
Should I stay or should I go?

Even the most seasoned CISOs sometimes run into insurmountable roadblocks at their organizations. Despite their best efforts at building relationships, and even with their technical depth and business acumen, they cannot garner the support needed to protect their organizations, and themselves, from impending disaster.

In the big picture, CISO roles are hard, and so the majority of CISOs switch jobs every two to three years or less. Lack of support from senior leadership and lack of budget commensurate with the organization's size and industry are top reasons for this CISO churn, according to The Life and Times of Cybersecurity Professionals report from the ISSA.

More specifically, CISOs leave because of limited board engagement, high accountability with insufficient authority, executive misalignment, and ongoing barriers to implementing risk management and resilience, according to an ISSA spokesperson.

Many of these roadblocks are common across industries, so how does a CISO know when it is time to move on?

They look for the flags.

Red flag: Paying lip service

A common red flag, and a reason CISOs leave their jobs, is leadership paying "lip service" to auditors, customers and competitors, says FinTech CISO Marius Poskus, a popular blogger on security leadership who posted an essay about resigning from "security-theater roles."

So, even before signing on to a new job, Poskus suggests looking at the recent events preceding the organization's decision to hire its first-ever CISO. "I see this often. Usually after an impactful breach, they negotiate fines down by saying they'll hire their first CISO. In fact, a friend in New Zealand reached out to me today with just such a story," he tells CSO.

Other signs that executives are paying lip service to security include constant resource denials, lack of risk ownership, and failure to sign off on identified risks at the top level, leaving the CISO exposed. To this end, Poskus shared a security executive charter that outlines senior executives' accountability for the cybersecurity program.

And, since lack of access to the board is a top-cited reason for leaving, Poskus says to look for problematic reporting lines that block access to executives, such as a boss who refuses to pass issues and requests up to executives.

Red flag: Cognitive disconnect

Lack of access to executives and the board comes up repeatedly in Cybersecurity Ventures reports as a top reason CISOs decide to leave their jobs, according to Steve Morgan, founder of Cybersecurity Ventures. He cites lack of support as another top reason CISOs leave.


Splunk's 2025 CISO report found that only 29% of CISO respondents said they had adequate budget, compared with 41% of board members who felt cybersecurity budgets were adequate.

This cognitive disconnect was clear in Nawab Kabir's case. He declined the prospect of a full-time CISO role and became a fractional CISO after a merger left him reporting to an IT director rather than to the CEO, as he previously had. "One of the key red flags for CISOs is if their boss, usually the CIO or CTO, repeatedly blocks attempts to escalate issues to the CEO by downplaying the true risk, asking the CISO to accept that risk, and saying that the CEO simply doesn't care. So, the risk never gets discussed in executive leadership meetings," Kabir says.

After the merger, the initiatives and intervention strategies he developed never got past the director of IT (who came from the merged company) to executive leadership. So, Kabir knew it was time to leave. "That's one of the reasons I became a fractional cybersecurity leader, which I like because now I'm being hired to make a difference at my client companies."

Red flag: Pushing ethical boundaries

Above all of these, the biggest red flag is when leadership pushes against your professional and personal ethics: for example, when a CEO or board wants to conceal compliance gaps, cover up reportable breaches, and refuses to sign off on responsibility for gaps and reporting failures they have been made aware of. "This happens more often than we know because most CISOs won't make public what happened behind the scenes that made them quit, especially when they're looking for new jobs," Poskus explains. "Your integrity is your most important asset, so that's the biggest red flag when we talk about leaving a job rather than staying and fighting."

In these kinds of situations, the CISO likely lacks critical allies within the organization. Recognize this sense of vulnerability, Poskus advises, because it is a huge red flag. Human resources and legal teams in these situations will not help, because they owe their loyalty to the business, he adds.


Such was the case with former Uber CISO Joe Sullivan, who was thrown under the bus by Uber's shady leadership after a 2016 breach. In contrast, SolarWinds CISO Tim Brown felt fully supported after the historic 2020 supply chain hack that spread to 18,000 enterprise customers through the update mechanism of its Orion network management product.

"Joe was in such a difficult situation. The company was aggressive toward him, which was so different from my experience at SolarWinds," says Brown, who led the response to the breach.

Green flag: They have your back

In contrast to Sullivan's employer, Brown says that everyone involved in responding to the SolarWinds breach, from IT responders to communications, legal, and executives, felt the same way he did about making things right for customers and regulators. "My situation was difficult, but manageable in many ways because of that support from my team. From day one, we had no question about doing the right thing. We chose transparency to our customers throughout the SEC filings," Brown explains.

Even as a new CEO came on board under a planned transition shortly after the breach, and as the SEC charged SolarWinds and Brown with fraud over the company's statements about its security practices made shortly before the sophisticated supply-chain hack occurred, Brown has felt ongoing support.

Given his access to the board and CEO, Brown knew well before the breach that the company had his back. He also points to another green flag: the company's commitment to tabletop exercises simulating impactful breaches. Throughout the practice scenarios, teams worked together under a customer-centric mandate that emphasized transparency and education, the same playbook they followed in the 2020 breach.

In the end, the SEC dropped its charges against Brown, and in November he attended a virtual toast in his honor to celebrate the SEC dropping the case against him "without prejudice." More than 200 CISOs of top companies joined, including co-host Joe Sullivan. Ultimately, as Brown had hoped, the whole experience provided teachable moments to help push the CISO role up the maturity curve.

Changing internal mindsets

As CISOs burn out or leave under stressful circumstances, many turn to fractional work, as Kabir has. And, in his case, working with new clients gives him plenty of opportunities to turn red flags into green flags.


For example, he points to lack of board access and resources. In many of the cases he steps into, the previous cybersecurity leaders did not understand the business and talked technically over their executives' heads. As a result, he has had to win over fatigued, resistant executive teams that do not want to repeat those experiences with a new cybersecurity leader.

For these clients, he likes to call "all hands" to a meeting and conduct what he calls interactive "business continuity stress tests": tabletop scenarios that impact a revenue-generating activity. "Take manufacturing: if this machine is down for six to eight hours, what would be our revenue costs associated with this downtime? That gets attention," Kabir says. "Then finance starts talking within their teams and it goes beyond that to the CEO because now it's seen as a business issue."

CISOs, then, can change culture to turn a red flag into a green flag. But knowing when and how to do so depends on the indicators described above. Even in a fractional role, CISOs should still expect some of their clients to try to compromise their ethics, for example by covering up findings. Fortunately, that red flag usually reveals itself early in the audit, when executives and business units appear afraid to answer questions, as if trying to hide something.

"A lot of red flags have to do with a lack of security culture, or a mismatch in understanding the risk tolerance of the company and what the actual risks are. This red flag goes beyond that: if they don't want to be questioned about what they've done in the past, that is a huge red flag that they're covering something up," Kabir explains.

To be safe, he carries indemnity insurance and retains his own legal counsel, as should all CISOs with large enough salaries who report to the board and C-suite. Because, as in the case of Joe Sullivan and many other examples that go unreported, CISOs cannot count on their organizations to have their backs legally or professionally should the big one hit, especially if those executives, by virtue of their unresponsiveness and lack of support, are the cause of it.
