The CISO’s greatest risk? Department leaders quitting

What CISOs can and should be doing: The situation isn’t hopeless; there are steps CISOs can and should take to help avoid defections. It’s a matter of making staff a priority. PayNearMe’s Hobson says CISOs need to ask themselves whether functional security leaders are wearing too many hats with too few opportunities to advance, and if they are doing enough to nurture and retain them.

“CIOs should be asking tough questions about leadership pipelines, succession planning, and the cultural dynamics within their security teams,” she says. “If we want to build sustainable security leadership, we need to understand, and address, why so many are eyeing the exit.”

Retention should be thought of as a program that requires additional operating model iterations, rather than something static, according to Malik. She suggests that CISOs implement a responsible, accountable, consulted, and informed (RACI) project management tool and give functional security leads authority over their systems. They should also be given career paths that include promotion rubrics and “sponsorship, not mentorship, at the executive level, with visibility and board-facing opportunities,” Malik says.

A portion of compensation should be tied to risk contributions, for example, stats for time to patch, instead of audit fail/success factors, she adds. There also needs to be “tool and telemetry sanity,” which would require CISOs to consolidate vendors and implement a “quarterly kill-switch: If your tool is not reducing MTTR/false positives by date and tool objectives … retire or re-scope the tool as per worst-case expectations.”

Centric Consulting’s Fisher thinks success should be tracked by prevention of downtime and system protection, rather than reacting to an incident. At one company he worked at, when the security team started posting data on risk reduction on its dashboards, engagement increased and turnover declined. “It increased the visibility of work, which renewed the motivation within teams,” he says, adding that it is not often that security professionals will leave due to pressure. “They abandon due to the disappearance of their results behind the lack of crisis.” They would more likely feel invested if prevention was used as a metric, Fisher says, “and make security a quantifiable growth aspect rather than an unspoken background role.”

Is the CISO role something to aspire to?: Asking functional leaders to do more “is a direct reflection of the CISO’s own struggle for influence,” Fisher observes. When a CISO sits under an unreceptive CIO or COO and does not have a seat at the executive table, they cannot effectively advocate for their team’s needs, he says.

“This powerlessness trickles down. Managers are left to enforce policy and execute on a strategy they had no input on, with a team that is understaffed and under-equipped for the task,” Fisher says. “They carry the responsibility for failure without the authority or resources to ensure success.”

Perhaps the most critical issue is that “ambitious security managers are looking up the ladder and seeing a role they do not want,” he adds. “They see their CISO, buried in a 24/7 cycle of stress, personally liable without the same protections as other executives, and struggling to find time for the strategic thought leadership the role demands.”

What’s worse is that many see a leadership bottleneck, Fisher says. He believes there is a propensity to promote the best technical experts into the CISO role. “While their hands-on experience is valuable,” he acknowledges, “many lack the strategic perspective, business acumen, and leadership skills to build a mature security program and mentor the next generation of leaders. For the aspiring manager who wants to grow into a business-aligned strategist, this creates a career ceiling. Why stay and fight an uphill battle for a midlevel salary that doesn’t match the required experience, only to report to a leader who cannot pave the way for meaningful career progression?”

Career progression in cybersecurity likely needs to be redefined, Hobson agrees. “It’s not just about climbing a narrow ladder toward the CISO role, there are limited seats at that level, and the field is evolving too quickly for that to be the only path.” There are “multiple rewarding paths beyond the traditional CISO path,” she says, in areas including AI governance, architecture, and risk. Lateral growth through deep specialization in areas like privacy, threat modeling, and AI governance can be just as valuable and fulfilling, Hobson says.

Help functional leaders see meaning in their work: To prevent an exodus, CISOs must fundamentally shift their focus. It’s not enough to recognize that functional leaders are overextended, Hobson says. “CISOs need to restructure workloads, prioritize development, and empower their teams to influence the organization strategically,” she says. “The high-stress role needs to be balanced with professional engagement.”

Like Malik, Hobson says CISOs should also “delegate meaningfully” to prevent burnout and give functional leaders real autonomy. “Nothing burns out a strong leader faster than being reduced to a messenger.”

The CISO’s role is to cultivate resilience, belonging, and knowledge in different pathways so leaders see meaning in their work and remain engaged, Hobson says. “That starts with clarity, helping functional leaders understand how their responsibilities directly support business strategy and reinforcing that security should be a strategic advantage for every company,” she says.

“Our primary job is not just to manage risk, but to build a resilient, sustainable organization,” Fisher stresses. “That begins with protecting our people from burnout, championing the business value of security in the boardroom to secure necessary resources, and actively mentoring our managers into becoming the strategic leaders this industry needs.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4094734/the-cisos-greatest-risk-department-leaders-quitting.html
