Opinion / Commentary

The CISO Role Is Structurally Broken — and Fixing It Requires Honesty About Why

The average CISO tenure is 18 to 26 months. We treat this as a talent pipeline problem. It isn't. It's a governance problem that the industry has been unwilling to name clearly for fifteen years.

CipherWatch Editorial · Security Intelligence Platform

I left my last CISO role after twenty-two months. The month I left, two peers I’d known for years also stepped down — one from a major insurer, one from a logistics firm. All three of us had what looked from the outside like stable, well-resourced programmes. All three of us hit the same wall.

The wall isn’t burnout in the conventional sense, though burnout is a symptom. The wall is a specific governance structure that makes the CISO role impossible to perform with integrity, and the industry’s collective response has been to treat this as a personal resilience problem rather than a structural design failure.

What the Role Actually Is

The CISO is, in most organisations, the person who is accountable for outcomes they do not control. They do not control the software purchasing decisions that create the attack surface. They do not control the cloud migration timelines that determine exposure windows. They do not control the staffing levels that affect patching velocity. They frequently do not control whether a recommended security control gets funded.

What they do control is the reporting. They write the risk register. They present the board update. They sign off the audit findings. And when a breach occurs, their name is on the programme that was supposed to prevent it.

This is not a job description. It is a liability arrangement.

The technical term in risk management is “accountability without authority.” It is well understood in governance theory as a condition that produces predictable failure modes: the person with accountability but without authority will either pretend to have more control than they do (producing optimistic risk reporting), or they will report accurately and find themselves rapidly at odds with the organisation (producing conflict, then departure).

Both outcomes are common in the CISO role. Both lead to the same 18-to-26-month tenure.

Why Boards Don’t Fix It

Board members understand accountability and authority. In every other part of the business, the principle is applied consistently: the CFO controls the finance function, the CMO controls the marketing function, the COO controls operations. The scope of accountability matches the scope of authority.

The CISO is different because the CISO’s accountability encompasses things every other executive controls. Fixing the misalignment would require giving the CISO authority over decisions that currently belong to the CTO, the CIO, the CPO, and the business unit heads. That is politically difficult. It is also the only structural fix that works.

What boards do instead is give the CISO a seat at the table, a slightly larger budget, and a direct reporting line to the CEO or board audit committee. These are improvements in visibility, not improvements in authority. The CISO still cannot require the CTO to delay a product launch because the security review isn’t complete. They can recommend. They can escalate. They can document the risk acceptance. But if the launch happens, the risk is on the CISO’s scorecard.

The Personal Liability Acceleration

This situation was already difficult. It has gotten significantly worse since regulators began pursuing individual liability for security failures. SEC enforcement actions, FCA guidance, NIS2 personal accountability provisions — the regulatory environment is systematically increasing the personal consequences for CISOs while doing nothing to increase their authority.

The result is predictable: experienced CISOs are pricing the liability into their decision about whether to take the role at all, or under what conditions. The best candidates are negotiating for meaningful authority as a condition of appointment or declining roles where the governance structure makes success impossible. Organisations that won’t offer that authority are selecting for people who either haven’t yet understood the risk or are willing to accept it. Neither produces good security outcomes.

What Would Actually Help

The CISOs I’ve seen succeed — genuinely succeed, not just survive — share one characteristic: a CEO or board chair who had decided, before the CISO arrived, that security decisions would carry real weight in the organisation. Not “we take security seriously.” A demonstrated willingness to delay a product, decline a partnership, or absorb a commercial cost when the CISO said the risk was unacceptable.

This doesn’t happen because the CISO is persuasive. It happens because the board has internalised that security risk is business risk and that the person they hired to manage it needs to be able to manage it.

The organisations that run stable, effective security programmes aren’t the ones with the best CISO talent pipeline. They’re the ones where the governance model made it possible for a good CISO to stay.

Until the industry is willing to say that clearly — that the tenure problem is a board governance problem, not a talent problem — we’ll keep running the same search, paying the same recruiters, and losing the same people at the same rate.

I speak from recent experience.