Enterprise CISOs are increasingly willing — and eager — to jump ship, with some frustrated enough to want to leave cybersecurity entirely.
A recent survey of security leaders from IANS Research and Artico Search found that 69% of security executives “are open to making a career move within the next year, often targeting CISO roles at a larger company or in a different industry, but also other non-CISO roles such as CTO, CIO, board member, or a second-in-command security leadership role at a larger company,” according to the report.
Cybersecurity analysts and consultants attributed this shift to a variety of issues based on what they’ve seen and heard from CISOs.
“It’s not so much about chasing a slightly better or higher title. The sheer exhaustion, organizational misalignment, and a growing sense that the job, as it is currently structured in many organizations, is not sustainable” is the primary cause, says Erik Avakian, technical counselor at Info-Tech Research Group.
“CISOs live in a world of constant urgency. Unexpected incidents, routine audits, board updates, third-party vendor challenges, and regulatory deadlines are part of the daily grind and come without any real off-ramps,” he says. “At the same time, many are still perceived internally in their organizations as the security person rather than as a true business leader executive. That gap between responsibility and influence wears people down, particularly if the influence doesn’t grow over time.”
Such patterns have become ingrained in the enterprise over many years, making this a challenging issue for organizational executives to fix.
“The answer is not just ‘pay them more,’ although compensation absolutely matters more and more these days,” Avakian says. “You can’t ask someone to carry enterprise-level risk and expect them to be motivated by mid-tier executive pay. But money alone doesn’t fix a structurally broken role.”
The fix begins with giving “enterprise-level standing” to those accountable for enterprise security, he says. “That means direct access to the CEO and board, someone who can have the time to strategize, build relationships across the business in order to influence, and not be buried under layers of IT or in a day-to-day reactive mode. It means authority that matches responsibility, real influence over cybersecurity budgets, architecture, third-party posture, and overall risk decisions.”
Avakian adds that this goes well beyond the typical disgruntled executive.
“Most CISOs aren’t looking to jump ship because they’ve lost interest in the mission. Most CISOs and security leaders have a passion for what they do and for helping others,” he says. “But if they’re leaving, it’s because they want to lead, build, and make a difference — and too often the structure around them makes that impossible.”
Organizations fix this by “reshaping the role so that thought leadership, team leadership, and positive influence are actually possible,” he adds.
A ‘systemic vulnerability’
Sanchit Vir Gogia, chief analyst at Greyhound Research, says the issue goes beyond mere job-switching: “We’re staring down a slow-motion talent exodus,” he says.
“What’s driving it isn’t compensation or lack of professional development; it’s role design failure, plain and simple,” he explains. “Enterprises have engineered a position that asks security leaders to carry outsized responsibility for risks they can’t fully control, with inadequate authority, patchy board support, and a high probability of becoming the designated scapegoat when something goes wrong.”
Moreover, the emotional pressures of the CISO role have continually gotten worse. “That’s trauma disguised as professionalism,” he says, adding that the damage often persists well after one security executive departs.
“When a CISO leaves, the aftershocks ripple fast. High-performing lieutenants often follow within months. Projects get frozen. Strategic security programs lose momentum. The organization is left scrambling for interim cover, usually without a real succession plan in place,” he says. “This is more than a retention issue. It’s a systemic vulnerability. Yet most boards haven’t treated it as one.”
Worse, CISOs who leave their positions are often walking away from the role entirely, Gogia notes.
“Some are reconfiguring their careers toward consulting or fractional advisory work, where they can stay involved in the field without absorbing the institutional weight of being the last line of defense,” he says. “Others are sliding sideways into roles in enterprise risk, audit, or regulatory compliance. These are functions where decision rights and accountability are better aligned.”
The best way to stem the tide of CISO departures, Gogia suggests, is to give CISOs the power they need to do their jobs.
“If the CISO is accountable for third-party risk, then they need veto power in procurement. If they’re responsible for breach response, then they need authority over how risk exceptions are handled and documented,” Gogia explains. “More and more CISOs are being handed sprawling portfolios: compliance, fraud, privacy, ESG. But without matching headcount, budget, or political backing. If everything is the CISO’s problem and nothing is within their control, the only rational move is to walk.”
CISO as single point of failure
Zach Lewis, CISO at the University of Health Sciences and Pharmacy in St. Louis, believes the portion of CISOs looking to exit is even higher than the IANS findings.
“I think it absolutely is higher than that. Every CISO I know now is open [to leaving]. They are all heavily looking. They want something new,” Lewis says, though he notes a difference depending on whether a CISO works for a private enterprise or a publicly held one.
“Ever since the SEC started looking at charging CISOs, those [SEC] comments are making them skittish. They want to remain a CISO but not in a publicly traded company,” Lewis says.
Cybersecurity consultant Brian Levine, a former federal prosecutor who today serves as executive director of FormerGov, has also seen heightened concern from CISOs at public companies.
“When breach liability becomes personal and board support feels performative, CISOs start asking: ‘Is this worth it?’ Increasingly, the answer is ‘no,’” Levine says. “If boards want to retain top cyber talent, they need to stop treating CISOs like risk absorbers and start treating them like strategic enablers. Influence, budget, and legal protection aren’t perks: They’re prerequisites. That disconnect is driving some of the best out the door.”
Levine also finds fault with the lack of meaningful CISO succession plans at many enterprises.
“We need to build deputy pipelines and rotate talent. Right now, too many CISOs are single points of failure and they know it,” he says.