Even the most seasoned CISOs sometimes run into insurmountable roadblocks at their organizations. Despite their best efforts at building relationships, and even with their technical depth and business acumen, they can’t garner the support needed to protect their organizations — and themselves — from pending disaster.
In the big picture, CISO roles are hard, and so the majority of CISOs switch jobs every two to three years or less. Lack of support from senior management and lack of budget commensurate with the organization’s size and industry are top reasons for this CISO churn, according to The Life and Times of Cybersecurity Professionals report from the ISSA.
More specifically, CISOs leave because of limited board engagement, high accountability with insufficient authority, executive misalignment, and ongoing obstacles to implementing risk management and resilience, according to an ISSA spokesperson.
Many of these roadblocks are common across industries, so how does a CISO know when it’s time to move on?
They look for the flags.
Red flag: Paying lip service
A common red flag and reason CISOs leave their jobs is that leadership is paying “lip service” to auditors, customers and competitors, says FinTech CISO Marius Poskus, a popular blogger on security leadership who posted an essay about resigning from “security‑theater roles.”
So, even before signing onto a new job, Poskus suggests looking for recent events preceding the organization hiring its first-ever CISO. “I see this often. Usually after an impactful breach, they negotiate fines down by saying they’ll hire their first CISO. Actually, a friend in New Zealand reached out to me today with just such a story,” he tells CSO.
Other signs that executives are paying lip service to security include constant resource denials, lack of risk ownership, and failure to sign off on identified risks at the top level, leaving the CISO vulnerable. To this end, Poskus shared a security executive charter that outlines the responsibilities and accountability of senior executives around the cybersecurity program.
And, since lack of access to the board is a top-cited reason for leaving, Poskus says to look for problematic reporting lines that block access to executives, such as through a boss who refuses to report issues and requests to executives.
Red flag: Cognitive disconnect
Lack of access to executives and the board comes up repeatedly in Cybersecurity Ventures reports as a top reason CISOs decide to leave their jobs, according to Steve Morgan, founder of Cybersecurity Ventures. He cites lack of support as another top reason CISOs leave.
Splunk’s 2025 CISO report found 29% of respondents had adequate budget, compared to 41% of boards who felt cybersecurity budgets were adequate.
This cognitive disconnect was clear in Nawab Kabir’s case. He declined the prospect of taking a full-time CISO role to become a fractional CISO after a merger left him reporting to an IT director rather than the CEO, as he had previously. “One of the key red flags for CISOs is if their boss, usually the CIO or CTO, repeatedly blocks attempts to escalate missions to the CEO by downplaying the real risk, asking the CISO to accept that risk, and saying that the CEO simply doesn’t care. So, the risk never gets talked about in executive leadership meetings,” Kabir says.
After the merger, the initiatives and intervention strategies he developed never got past the director of IT (who came from the merger) to executive leadership. So, Kabir knew it was time to leave. “That’s one of the reasons I became a fractional cybersecurity leader, which I love because now I’m being hired to make a difference at my client companies.”
Red flag: Pushing ethical boundaries
Above all these, the biggest red flag is when leadership pushes against your professional and personal ethics. For example, when a CEO or board wants to conceal compliance gaps, cover up reportable breaches, and refuse to sign off on responsibility for gaps and reporting failures they’ve been made aware of. “This happens more often than we know because most CISOs won’t make public what happened behind the scenes that made them quit, especially when they’re looking for new jobs,” Poskus explains. “Your integrity is your most important asset, so that’s the biggest red flag when we talk about leaving a role rather than staying and fighting.”
In these types of scenarios, the CISO likely lacks critical allies within the organization. Recognize this sense of vulnerability, Poskus advises, because it’s a huge red flag. Human resources and legal teams in these situations won’t help because they owe their loyalty to the business, he adds.
Such was the case with former Uber CISO Joe Sullivan, who was thrown under the bus by Uber’s shady leadership after a 2016 breach. In contrast, SolarWinds CISO Tim Brown felt fully supported after a historic supply chain hack in 2020 spread to 18,000 enterprise customers through its Orion network management product patch update system.
“Joe was in such a difficult situation. The company was aggressive toward him, which was so different from my experience at SolarWinds,” says Brown, who had responded to the breach.
Green flag: They’ve got your back
In contrast to Sullivan’s employer, Brown shares that everyone involved in responding to the SolarWinds breach — from IT responders to communications, legal, and executives — felt the same way he did in terms of making things right for customers and regulators. “My situation was difficult, but manageable in many ways because of that support from my team. From day one, we had no question about doing the right thing. We chose transparency to our customers throughout the SEC filings,” Brown explains.
Even as a new CEO came onboard under a planned transition shortly after the breach, and as the SEC charged SolarWinds and Brown with fraud for certifying compliance with SolarWinds security shortly before the sophisticated supply-chain hack occurred, Brown has felt ongoing support.
Given his access to the board and CEO, Brown knew well before the breach that the company had his back. He also points to another green flag: the company’s commitment to tabletop exercises of impactful breaches. Throughout the practice scenarios, teams worked together under a customer-centric mandate that advocated transparency and education, the same playbook that they followed in the 2020 breach.
Eventually, the SEC dropped its charges against Brown, and in November, he attended a virtual toast in his honor to celebrate the SEC dropping the case against him “without prejudice.” More than 200 CISOs of top companies joined, including co-host Joe Sullivan. Ultimately, as Brown had hoped, the entire experience provided teachable moments to help push the CISO role up the maturity curve.
Changing internal mindsets
As CISOs burn out or leave under tense circumstances, many turn to fractional work as Kabir has. And, in his case, working with new clients gives him plenty of opportunities to turn red flags into green flags.
For example, he points to lack of board access and resources. In many cases he steps into, the previous cybersecurity leaders didn’t understand the business and talked technically over their executives’ heads. As a result, he’s had to convert fatigued, resistant executive teams that don’t want to repeat those experiences with a new cybersecurity leader.
For these clients, he likes to call “all hands” to a meeting and conduct what he calls interactive “business continuity stress tests” in table-top scenarios that impact a revenue-generating activity. “Take manufacturing: if this machine is down for six to eight hours, what would be our revenue costs associated with this downtime? That gets attention,” Kabir says. “Then finance starts talking within their teams and it goes beyond that to the CEO because now it’s seen as a business problem.”
CISOs, then, can change culture to turn a red flag into a green flag. But knowing when and how to do so depends on the indicators mentioned. Even with a fractional role, CISOs should still expect some of their clients to try to compromise ethics by covering up findings, for example. Fortunately, that red flag usually reveals itself early in the audit, when the executives and business units appear afraid to answer questions, as if trying to hide something.
“A lot of red flags have to do with lack of security culture or mismatch in understanding the risk tolerance of the company and what the actual risks are. This red flag goes beyond: If they don’t want to be questioned about what they’ve done so far, that is a huge red flag that they’re covering something up,” Kabir explains.
To be safe, he carries indemnity insurance and retains his own legal counsel — as should all CISOs with large enough salaries who are reporting to the board and C-suite. Because, as in the case with Joe Sullivan and many other examples that go unreported, CISOs can’t rely on their organizations to have their backs legally or professionally should the big one hit — especially if those executives, by virtue of their unresponsiveness and lack of support, are the cause of it.