Over the years, we’ve encountered myriad reasons why CISOs jump ship. So here, in a rough order of negative to positive grounds, are some of the most common reasons from our perspective.
This can take multiple different forms. Sometimes, a new CISO signed their new contract right on the cusp of disaster, a fact that may have been totally unbeknownst to them – and often the employer too! Alternatively, even with a capable CISO at the helm, an organisation’s approach to cybersecurity is simply a crisis waiting to happen.
This can happen for various reasons. Maybe the company doesn’t take security seriously enough, or simply doesn’t grasp how bad things really are. Maybe the CISO isn’t being given the power and autonomy to enact meaningful security change. Maybe the organisation is just burying their head in the sand. Or the employer might have a gung-ho attitude to wading into new projects and commitments without fully exploring the cyber risks first.
That’s not to say that the employer is necessarily being disingenuous here – sometimes they just don’t have a clue how bad things are!
Naturally, in what can be quite a close-knit space, any security employee wants to protect their reputation and future employability. But their employer just won’t correct course to avoid disaster. So if a breach seems inevitable, most CISOs will want to get out of there before the stuff hits the fan.
Sometimes, organisations begrudgingly see cybersecurity as something they need to do in order to appease regulators or auditors. Other times, security is approached as a PR exercise, where the organisation can stand up and proclaim “Your money/data/matters are safe with us because we have an in-house security team which reduces our risk.” Sometimes, it can be a bit of both!
But however you slice it, this isn’t just unfair for the CISO – it cheapens the efforts of the whole security team. It makes security something that is there to keep regulators off the organisation’s back, or perhaps as a bit of marketing showmanship. Needless to say, this is a surefire way to make sure that the CISO’s work isn’t going to be taken seriously.
Obviously a swift kick by auditors, regulators, or a PR crisis sometimes shakes some sense into organisations around cybersecurity and they start taking it more seriously. But some sadly just don’t learn that lesson.
Some organisations consider cybersecurity as an annoying cost centre that slows down processes and only seems to scold and find fault. No matter how hard the security team works for the company, little progress is ever going to be made when the security department is seen as little more than an expensive, bossy spanner in the works.
This devalues the efforts of the whole security team, but the CISO will likely feel it most acutely. There are only so many times they can hit their head against a brick wall before they simply have to jump ship!
Occasionally, a CISO will hit paydirt and get a great job with good autonomy and become a trusted leader amongst the board and its supporting characters. But then, something changes.
Sometimes, a new hire enters an organisation in a position of power and starts making sweeping changes, perhaps bringing in new people who are a cultural mismatch. Other times, an established member of the board might get a bee in their bonnet about a new way of doing things.
But whatever happens, it results in someone who doesn’t understand the costs and stakes associated with cybersecurity drawing fresh lines all over the org chart. It may even result in the CISO themselves getting moved further away from the board, or their influence getting drowned out with the addition of other voices.
Understandably, this kind of meddling can make the CISO’s lot rather miserable. But when the going gets tough, the CISO gets going – in this case, likely on to greener pastures elsewhere.
Many organisations know that they need a focus on cybersecurity, but they may not have the greatest track record with enacting change. Everyone wants to change until they actually have to put in the work to make that change happen! One of the most common gripes we hear from job-hopping CISOs is that the company didn’t offer them the support or autonomy they needed to create real, meaningful change.
This can happen for numerous reasons, which appear up and down this list. Maybe the company is inexperienced at having an infosec department and doesn’t know what to expect. Maybe there is a culture of mistrust within the organisation – especially around teams and concepts that are easily misunderstood or overly technical. Or they might just see security as a costly chore.
Whatever the reason, when a CISO’s steering falls on deaf ears, they’ll naturally want to move elsewhere in order to feel valued.
Having a CISO is essential for many organisations but being that CISO can be incredibly stressful. Even in relatively low-stress environments, there’s a heavy burden on security leaders’ shoulders, and sometimes that weight gets too much.
There’s still a great deal of stigma around things like stress, anxiety, and mental health matters as a whole, but they are very real and can be incredibly incapacitating. Sometimes, a CISO just needs a break.
Ah, the complex and often intractable matter of CISO reporting lines. Well-established roles like CFO and COO generally have a definite, set placement within the org chart. However, the role of CISO is a relative newcomer, and as such their placement isn’t always clear cut.
A confident and conscientious CISO will likely want to be as close to the board as possible – preferably on it. However, most CISOs report to the CTO or the CIO (especially in the UK) but this isn’t always a perfect pairing. CTOs can often have a gung-ho, can-do attitude towards new tech, whereas CISOs are there to identify the risks before taking action. A CIO/CISO alliance is a little more workable in my view as both roles are likely to have a good grasp on data and risk – but I think this relationship works much better when both roles wield equal power.
But sometimes, maybe due to inexperience or a lack of established technical departments, a CISO just gets put somewhere. This may be two or three steps away from the board, which withers their influence and their ability to act as an autonomous leader and decision-maker.
If the CISO isn’t placed somewhere where they can make their own strategic changes, they may well want to seek that power and autonomy elsewhere.
When a company suddenly grows very quickly, sometimes that change has happened at such a speed that established departmental pools of business culture and wisdom have simply been unable to form.
Amidst this swirling chaos it can be hard to stake your claim in any department and announce the kinds of changes to culture, operations, and habit-forming that a CISO needs to spearhead. Amidst the change, the CEO(s) who oversaw this growth will likely have their own learning, catching up, and occasional humbling to do.
This is not an impossible task for the right CISO with the right mindset, but it’s certainly not for the faint of heart!
The current lack of available cybersecurity talent is well documented. If a CISO is unable to build a dependable team under them, they are unable to effectively do their job. Finding the right cyber talent at any level of seniority can still feel a little like finding a needle in a haystack, especially if the employer hasn’t focused on creating an attractive employer brand.
When there aren’t enough butts in seats to maintain or improve a company’s security posture, constant firefighting ensues, often meaning there’s little time or effort left to proactively improve the organisation’s security posture. The CISO is the one who gets the blame when these shortcomings bear fruit. So, many leaders simply decide to move on.
The remote working revolution that was spurred on by COVID-19 caused many of us to reassess our work-life balance. And even as we emerge from the other side of the pandemic, it’s a trend that’s still helping workers spend more time with their loved ones and spend less time commuting with their face stuck in someone’s armpit on the train.
However, remote working has become a contentious topic of late. Some employers are now mandating that their workers come back into the office most or all of the time – which creates a problem for those who have relied on remote working to create a life that truly benefits them and their families.
We recognise that those in leadership positions like CISOs often do value some in-person, face-to-face time in the office with their teams, fellow leaders, and stakeholders. It builds rapport, and establishes them as a presence in the workplace that’s more than just a rectangle on Zoom. But the desire to work remotely has been the reasoning behind some of the recent conversations I’ve had with CISOs, so it makes this list!
Over time, our perspectives naturally change. And sometimes, those who work in contentious industries morally “fall out” with that industry. Industries like alcohol, gambling, tobacco, fossil fuels, meat, and fast fashion all have their critics.
If a leader’s heart is no longer fully behind the industry, it makes sense to take their expertise to a different industry that doesn’t keep them awake at night.
Working in critical infrastructure, especially in leadership, is a real “love it or hate it” experience. Some love the opportunity to enrich, and even save, lives by supporting emergency services, utilities, and healthcare. But for others, the strain of making decisions that could negatively impact swathes of people becomes too much to bear.
For example, if a breach happens to a bank, their chief risk is a loss of funds and data. Aside from regulatory fines, disruption to productivity, and unhappy customers, their insurance will generally be able to cover much of the financial fallout. However, an attack on certain critical infrastructure can affect thousands of people’s ability to function, and could even lead to loss of life.
The responsibility here is huge – some really relish it, others grow weary of the responsibility.
A CISO might feel the pull towards a different sector. They may have identified a bank of transferable skills that would take their career in a different or more rewarding direction. Or perhaps they’re keen to get to grips with a different industry’s unique foibles.
In other cases, “a change is as good as a rest”. Sometimes, CISOs have done a great job in their position, but they want to move on to new pastures. No hard feelings, no judgement, they’re just ready for their next challenge!
Moving towards contracting can be a great move for senior leaders of all stripes. The ability to work on multiple assignments simultaneously often makes the move more financially viable. They are generally removed from the dreaded company politics. They can work whenever and wherever they like as they’re their own boss. And they are often listened to more readily as they are an independent advisor who is charging a hefty daily rate!
The only disadvantage we can see is chiefly on the European side of the pond as notice periods for senior permanent positions can run up to three, sometimes even six months – putting a roadblock in the path of someone wanting a speedy journey to contracting.
Once a CISO has turned around a department, or embedded the best possible security, they might not want to simply coast in that environment. Transformation might be what lights their fire, so once they’ve embedded security, built a strong team, created secure processes – it’s time to be a security superhero somewhere else. Alternatively, a CISO may be looking towards retirement, potentially ready for a role as a Non-Executive Director.