Has CISO become the least desirable role in business?

After nine years as CSO and senior vice president of IT at Sumo Logic, George Gerchow had had enough. The job was stressful and he was burnt out. So, after some soul searching, he took a different job — as head of trust — at MongoDB. Not long after he arrived, the CISO quit, “which is a pattern that I’m seeing over and over again,” Gerchow says.

Then, Gerchow became the interim CISO.

“It reinspired me to have the job,” Gerchow recalls. “All my juices started flowing again.” But it took Gerchow a few months to realize that being a CISO was what he still wanted to do; a view he says not many of his peers shared.

“I’ve never seen more of my colleagues leave the role … within past two years,” he says.

Being a CISO today is not for the faint of heart. To paraphrase Rodney Dangerfield, CISOs (some, anyway) get no respect.

You’d think in a job where perpetual stress over the threat of a cyberattack is the norm, there would be empathy for security leaders. Instead, they face the growing challenge of trying to elicit support across departments and managing security threats, according to a recent report from WatchGuard.

To add insult to injury, “As regulatory and policy demands grow, including requirements for the CISO to personally certify the cybersecurity integrity of their business, they will face greater personal accountability and legal risk in 2025 and beyond,” the report notes.

The tensions of the job don’t stop there. Like Gerchow experienced, CISOs are facing increased burnout. They also have the heightened pressure of trying to reduce turnover and finding qualified candidates willing to tackle the role. It begs the question, has the CISO role become the least desirable job in business?

For Gerchow, the answer is unequivocally, yes.

Structurally underpowered

A lot of the problems CISOs encounter have to do with the reporting structure, and the fact that the role is “buried layers below” others in the C-suite, Gerchow notes.

“I’ll never report to a CTO or CFO again. I have to have seat at the table,” he says emphatically. Otherwise, he says, you become frustrated “because you’re not in control of your own destiny. You’re parsing everything to this other person who’s a leader in the company — and you potentially have the riskiest job in the entire organization.”

Maggie Myers, a managing consultant at Korn Ferry, recently spoke with a CISO who told her the pressure has never been higher and the control has never felt lower. “I think in many cases [the CISO role has] become unsustainable,” Myers says.

Echoing Gerchow, she adds, “The reason why has a lot to do with how it’s structured. I think that’s the real issue here. The script is changing a little bit,” but CISOs are still expected to manage risk.

It’s no secret CISOs are under tremendous pressure. “They’ve got the regulatory scrutiny, they’ve got public visibility,” along with the increasing complexity of threats, and “AI is just adding to that fire, and the mismatch between the accountability and the authority,” says Myers, who wrote “The CISO Dilemma,” which explores CISO turnover rates and how companies can change that moving forward.

Often, CISOs don’t have the mandate to influence the business systems or processes that are creating that risk, she says. “I think that’s a real disconnect and that’s what’s really driving the burnout and turnover.”

For Amit Basu, vice president, CIO, and CISO of International Seaways, the problem is that “CISOs often lack formal indemnification, clear governance authority, or tailored [directors and officers] protection,” he says. “In many cases, the CISO is tasked with managing enterprise risk while remaining structurally underpowered to influence it fully.”

It is this imbalance that is driving burnout, turnover, and growing reluctance among senior cybersecurity leaders to step into or remain in these roles, Basu believes.

A lack of support

On the flip side, Corey Nachreiner, CISO/CSO at WatchGuard, doesn’t believe the CISO is the most undesirable role. Yet, he adds, being a CISO “can often feel like trying to win a game of dodgeball with one arm tied behind your back. You’re expected to thwart every cybersecurity threat without always having the resources or support to do so effectively.”

Nachreiner cites a survey from Nominet that finds 91% of CISOs suffer moderate to high stress. “The job involves a perpetual cycle of stress, knowing a cybersecurity incident could hit anytime,” he says. “Threat actors grow more cunning, and even nation states take aim at civilian companies. Yet, the true challenge lies in how businesses often see cybersecurity as a necessary evil rather than a top priority. It’s as if the CISO’s motto is, ‘All risk, little reward.’” 

Gerchow says another factor making the job undesirable is that the CISO is being asked to do more than ever. For example, in addition to other regulations, CISOs must now ensure their organizations comply with the Digital Operational Resilience Act (DORA), an EU regulation focused on strengthening financial entities’ digital resilience.

The added scrutiny of DORA, Gerchow says, is “crushing companies.”

Human vs. position problem

Some CISOs are stepping back from operational roles into more advisory ones. Patricia Titus, who recently took a position as a field CISO at startup Abnormal AI after 25 years as a CISO, does not think the CISO role has become less desirable. “The regulatory scrutiny has been there all along,” she says. “It’s gotten a light shined on it. … Regulators may be getting smarter and asking more direct questions.” 

Titus attributes the increased burnout to the fact that “we’re not doing a good job of balancing. That to me is a human problem versus a position problem.”

This is an issue in other C-level positions as well, she notes. “The question in my mind is, Are CISOs at the point where the position needs to be elevated to the right level,” with the “right support from your leadership?”

Titus has seen burnout occur when there isn’t good succession planning and “people are hoarding the power versus sharing the responsibility.” She recalls one security job she was in that caused “stress-induced eczema, and my health was a hot mess, and I had to make some conscious decisions about what to do about that.”

In her dealings with another leader at the time, Titus says she “tried everything in my bag of tricks to make the relationship better, stronger, and healthier.” But it got to the point where “I felt this person and I aren’t going to see eye to eye and that’s where you agree to disagree.” Ultimately, she left the company and found “a better job.”

If you’re running a strong security program, Titus says, the CISO should be able to say where the strengths and weaknesses are.

“I believe this job is an exciting job and requires a person who is multidisciplined. You have to use critical thinking skills, you have to understand the business,” she says. “It’s not the CISO job of 20 years ago. It’s an evolving field and position.”

Her role is to bring her expertise to help customers with problems in an advisory capacity.
Although Titus no longer has operational responsibility, she says she still feels “very wed to making sure that we’re protecting customer data” and helping the newly hired CISO.

The company also has a second field CISO and a total of four people who are security professionals. “To me, that’s the best of all worlds.”

She believes the CISO role is undesirable in companies that have seen a lot of job cuts coupled with the economic downturn and financial struggles. When the CISO also has to let people go, that can create an extremely stressful situation, she says.

“That’s where I could see CISOs say, ‘I have to get out of here,’” Titus says. “Have I been in positions where I feel I have been set up for failure? If I said no that would be a lie.”

While companies focus on their core business operations, a savvy CISO will aim to support that with minimal risk, WatchGuard’s Nachreiner says. “But the Catch-22 is that tackling this requires money and human capital, which are often in short supply,” he says. “As budgets tighten, security becomes the proverbial belt to be tightened further.”

Like Titus, Nachreiner says cybersecurity is fundamentally a human challenge, and all employees must do their part. “Yet, motivating them can feel like herding cats, particularly when their plates are already full. Lack of collaboration can sap morale faster than a data breach.”

An association for CISOs

The fact that there is discussion about the CISO role becoming the least desirable in business today reflects a growing tension many CISOs are feeling, observes International Seaways’ Basu. “While the role has never been more critical to an enterprise, it has also never carried more personal risk, pressure, or ambiguity,” he says.

With the evolution of the CISO from a back-office technical guardian into a strategic risk leader has come increased visibility, but also “disproportionate scrutiny and lack of protection,” Basu maintains. “CISOs now face the prospect of personal liability, criminal exposure, and reputational damage for decisions made within complex, often under-resourced environments, many of which fall outside their direct control.”

Recent enforcement actions and legal precedents have made it clear that regulators are no longer satisfied with corporate accountability and are holding individuals responsible, he adds.

“But the answer is not to undermine the position; it requires formalizing legal protections, defining authority and reporting lines, and recognizing cybersecurity leadership as a profession — complete with accreditation, ethical codes, standard operating procedures, and peer support,” Basu says.

“A CISO with standards, accreditation, legal backing, and a professional community is an enterprise asset, but a CISO without protection is a vulnerability.”

Furthermore, the CISO role “remains inconsistently defined across industries, and in far too many organizations, CISOs are held accountable without being granted the requisite authority, resources, or legal protections,” he says.

For those reasons, Basu is helping to establish a professional association for CISOs modeled on entities like the Bar Association or the Society of CPAs. It is calledThe Professional Association of CISOs (PAC), and the goal is to formalize the profession through standardized accreditation, advocate for legal protections, and foster a strong, supportive peer network.

“It’s time this critical leadership role is afforded the structure and recognition it rightfully deserves,” Basu says.

The CISO role is not becoming undesirable because it lacks relevance, he says. “On the contrary, it is vital to the future of enterprise trust and resilience. It is undesirable only when we fail to match responsibility with protection. If we want to attract and retain top talent in these roles, we must build the guardrails that allow CISOs to operate with authority, integrity, and confidence.”

The silver lining

These issues aren’t insurmountable, says WatchGuard’s Nachreiner. “Realizing that the CISO role is more human-centric and political than technical is key. It’s not just about wizardry with network defenses; it’s convincing the board to greenlight projects that don’t immediately boost profits, rallying department heads to embrace security measures, and nudging employees to tweak their everyday habits,” he says.

If you thrive in an environment where your curiosity is never satisfied, you’re always thinking a step ahead, and every day is different, the CISO role remains ideal, says Abnormal AI’s Titus. “Every day you’re learning new things about the field and every day there’s constant innovation happening, making my job better and faster,” she says.

“At the end of the day, while the CISO role is demanding, with the right mindset and approach, it remains a critical and rewarding position filled with potential to drive meaningful change,” agrees Nachreiner.