
Fortune 500 CISOs Play Musical Chairs

Burnout, culture, danger pay, and new opportunities contribute

David Braue

Melbourne, Australia – Aug. 27, 2021

Surging damages from cybercriminal attacks have driven the salaries of information security officers (CISOs) through the roof, with some companies offering seven-figure salaries to attract the right talent. So why is it so hard to keep CISOs in the job?

Study after study, after all, has shown that CISOs are job-hopping faster than most — with Cybersecurity Ventures recently finding that 24 percent of Fortune 500 CISOs have been working in their roles for just one year, on average.

Just 16 percent have been working in their current roles for two years, while 13 percent have lasted a whole three years.

Those “stunning” figures don’t say much about the longevity of CISOs, former White House CIO Theresa Payton told Cybercrime Magazine, but they raise bigger questions about just how companies can hope to defend their data while changing key security executives so frequently.

“The opportunity of a lifetime could be behind why so many CISOs are moving from job to job,” she said, noting that CISO salaries in the ultra-competitive U.S. job market are outpacing those in other countries.

Another key factor is burnout, noted Payton, presently CEO at Fortalice, a globally recognized cybersecurity company with offices in the U.S. and U.K.

Numerous studies have blamed high levels of stress amongst CISOs for the high turnover, with 65 percent of respondents in one recent survey admitting that they were considering leaving their jobs because of the extreme stress or burnout their jobs caused them over the last year.

Yet it doesn’t have to be that way, with some observers suggesting that bigger salary packages may be a symptom of the disease of burnout, rather than its cure.


Against the omnipresent stress that today’s cybersecurity climate imposes on CISOs, festering cultural issues can rapidly balloon into major stressors that drive many security executives to run for the doors.

Jean-Christophe Gaillard, managing director and founder of management consultancy firm Corix Partners, believes many CISOs have suffered from a lack of role definition and support by company executives that are often all too happy to leave the CISO holding the bag when things go wrong.

“Many CISO positions were created in response to rampant cyber threats across the last decade in industries which never had such roles in place,” he argues.

“They were created tactically with the operational objective of preventing breaches, by senior executives who didn’t really understand the context and the transversal complexity involved in the cyber protection of large organizations.”

This has left CISOs fighting perpetually in reactive mode, and has prevented them from developing the leadership and management skills needed to make the CISO role more strategic and high-level.

“Many CISOs struggled with limited resources and constant attacks, and never managed to build a meaningful narrative with management beyond mere firefighting,” Gaillard explains. “They were prevented from developing the softer skills, the personal gravitas, the political acumen, which are key to delivering complex initiatives in large firms.”

Think of it as danger pay

Stunted professional development and unending stress are hardly the kind of experiences that will keep CISOs anchored to their jobs, and chronically uncomfortable corporate relationships may well be a major contributor to CISOs’ seemingly low levels of company loyalty.

Another factor, of course, may be the eye-watering compensation packages that are being dangled in front of the top CISOs — with the average CISO salary in large U.S. companies pushing into the $500,000 to $1 million band.

Such high salaries reflect an expanding calculus on the part of risk-averse boards, who are rapidly coming to realize the potentially material financial losses that can be caused by a large-scale cybercrime attack.

Viewed through this ROI lens, it’s well worth paying million-dollar salaries to minimize the chances of an incident that could easily cost a hundred times as much.

Yet while high salaries may attract good talent, companies hoping to get their money’s worth still need to ensure their corporate culture recognizes and empowers CISOs to do the job they want to do — and not just the job that they manage to do between their superhuman efforts to just keep the lights on.

Companies that become known for CISO-unfriendly company cultures may actually struggle to compete in a job market where CISOs know there are numerous alternatives ready and willing to be far more supportive.

“If your company ends up being the victim of a cybercrime,” Payton explained, and “if indeed at some point you lose your CISO to go to another job, you may find it harder to attract the next CISO — and that pay and compensation package may be a bit of a shock.”

David Braue is an award-winning technology writer based in Melbourne, Australia.
