Why do CISOs change jobs so frequently?

Happy 2018, everyone — let’s hope that this is a good year for cybersecurity professionals and global cyber safety. 

Of course, an organization’s cybersecurity success is often a function of the effectiveness of the chief information security officer (CISO). A strong CISO can mean the difference between functional cybersecurity and constant chaos. 

Unfortunately, many CISOs don’t have a long shelf life. Industry research suggests that the average CISO tenure is only about 24 to 48 months, with many packing their bags even sooner. This begs an obvious question: Why do CISOs seek out other opportunities so often?

Top 4 reasons why CISOs change jobs frequently

ESG and the Information Systems Security Association (ISSA) sought to answer this question in a recent survey of 343 cybersecurity professionals and ISSA members.  The top four reasons cited were as follows:

• 38% of respondents say CISOs change jobs when they are offered higher compensation packages from other organizations. No surprise here, as CISOs are in high demand while the cybersecurity skills shortage has led to continuous salary inflation. Many CISOs are willing to jump ship when presented with an offer they can’t refuse.

When you look at the data beyond the almighty dollar, some other patterns emerge:

• 36% of respondents say CISOs change jobs when their current employer does not have a corporate culture that emphasizes cybersecurity. Given the job market for CISOs, don’t expect cybersecurity leaders to simply go through the motions if the corporation isn’t committed to the cause.
• 34% of respondents say CISOs change jobs when the they are not active participants with executive management and the board of directors. CISOs are business managers who oversee a technology discipline. The data indicates that they will quickly fly the coop when they are treated as glorified system administrators.
• 31% of respondents say CISOs change jobs when cybersecurity budgets are not commensurate with the organization’s size or industry. As hard as it is to believe in 2018, there are still plenty of organizations willing to nickel and dime the CISO and settle for “good enough” security. This isn’t a strategy for long-term CISO retention or strong cybersecurity for that matter.

Clearly, money matters to CISOs, but they also want to work for executives who are willing to fund, participate in, and cheerlead cybersecurity efforts across the entire organization. In lieu of this commitment, the CISO is as good as gone.

The data presented in this blog post is included in the recently published ESG/ISSA research report, The Life and Times of Cybersecurity Professionals (follow the link for a free download of the entire report).