The great CISO resignation according to CISOs

We talk with dozens of CISOs every week. They share their plans, frustrations and ideas with us and we’re often the first to know when they are leaving a job or looking for a new one. We think we have a pretty good finger on the pulse of what CISOs are worried about.

That’s why we were pretty surprised to read “The great CISO resignation isn’t what it looks like” by Ross Haleliuk (@ventureinsecurity). This excellent, data-driven article uses the best public data available to analyze how many F500 CISOs have actually resigned over the last few years. The article is well worth reading, but the data conflicted with our perception that “the great CISO resignation” is very real.

Here’s why we were surprised.

Not long ago, we started seeing several articles explaining why CISOs were resigning in droves, so we shared one of them on LinkedIn and the post immediately attracted lots of comments.

We had CISOs coming out of the woodwork to comment on the post and give us their two cents on this topic.

When this happens, we sit up and pay attention.

We got such a strong response that we put together a quick survey to try to figure out how many CISOs were really considering resigning. Just over 100 CISOs, mostly from U.S.-based organizations, responded, and the results were surprising.

We knew that many CISOs are frustrated, but we were surprised to learn that over three quarters of those who responded were actively considering leaving.

We also asked about the reasons behind the dissatisfaction fueling the decision to move.

We realize that many of these factors are interrelated, and they vary for each CISO depending on what was happening inside their companies when they responded.

However, based on the survey results and our conversations with thousands of CISOs, we think that the single biggest issue for CISOs who are actively looking for a new position is the lack of support from senior management and the board.

CISOs have always been ultimately responsible for the security posture of the organization, but the decisions that affect security complexity and risk are made by the entire management team and the board.

In the past, CISOs have grudgingly accepted this but they have never agreed with it (note that in the responses below exactly zero percent say the CISO should be responsible, and we’re not surprised about that either).

What CISOs are telling us is that the risk/reward equation in the job of CISO has fundamentally changed over the last couple of years.

The recent Wells notices from the SEC to the CISO and CEO of SolarWinds and the prosecution of the former CISO of Uber are part of the new risk calculus. This is especially notable when you consider that the majority of CISOs we’ve talked to don’t have the E&O insurance other company officers routinely receive.

When you look at these factors from the CISO’s point of view (and there are many other findings we haven’t touched on), no one should be surprised that a lot of CISOs are actively looking for a new gig.

After all, how many CEOs and CFOs would be willing to continue in their current positions if they face the risk of lawsuits or prosecution that could impact their home and family for business decisions that are made collectively?