Being a CISO is a hard job. You must constantly balance business, technology, and regulatory requirements against things like employee and adversary behavior. You can be a superstar, build a world-class cybersecurity program, and follow best practices, providing exceptional protection for the organization. Despite this excellence, a single employee can click on a malicious web link, share a password, or misconfigure an asset, leading directly to a successful cyberattack. When this happens, it's your fault.

Yup, CISOs have heavy responsibilities. How are they dealing with this burden? Not very well, according to research from ESG and the Information Systems Security Association (ISSA). The data reveal that 57% of cybersecurity professionals believe their organization’s CISO is only somewhat effective, not very effective, or not at all effective.

CISO performance depends on the situation

Reading between the lines of the research, it appears that lackluster CISO performance is often situational, and it creates a lot of the churn we see as CISOs move from job to job. Using the ESG/ISSA research, we can dig further into suboptimal CISO performance and attrition simultaneously. When asked why CISOs tend to change jobs every two to four years, security professionals answered as follows:

Thirty-three percent believe CISOs change jobs when they are offered higher compensation at another organization. It’s all about the Benjamins in many cases, which may have nothing to do with job performance or satisfaction. I heard lots of examples of CISOs being offered up to 40% more to move on. It’s hard for CISOs to say no, so it’s incumbent upon CEOs, boards, and HR executives to remember that strong CISOs are the sexiest of catches.
There will always be suitors, so the C-suite must monitor the hiring landscape and continuously assess what it can do to keep a successful CISO happy.

Thirty-one percent believe CISOs change jobs when their current organization has a culture that doesn’t emphasize cybersecurity. Clearly, a CISO’s job performance is highly correlated with cybersecurity culture. If it’s not there, employees will run amok, security will be glued onto applications upon production deployment, and the security team will remain in emergency mode — not exactly a healthy work environment. CISOs can influence culture, but CEOs (and HR) must drive cultural change. If this isn’t happening, CISOs can’t do their jobs and head for the exits.

Twenty-nine percent believe CISOs change jobs when the cybersecurity budget is not commensurate with their organization’s size. Money can’t buy love, but when spent wisely, it can help bolster cybersecurity protection. Don’t get me wrong. CISOs can and should manage and maximize expenses, but there are limits to what they can do. A chronically underfunded security program indicates a communications gap (i.e., CISOs can’t adequately explain what they need and why they need it), or more likely a philosophical gap (i.e., CEOs and boards don’t believe the organization is a target). Either way, CISOs can’t turn water into wine and tend to seek out “greener” pastures from a budget and situational perspective.

Twenty-seven percent believe CISOs change jobs when they are not an active participant with executive management and the board. There’s a pattern here. When CISOs are not engaged with executives and the board, business decisions eschew things like cyber-risk management or threat modeling. CISOs are perceived as “Dr. No” and can’t adequately protect the business, while the cybersecurity team lives in a constant state of firefighting.
CISOs tend to move on from this “can’t win” scenario.

Twenty-five percent believe CISOs change jobs when their organization treats cybersecurity as regulatory compliance. Hello, 2006 calling. Most organizations have moved on to understand the difference between strong cybersecurity and compliance checkboxes. Alas, some haven’t. This is a potential career killer, so smart CISOs move on quickly from compliance-centric firms.

CISO job search red flags

To be blatantly obvious, CISO success and tenure are highly correlated to executive management decisions at their organizations. While I’m sure that CISOs get a rosy picture from headhunters, HR managers, and executives during the interviewing process, savvy security executives probably know if they have any chance for success within the first few weeks. At that point, doubts are often followed by resume updates and career development plans.

During their job search process, CISOs should also watch out for red flags. If an organization has had several CISOs in the last five years, it could be that predecessors found more money elsewhere. Alternatively, maybe cultural, budget, and management hurdles make organizations a CISO “no man’s land.” Caveat emptor.