Built to fail: the structural indicators that doom CISOs
If nearly a quarter of Fortune 500 chief information security officers last just one year in the role, we need to stop asking what’s wrong with CISOs—and start asking what’s wrong with how we set them up.
The narrative around CISO failure follows a familiar pattern: breach happens, heads roll, organisation brings in a “better” security leader. Rinse and repeat. But when 24 per cent of Fortune 500 CISOs have been in their current position for an average of just one year—with overall average tenure of 26 months, according to Cybersecurity Ventures’ 2020 Fortune 500 CISO analysis—compared to 4.9 years for other C-suite executives, the problem isn’t the talent pool. It’s the fishbowl.
After analysing dozens of recent research studies from leading firms, a clear pattern emerges: most “failing” CISOs aren’t failing. They’re being structurally failed by their organisations long before they arrive.
The credibility paradox: authority without power
Consider a composite scenario reflecting common patterns. Sarah, CISO at a mid-sized financial services firm, lasted 11 months in the role. She identified critical vulnerabilities, presented remediation plans to the board and watched her recommendations get tabled, twice. When a breach inevitably occurred, she was out within weeks.
Her mistake wasn’t technical. It was accepting a role where she had responsibility without authority.
Seventy-nine per cent of CISOs report feeling boardroom pressure to downplay the severity of cyber risks, according to Trend Micro’s 2024 CISO Credibility Gap research. One-third say cybersecurity is still treated as part of IT rather than business risk.
This is the credibility paradox in action. Boards hire CISOs to manage existential risk, then treat them as technical support staff reporting to the CIO.
Gartner’s 2024 Board of Directors Survey shows that 84 per cent of directors classify cybersecurity as a business risk. Meanwhile, other research indicates a persistent literacy gap at the board level, creating a governance blind spot.
The warning signs are structural:
Reporting structure matters. When a CISO reports to the CIO, they face an inherent conflict of interest. The CIO is typically measured on speed, innovation and uptime—delivering projects on time and keeping systems running. The CISO’s mandate often requires slowing down deployments, adding security controls and occasionally saying no. When forced to choose between project deadlines and security requirements, even well-intentioned CIOs face impossible trade-offs.
Regulators are taking notice. In Canada, OSFI’s Guideline B-13 on technology and cyber risk management expects roles like the CISO to have “appropriate stature and visibility” within federally regulated financial institutions—an explicit cue that buried reporting structures undermine effective oversight.
Board access predicts satisfaction. IANS Research found that CISO satisfaction with leadership’s handling of security budget requests drops dramatically without regular board engagement: just 28 per cent of those without board contact are satisfied versus 57 per cent with at least infrequent interaction.
It’s like hiring a fire chief, ignoring their warnings about faulty wiring, then blaming them when the building burns down.
The resource mismatch
Here’s the pattern that most reliably precedes CISO failure: growing security mandates paired with shrinking (or lagging) budgets.
Team8’s 2025 CISO Village Survey shows that 52 per cent of CISOs report a budget increase in 2025—down from 70 per cent in 2024. Meanwhile, the attack surface expands, AI-enabled threats accelerate and regulatory requirements intensify.
The data is damning. Only 29 per cent of CISOs report having proper budget for cybersecurity initiatives, Splunk’s 2025 CISO Report indicates. More critically: 62 per cent said postponing an upgrade due to budget cuts led to a successful attack.
Every department head argues for more budget—marketing, R&D, operations. But cybersecurity budget requests are fundamentally different. Unlike a marketing campaign with measurable ROI or a product launch with revenue projections, security spending prevents catastrophic loss. It’s insurance, not a growth investment. The CISO’s success is often invisible—a breach that didn’t happen.
IBM’s Cost of a Data Breach Report 2024 found that the average breach costs USD $4.88 million—up 10 per cent year over year (and up from $3.86 million in 2020). Yet organisations consistently underinvest in prevention while absorbing massive costs after incidents.
The test is simple: has your security budget grown proportionally to your attack surface? Can your CISO articulate which risks are being accepted due to resource constraints—and has leadership formally acknowledged those decisions?
If not, you’re not setting your CISO up for success. You’re setting them up as a future scapegoat.
The culture cascade
In 2019, Capital One experienced a massive data breach affecting over 100 million customers. Post-breach reporting revealed something more troubling than the technical vulnerability: employees had raised concerns about high turnover in the cybersecurity unit, with about one-third leaving in 2018 alone.
The breach wasn’t just a technical failure. It was a cultural collapse that manifested as a security incident.
A 2024 survey reported by InformationWeek found that 66 per cent of cybersecurity professionals said their job was more stressful than five years ago. Earlier research covered by Help Net Security found that leaders were seeing rising turnover, with one in five security professionals considering leaving within six months—a durable warning signal.
This isn’t normal attrition. This is a toxicity indicator.
The warning signs are recognisable. When security is treated as a mere compliance requirement rather than fundamental risk management, it weakens overall resilience and leads to bare-minimum adherence.
Public shaming after security incidents creates a fear-based culture. If employees fear repercussions for mistakes, they’re less likely to report incidents or vulnerabilities, leading to unaddressed security gaps.
The “zero-intrusions-allowed” mindset punishes defenders for uncovering problems rather than rewarding resilience. As Rob Lee, chief of research at SANS Institute, told Dark Reading: “Organisations with this mindset expect absolute perfection and blame security teams even when threats are successfully detected and mitigated.”
The cascade effect is measurable. Between 2022 and 2023, CISO satisfaction fell by 10 points to 64 per cent, while those open to a job change rose to 75 per cent, according to IANS Research’s 2023–2024 benchmark report.
Your security team’s turnover rate is a leading indicator of impending CISO failure. If it exceeds 20 per cent annually, you don’t have a hiring problem—you have a culture problem.
The board–CISO gap
Picture this scene, repeated in boardrooms across North America: a CISO presents mean time to detect, vulnerability counts and patch compliance rates. Board members nod politely, then ask: “But are we secure?”
It’s the wrong question, asked by people who don’t have the context to ask better ones.
PwC research shows that 59 per cent of directors admit they struggle to understand cyber-risk drivers. This knowledge gap creates a dangerous dynamic: boards can’t effectively oversee what they don’t understand, yet they hold CISOs accountable when things go wrong.
The communication gap is a shared failing. CISOs must translate technical risks into business language—this is a fundamental executive responsibility. CFOs translate complex accounting standards for boards. General counsel translate legal risk. Security leaders must do the same.
But effective oversight requires both a skilled translator and an educated audience. Splunk’s 2025 CISO Report found that among respondents who indicated a “very good” or “excellent” CISO-board relationship, 44 per cent of CISOs believed they were adequately communicating security-milestone progress, while only 29 per cent of board members believed the same.
Even when CISOs think they’re communicating well, boards disagree. This suggests the problem isn’t just translation—it’s comprehension.
Boards have a fiduciary duty to develop sufficient literacy to govern one of the organisation’s most significant risks. Only 29 per cent of organisations report having at least one board member with cybersecurity expertise. Effective governance is a two-way street.
The liability trap
On Oct. 30, 2023, the U.S. Securities and Exchange Commission did something unprecedented: it charged a CISO individually—SolarWinds’ Timothy Brown—marking the first time the SEC had charged a cybersecurity executive directly.
A July 2024 court ruling dismissed most of the claims, and the parties reached a preliminary settlement in July 2025, with a Sept. 12, 2025, deadline for the final paperwork, subject to approval by the SEC’s commissioners.
The shockwave is still reverberating through security leadership.
More than half of private-company CISOs lack protections like directors and officers (D&O) insurance or indemnification, according to Hitch Partners’ 2025 CISO Security Leadership Survey.
The issue isn’t accountability itself: holding executives personally accountable for their domains is good governance. The Sarbanes-Oxley Act did this for CEOs and CFOs, who must personally certify their companies’ financial reports, and it improved financial transparency.
The problem is the dangerous imbalance. CISOs are being asked to accept CEO-level liability without CEO-level authority, resources or protections. This creates a trap where they’re held responsible for outcomes they don’t have the power to control.
Court documents show that Brown had flagged the organisation’s security as “very vulnerable” shortly after joining, yet externally the company asserted it “placed a premium on the security of its products.”
Splunk’s 2025 report found that one in five CISOs had been pressured not to report a compliance issue. When personal liability enters the equation, that pressure intensifies.
The self-assessment framework
Rate your organisation honestly on these eight indicators:
1. Authority alignment
Does your CISO have budget authority matching their responsibility?
Red flag: CISO must seek approval for every tool and hire
2. Access deficit
How many organisational layers separate your CISO from the CEO?
Red flag: CISO reports to CIO/CTO who reports to CEO
3. Board engagement quality
Quarterly strategic sessions or annual compliance check-ins?
Red flag: Board sees CISO only after incidents
4. Team stability
Security team turnover rate versus company average?
Red flag: Turnover exceeds 20 per cent annually
5. Resource reality
Has security budget grown proportionally to attack-surface expansion?
Red flag: Flat security budget while the organisation doubles in size
6. Communication effectiveness
Can your board understand CISO reports without translation?
Red flag: Board asks “But are we secure?” after presentations
7. Culture indicators
Can security team members report mistakes without fear?
Red flag: Security incidents followed by blame sessions
8. Liability protection
Does your CISO have D&O coverage or indemnification?
Red flag: No liability protection while facing personal legal risk
Scoring:
- Zero to two red flags: your CISO has a fighting chance
- Three to four red flags: high risk of failure within 24 months
- Five or more red flags: you’re not retaining your next CISO
The fix—before it’s too late
For boards
Stop treating cybersecurity as a technical problem requiring a technical solution. Most directors already say they classify security as a business risk; board oversight practice should match that classification.
Invest in board education. If you can’t explain the difference between a vulnerability scan (an automated inventory of known weaknesses) and a penetration test (a human attacker attempting to exploit those weaknesses to demonstrate real impact), you can’t effectively oversee security.
Create psychological safety for bad news. Trend Micro found that 79 per cent of CISOs feel pressure to downplay risks—that pressure comes from you.
For CEOs
Recognise that CISO turnover is a leading indicator of organisational dysfunction, not individual failing. When 24 per cent of Fortune 500 CISOs last just one year, systemic issues are at play.
Make security a team sport. Build security into objectives and key results (OKRs) and key performance indicators (KPIs) across the organisation. When security aligns with individual success metrics, it stops being “extra work” and starts being core business.
For CISOs
The structural issues outlined here don’t absolve security leaders of their responsibility to adapt and influence. The most effective CISOs recognise these headwinds and actively work to overcome them by becoming masterful translators of risk and skilled internal diplomats.
However, when structural flaws run too deep, even the most talented leader will fail. Ask these questions during the hiring process:
- Who does this role report to, and why?
- How often does the CISO present to the board, and what’s covered?
- What’s the security team’s turnover rate?
- What happened to the last person in this role?
- What budget authority comes with the position?
- What liability protections are provided?
If the answers reveal structural problems, walk away. For CISOs already in structurally flawed roles, start reframing the conversation. Quantify accepted risks in financial terms and present the board with clear, business-aligned choices rather than technical warnings.
Life’s too short to take a job designed for failure.
The real measure of success
The conversation about CISO failure needs reframing. A successful CISO isn’t one who prevents all breaches—that’s impossible. A successful CISO operates in an organisation that enables them to identify risks, communicate them effectively, secure resources to address them and maintain a resilient team.
The real question isn’t “Is our CISO good enough?” It’s “Have we created conditions where excellent CISOs can succeed?”
SOCRadar’s 2024 analysis shows that the average tenure of a CISO is roughly 26 months—significantly lower than other C-suite roles. That’s not a CISO problem. That’s an organisational design problem.
Before you hire your next CISO—or judge your current one—audit the structure first. Because if you’ve built a fishbowl where even the best fish suffocate, the problem isn’t the fish.
It’s time to fix the fishbowl.
Disclaimer
This publication is for general information only and does not constitute legal, compliance, financial or other professional advice. The views expressed are the author’s own and do not necessarily reflect those of any current or former employer, board, client or affiliate. Examples of individuals are composites unless expressly identified; any resemblance to real persons is coincidental. References to organisations, incidents, studies and statistics are drawn from publicly available sources believed to be reliable as of Oct. 14, 2025, but accuracy and completeness are not guaranteed. Nothing herein alleges misconduct by any specific individual or organisation. Do not act on this information without obtaining advice suited to your circumstances. If you believe any material is inaccurate, please contact the author to request a correction or removal.