matters. For instance, it is true that in 2019, the number of people who were victims of homicide in the US was 25 times higher than the population of Vatican City. This statement, however horrific, misses the fact that the population of Vatican City is less than 800 people and that the actual number of people who died from homicide in the US during 2019 was 19,100, almost half of the 1991 figure (since the 1990s, the crime rate has fallen dramatically). As an industry, we can do better about spreading (or rather not spreading) FUD; not just when it comes to security capabilities and the ability of vendors to “stop all breaches”, but also when it comes to the trends in our field.
Although it’s not as bad as some would want us to believe, the industry is undeniably changing
Although the CISO tenure at large companies doesn’t look too bad, and the prediction that “nearly half of cybersecurity leaders will change jobs by 2025” isn’t nearly as scary as some would like it to sound, the truth is that the industry is indeed evolving.
We are seeing CISOs leave their jobs and become increasingly worried about the future of the profession. It does look like resignations of CISOs are on the rise, more people are becoming vCISOs, and a large number of security leaders are starting to talk about the challenges of the profession on social media.
Before we look at the nature of these trends (and we have to because they aren’t always what they look like), it’s worth pausing to talk about the CISO role itself, and the rising expectations for security leaders.
Factors leading to the change of expectations for the CISO role: technology, business, and the government
The ever-growing technical complexity of security and the push for CISOs to stay current on new technologies
The rapidly changing technological landscape has been forcing security leaders to stay up to date with innovations. Be it cloud computing, blockchain, artificial intelligence, or machine learning, every new tool, approach, or framework the enterprise teams adopt needs to be properly configured, deployed, and secured. All this, combined with the ever-growing complexity of the enterprise environments, makes being CISO in 2023 undeniably much harder than it was, say, two decades ago.
One might argue that the same is true about other areas of tech, for instance, software engineering. Engineering leaders (CTOs, VPs, and Heads of Engineering, etc.) have had to stay updated on all the new advancements in their fields, and that has been a lot: from the way people organize their work (Waterfall to Agile), to the speed with which they ship code (annually, quarterly, weekly, and now continuously, 24/7), the way products are built (monolith vs. microservices), the expectations around scale and latency, the frequency with which developers rely on third-party packages, etc.
While that is true, CISOs are faced with several challenges that their engineering counterparts haven’t needed to worry about:
The overwhelming majority of engineering leaders have a background in software engineering, computer science, and other deeply technical fields that provide a solid engineering foundation to build upon. The backgrounds of security leaders are much more diverse - law enforcement, military, compliance, IT, policy, security engineering, incident response, and the like. Although each of these offers a unique perspective much needed in security, some provide a more solid technical foundation to get to the bottom of how a new technology works than others.
The feedback loops in security are much shorter, and the consequences of missing something important are much more imminent, even if not necessarily strategically impactful. For example, while an engineering leader is expected to stay up to date with industry developments, if they are a year late adopting a new approach, over time the company may lose a competitive edge against its rivals, but it can take years before it becomes obvious. On the other hand, if a security leader is a year late making sense of a new attack vector, the chances are high that feedback (a security incident) will be imminent. Or, if they are six months late becoming compliant with a new regulatory framework, the regulators won’t care that they were “busy with other things”. This creates a perception that no matter what CISOs do, they can never win this game, a perception that is both demotivating and disempowering.
Companies are expecting CISOs to become functional leaders modern businesses need, quickly
The time when security leaders could focus solely on technical security measures is going away. A lot has been said about the need for security to transform from a “department of no” into a business enabler, and we see it happening today. Among the many changes required for this to become a reality, one stands out the most: CISOs are expected to be well-rounded, T-shaped leaders who aren’t just experts in their domain, but who understand how other parts of the company operate, from marketing, sales, and engineering to product, design, customer success, data science, and beyond. Understanding in itself isn’t enough: enterprises want their security leaders to speak the language of the business and to make decisions with the business goals in mind.
Similar to the former trend (the expectation that CISOs will stay on top of emerging technologies), this one is not at all unique to security. The only reason we are discussing this as a security problem is because other fields, namely software engineering, have completed this transformation before. A few decades ago, technology leaders were focused on their own interests and needs, often choosing to pursue “cool tech” and build functionality that excited engineers but was of little value to customers. It has taken us over twenty years to get engineering leaders fully aligned with the needs of the business. The product management function was created largely to address this problem and ensure that developers will always focus on what is most valuable to the customers and the business.
As the expectations of CISOs are growing, so is the ability of security leaders to contribute beyond their domain. It has taken CISOs multiple decades to gain a voice at the executive table, and now the ever-growing number of organizations wants to hear what they have to say. This transformation was (and still is) partially driven by the reality that nearly every company is now a "software company" or at the very least, leveraging technology and software to deliver business value - all of which now need to be protected from cybersecurity threats. I am very optimistic about this trend and what it can bring to the industry.
The government has an opinion of what CISOs should be doing (but only after they've done it)
Although the former two factors accelerating the evolution of the CISO role have been equally impacting other fields, the last one, namely the role of the government, has been unique to security. As I’ve discussed before, the government plays a critical role in the cybersecurity space, creating markets, establishing minimum standards to strengthen the security posture across companies and industries, and facilitating intelligence-sharing, among others.
As it relates to security leadership, the track record of government involvement so far has been mixed at best. On one hand, government agencies have been hard at work creating and sharing useful materials such as CISA Tabletop Exercise Packages, providing resources to information sharing and analysis centers (ISACs), and briefing CISOs of strategic and nationally critical institutions about the threat landscape. On the other hand, the government has shown its inability to keep up with the speed of innovation and created an environment in which security leaders are becoming afraid to do their jobs. In particular, Uber’s former CISO, Joe Sullivan, has been convicted of federal charges for covering up a 2016 data breach that resulted in the personal information of 57 million Uber users being stolen.
Joe Sullivan was sentenced to serve a three-year term of probation and ordered to pay a fine of $50,000; the whole trial has been closely watched by the CISO community in the US and globally and has left many scars on security leaders. It sets a precedent when an individual can do their job, have a set of actions sanctioned by legal, finance, operations, and even the CEO, and then be held accountable for the outcomes of executing the plan. Uber’s CISO wasn’t the only one impacted by the wrath of the public servants: earlier this year, US Securities and Exchange Commission (SEC) staff recommended legal action against the CISO of SolarWinds. To understand how unusual this is, it’s worth reflecting on a couple of facts:
Corporate lawyers make mistakes, errors, and omissions but when the company they work for gets sued, they don’t go to jail.
When Meta allowed third parties, including the British political consultancy Cambridge Analytica, to access Facebook users' personal data, its product managers didn’t go to jail.
I can go on and on with this list; what matters is that suing CISOs is highly unusual, especially because it is being initiated by the government.
The root cause for Joe Sullivan’s conviction, in my view, is the absence of regulations that clearly define the boundaries of what’s allowed and what isn’t. Since the beginning of the 1990s, technology has been evolving at an incredible pace - first with the adoption of the Internet, then mobile, the cloud, blockchain, and now artificial intelligence, to name a few. The government understands that emerging technologies need to be regulated, but it lacks the technological fluency to do so. Moreover, the public sector has been unable to attract and retain technological talent which leads to regulation by individuals without the requisite experience and expertise. The regulator chooses to stay on the sidelines letting people do what they think is appropriate, and then coming back and punishing them selectively. No entrepreneur, security leader, or product person knows what the boundaries are; they have a sense of some gray areas but they don’t know how big these gray zones are, and what the lines between gray and black look like. Moreover, all innovation comes from operating in the gray - the uncharted, unregulated, unknown zones.
In my opinion, in the absence of well-defined rules, the prosecution and sentencing of individual CISOs sends two messages. First, it shows the failure of leadership on the government side, and its inability to set the boundaries for emerging technologies. I think we need to challenge the public servants to do better. Technology isn’t going away, and it is most certainly not slowing down. If we fail to change how we approach the regulation of emerging technologies now, in a few years we will likely be jailing those who are now working on artificial intelligence. Second, it shows that the government is telling security leaders that they are being closely watched, and that missteps won’t be tolerated. I can appreciate the fact that cybersecurity is a critical part of a nation's defense, but we need to draw the line between corporate and personal responsibility. Sentencing CISOs who are doing their best (not to mention that CISOs' decisions are frequently overridden by CEOs) isn’t the best way to build goodwill and move the industry forward.
Factors causing what looks like a mass resignation of CISOs and the rise of vCISOs
CISOs are willing to leave the role if they don’t feel they are getting the support they need
The overwhelming majority of CISOs understand that security is a journey, not a destination, and that it takes a long time to get to a place where they can control the environment. Most CISOs aren’t simply looking to rotate jobs every year and a half; they want to see their security program through unless they run into major roadblocks. Life is dynamic so some security leaders do find new opportunities, or get offered substantially higher pay, while others relocate, choose not to go back to the office, or make a decision to pivot their career into consulting, to name a few. All these are absolutely normal in any other segment, especially in the technology space.
Although I’d challenge the statement that we have an endemic problem in the industry with CISOs “quitting in droves”, what is true is that security leaders are stressed, overworked, and frequently underappreciated. The latter, however, often depends on their ability to show the value they bring to the table, since many other executives, such as heads of customer success, IT, or data science, can be in the same boat. Unfortunately, decades later, security is still often viewed as a blocker or a source of friction by CISOs’ sales, engineering, and technology peers, and is generally avoided unless those peers are forced to engage with it.
Another factor I’ve observed that makes CISOs leave is the inability to secure the support they need, in the form of buy-in, resources, and the like. This part is entirely understandable: seeing that a business doesn’t want to invest in security and instead hopes that just hiring a CISO will solve all the problems doesn’t build a lot of confidence, and most certainly doesn’t set CISOs up for success in the role. Now that security leaders know that they will be held accountable for any incidents and that they may even be asked to testify in a court of law (or worse yet, be tried personally), it’s reasonable for them to leave any organization that doesn’t understand the importance of security or isn’t committed to doing what it needs to improve its defenses.
Some CISOs are hired for a limited term
Some security leaders, often called “transformational CISOs”, are hired for a temporary assignment. The scope of their responsibility is time-bound and well-defined: to transform a company, achieve enterprise change, act as an interim CISO while the company is looking for someone long-term, establish a dedicated security function, or handle a post-breach recovery. From the outside, it is typically impossible to tell that someone was hired as a transformational CISO, so their departure can be mistakenly perceived as a “security leader leaving the company”.
CISOs are exploring ways to limit their liability
The public cases of security leaders being held responsible for security breaches and post-breach response, such as the above-mentioned trial of Joe Sullivan, raised concerns about the extent of CISO liability. It’s too easy to think of security leaders as just that - CISOs - but they are also people with bills to pay, kids to feed, and loved ones to take care of, as well as dreams and worries about their future.
Having seen how far the government can sometimes go in trying to prove a point or turn individual lives into precedents and cautionary tales for others, CISOs are rightfully looking to limit their liability. I don’t think there are many security leaders left who haven’t asked their peers what each is doing in this area, and many have sought legal advice. I have been hearing that CISOs are reviewing their insurance coverage and looking for ways to increase policy limits. Some even go as far as to consider taking a vCISO (virtual CISO, essentially a contract) role in the hope that the absence of an employee-employer relationship will help reduce their liability exposure.
Although I think it’s inevitable that some security leaders, especially those with decades of experience and strong networks of potential customers, can pull this off and become vCISOs, the vast majority won’t go that far. Being a vCISO is a different game, and the amount of time people who take this path have to spend doing sales and running their business can greatly outweigh the time they spend on doing security. At least in the short term, I don’t anticipate CISOs en masse becoming vCISOs.
Source of the biggest industry shift: a new generation of practitioners forging its path into security leadership
The biggest source of the so-called “CISO resignation”: practitioners breaking into a CISO role
Although the CISO role is relatively new, it has already seen many changes. One of the changes I have observed is the evolution of the understanding of what “a CISO” actually means. In the past, the title would come with a set of attributes - a security team, an ability to set the strategy and oversee the execution of the security program, ownership over the budget, and so on. Today, that may or may not be the case.
It used to be that only large enterprises would hire a dedicated security leader, so CISOs who assumed the position were expected to have a certain level of experience in the role. As more and more companies realize the need to have a dedicated person in charge of security on the team, I see that many CISOs being hired are in fact “one-person security teams”. When tech startups and SMBs are hiring CISOs, what they are often actually looking for is experienced technical security practitioners, capable of being hands-on, fully owning security and acting as a “one-person security team”, and interested in growing into a leadership role over time.
These are great opportunities for security practitioners with the ambition to later become CISOs in a larger organization:
It is hard to find a CISO role in a larger organization unless one has been a CISO before. Accumulating the necessary experience running security in a smaller company is a great way to get out of this catch-22 and supercharge their security career.
Startups and SMBs present a great learning opportunity: while their environments may not be overly complex, they are also typically unable to allocate a sizable budget to security. Security practitioners acting as CISOs in these organizations have to be creative and do what needs to be done with limited resources.
Getting the CISO title opens a wide variety of opportunities for networking, speaking, building a personal brand, angel investing, and other facets of the industry critical to long-term professional growth.
The long-term outcome of these entry-level, first-time CISO roles depends on many factors:
Do they have the authority to make decisions?
Do they have the right levels of support to be successful?
Is the company growing, and, consequently, is there an opportunity for them to build a team and step into a more strategic, “real CISO” role?
Getting a CISO role in a small startup can be a fantastic career booster. But it is often incredibly draining: CISOs who need to do everything on their own while being uncertain whether they can grow their careers with the company burn out rather quickly. If the opportunity to grow with the business and hire a security team isn’t there, first-time CISOs tend to move on to a larger organization and a better role. This typically happens after 1.5-2 years, once they have enough experience and can show that they’ve built a security program from scratch, collaborated with leaders of other departments, owned vendor evaluation and selection, negotiated contracts, etc. Another factor that motivates them to look for better opportunities is compensation: first-time CISOs are often paid at or slightly above an individual contributor or manager level.
For all these reasons, first-time CISOs tend to have a much shorter tenure than repeat CISOs with well-established careers and solid compensation packages. However, what is, once again, a normal process in one's career trajectory on a path to a leadership role, from the outside looks like another sign of the “great CISO resignation”.
The biggest cause of the rise of vCISOs: practitioners breaking into a CISO role
Although CISOs aren’t all quitting their jobs to become vCISOs, some industry insiders assume that that’s exactly what is happening. They are not wrong to observe the rise of vCISOs, but I think they greatly misunderstand why this is the case, and where these new, on-demand security leaders are coming from.
Experienced security leaders rarely take the vCISO route, unless they are retired, nearing retirement, or are looking for a temporary break from the daily grind and the stress that comes with it. Many CISOs are indeed considering the vCISO role as a way to limit their liability and stress, but as of today, I don’t believe it is happening at scale. If we were to look closer at the growing number of vCISOs, it doesn’t take long to notice that the vast majority of them have not previously served as CISOs, with full responsibility for the company’s security strategy, and the team that comes with it. Instead, most virtual CISOs are former individual contributors - practitioners looking to get security leadership experience for their future career growth, consultants interested in establishing their own practice, and even professionals who have a full-time job but are passionate about helping small and mid-sized companies to strengthen their defenses on the side.
Many security practitioners see the vCISO responsibility as a stepping stone into a full-time CISO role. This is a great approach, as it enables them to build the skills necessary to understand the business needs, think about security holistically and outside of their specific domain area, and build communication muscle. The market benefits from this arrangement as well: many companies need someone to help with security but cannot afford a full-time, experienced CISO hire.
In some cases, if the startup or the small business grows, the vCISO who worked with them can even get hired full-time, although that’s rarely the goal. I have also witnessed that many security practitioners underestimate the amount of effort they need to put into sales and running their business, thinking that customers will come on their own as soon as they make themselves available to take on work. When faced with this situation, some make it work and others struggle with sales and go back to their full-time jobs.
Image Source: Smithographic
Going into the future: three ideas to ponder
There is no denying that a CISO role is incredibly demanding and much more stressful than many other occupations in the technology space. It is also true that security leaders are looking for ways to regain at least a semblance of the work-life balance many lost years ago. However, I think that by making statements such as “CISOs are massively resigning because of stress”, we are not only oversimplifying the reality but also absolving ourselves of our responsibility as an industry.
People leave their jobs for different reasons: some are looking for new challenges, others realize that they have outgrown their current role, and some, after having spent many years with the same company, want to try something new. At times, it comes down to the compensation package, and needless to say, many are rightfully looking for less stress and the ability to spend more time with their loved ones. Some security leaders are retiring after several decades of service, others are relocating, and there are even CISOs looking to take a leap and start their own thing, be it a consulting company or a product startup. People’s situations are diverse and complex, but when vendors are incentivized to sell “magic solutions to all problems”, they would certainly like to picture CISOs as helpless and confused people. Some founders don’t want to think of themselves as providers of products, services, and plumbing that enable security programs to be implemented. Instead, they want to feel like saviors, and nothing makes them feel as good as “saving helpless, overwhelmed, confused and stressed CISOs”.
When I speak to security leaders, I don’t get the sense that they are feeling helpless. They know that the industry is maturing, and many are choosing to be proactive in adopting security-first, engineering-centered mindsets, implementing defense in depth and zero trust approaches, ensuring that when incidents inevitably happen they won’t take down the whole organization and will instead be contained and isolated effectively, and so on. It is true that there is a lot to handle, but both tenured and aspiring, first-time CISOs are, by and large, very capable of taking care of their organizations. And, they most definitely don’t need the industry to remind them that they are stressed and overworked.
CISOs are well capable of taking care of themselves and their business - they have formed strong peer networks and informal support groups, and are doing just fine. Yet, there are several challenges that we as an industry need to address.
I would like to leave readers with three ideas to ponder.
First, I think we as an industry have to stop being sensational and instead see a broader picture of what’s happening. Most problems in the space require broad, industry-level discussions devoid of FUD and of unscrupulous security vendors claiming that their products can solve any problem (yes, even reduce stress).
Second, we need to urge the government to develop a legal framework that sets the boundaries between corporate and personal responsibility of security professionals and leaders. Little good will come to the industry if CISOs are forced to get creative to reduce their personal liability exposure. On one hand, it makes sense that security leaders are being called to court; that’s a sign that they have finally become a part of the executive team (CEOs, CFOs, and other senior leaders are used to this). There should most definitely be consequences for choosing not to disclose material information about breaches and for breaking the law. And yet, if nothing except the growing liability exposure changes, I am worried that in many organizations CISOs might become scapegoats operating within undefined, unclear legal boundaries, something we certainly don’t want to happen.
Third, we need to normalize the fact that CISOs are going to have breaches on their resume. With rising numbers of attacks, it’s almost inevitable that every security leader will be involved in an incident. The goal isn’t to prevent 100% of them (as that’s not possible), nor to avoid threat hunting so that incidents can be covered up; it is to be proactive, discover incidents as soon as possible, reduce the impact when they happen, and respond and recover quickly. The question shouldn’t be “Was the company breached during this person’s tenure?”; if it is, then security leaders will indeed become motivated to change jobs every 1.5 years, crossing their fingers that nothing happens (or gets found) before they leave. Instead, we need to be asking “What have you learned?”. Restricted by non-disclosure and other legal paperwork, CISOs can rarely go and publicly discuss what happened in their organizations. However, this conversation has to take place somewhere in the industry, be it ISACs, peer leadership groups, or other safe spaces devoid of sensationalism. Moreover, as ironic as it is, the industry needs experienced security leaders, and that very much includes people with experience handling incidents. If we make it so that CISOs whose organizations suffered breaches can’t find a new job, I think it will set the industry back decades, preventing the maturation of the profession and other achievements we as a field should be proud of.
Having covered so much ground, I know that a lot of what’s being referred to as the “great resignation” is, in fact, much more complex, and a lot of what looks like signs of CISOs “quitting in droves” are actually indicators of broader industry changes. Does all of this mean that security leaders are not resigning? No, I can’t say that. As a friend and ex-CISO of one of the largest US retailers puts it, “The ‘great resignation’ is happening, but it’s like cancer. It is not a sudden aggressive cancer, but a systemic cancer that has spread and whose impact is only now being seen and felt and will not easily be cured”.