CISOs burn out faster as liability and risk soar

CISO burnout – A CISO job that once focused on defending networks has stretched into crisis response, regulatory policing, and business diplomacy—often with no real training runway. With typical CISO tenure reported at just 18 to 26 months, and surveys showing many are alrea

When Chad Kliewer woke up at 3 a.m., he wasn’t checking dashboards—he was listening to a doctor calling from a rural hospital where the internet had gone out. The doctor couldn’t send scan results to a radiologist, and Kliewer remembers the doctor saying: “I don’t know whether to put this patient on a helicopter or send him home.”

At the time, Kliewer was the head of information security at a hospital system. As the top—and lone—security worker, he says he was on the hook for everything that followed.

“It’s not just my job,” he said. “I’m not an ER doctor, but yet the ER doctors are depending on my services.”

Kliewer describes a strain that didn’t stay in the abstract. He says the stress of the work went beyond normal exhaustion—his hair didn’t just turn gray, it started to fall out. He also says he experienced what he now recognizes as work-induced panic attacks, fueled by pressure that came with phone calls at any hour of the day. Those calls weren’t theoretical. They were about IT outages and HIPAA compliance issues. They meant messaging colleagues while out of office and on vacation.

For CISOs, or chief information security officers, Kliewer’s story is increasingly recognizable—because the job, as described by multiple executives and surveys, has moved from “security operations” into something broader and harder to sustain.

The numbers show how fast the role is churning. Cybersecurity Ventures estimates the typical tenure of a CISO lasts just 18 to 26 months, compared with nearly five years for other C-suite roles. In parallel, nearly 70% of CISOs say they are open to changing jobs—or even leaving the CISO role entirely—within the next year, according to a report from security research firm IANS. Half of CISOs say the scope of the job has become unmanageable.

Part of the strain comes from what the role has become. CISOs are expected to bridge the technical side of a company with its business objectives, reaching across finance, human resources, and day-to-day operations. They are seen as the Department of No, slowing attempts to adopt AI because white-collar workers can end up plugging sensitive data into unauthorized systems—leading to “shadow AI” used in the name of efficiency.

As the job expands, so does the web of obligations. Over the past three decades, CISOs have faced a growing list of regulatory demands. Those demands now also land on boards that rarely speak in tech terms. At the same time, they must fight compounding threats tied to AI while enabling its potential to make workers more efficient. And they do it with one added pressure that can’t be ignored: potential personal liability for security breaches.

“Immense stress has infected the brains of CISOs with malware,” is how the source frames the situation—followed immediately by a blunt summary of what the role demands.

That breadth is echoed by Martin Whitworth, a retired CISO. He says the job requires CISOs to handle the “operational, the strategic, the risk, the human role,” and that “that’s enough to burn anyone out.”

The stress is compounded by how the role has been staffed. The first CISO was named in the mid-1990s at Citicorp, and the position emerged after a hack. Today, an estimated 35,000 people work as CISOs, often in more junior spots in the C-suite. Some companies—typically smaller ones or startups—hire fractional CISOs who work part-time for multiple companies. Others use virtual CISOs who are on-call for support.

That staffing reality matters because the remit keeps expanding. One reason the job feels different now is that security has become more complicated in the AI era, requiring more strategy. Yet the C-suite experience described by CISOs also points to a gap: there’s “no real training ground” for the diplomatic, business side of the work, after years spent mastering technology in roles that are often siloed and insulated from the publicly known business work.

“What gets you to the table doesn’t necessarily make you effective at the table,” says Joe Silva, a former CISO turned CEO of security company Spektion. “Or, you got to the table, but then you realize it’s the kids’ table,” he adds, describing how CISOs can sit a rung down on the corporate ladder, beneath top execs like CEOs.

That ladder position is more than a career complaint—it becomes operational when emergencies hit and the role’s political weight is unclear.

CISO turnover also leaves gaps. When CISOs leave, their departure can disrupt the IT team, the source says. There’s often not a second-in-command person ready to take on the human side of the role. Silva puts it sharply: “Many of them do not have a lot of exposure to these conversations, the political dynamics,” and then, he says, “security can get steamrolled.”

Survey data points to a similar feeling inside the job. A 2024 survey of 500 CISOs around the world by cybersecurity firm Trellix found that 72% of respondents have concerns about their future in the role due to expanding responsibilities—regulatory demands spanning healthcare privacy like HIPAA to the financial industry, along with a growing day-to-day workload enforcing security measures. Ron Green, former chief security officer at Mastercard, says: “Everybody wants to hold the CISO responsible.”

That concern isn’t just theoretical. In 2023, the Securities and Exchange Commission charged software company SolarWinds with fraud after cyberattackers linked to Russia inserted malicious code into SolarWinds’ software, which the company then pushed onto its customers, including federal government agencies and thousands of companies. The SEC also named SolarWinds’ CISO Tim Brown in the complaint, seeking to bar Brown from serving as an officer and director. The SEC dropped the case late last year, but the source says it set a chilling example of how CISOs could personally hold the liability for a company error.

Even inside the role, the mismatch between risk and expectations can become personal.

Matt Hillary, CISO at AI software company Drata, describes the job ballooning into something “so, so intense,” adding that “we can literally do everything and still either miss something or overlook something.” He says he was stuck on perfectionism, and that he eventually had to shift his mindset. The core problem, he says, was recognizing the mental toll of trying to reach an impossible standard in a world of infinite risks.

Hillary says the work keeps arriving in waves: he often sets quarterly goals and objectives for his team, but new risks and unexpected fires still keep coming. He also emphasizes the need to keep communicating to the company that it can’t fight off every security risk. “I needed to understand that there’s a significant gray area there that needs to exist,” he says, adding that “perfection isn’t possible.”

One response is to split the job. With responsibility growing, 84% of CISOs believe the job should become two separate roles—one person handling technical aspects and another focusing on business concerns, according to the Trellix survey. Some companies have started doing that by hiring chief trust officers to handle more proactive and communicative aspects, while CISOs own the cyber defense piece. Other CISOs argue that the fixes begin earlier in the conversation—by bringing security into business decisions sooner, before responsibilities pile into the CISO lane.

Rinki Sethi, CISO at cloud security company Upwind Security, describes the problem as a misrouting of duties: “We’re taking on so much more than security,” she says. “There’s a lot of things where people don’t know where it belongs, and it gets dumped into the security people.”

The burnout is also visible in the exits. The source lists several high-profile departures. Last year, Google Cloud CISO Phil Venables left his role to become a venture partner, capping four years at Google and two decades in security at Goldman Sachs. T-Mobile’s former chief security officer quit in 2023 and took up angel investing. The former director of cybersecurity at the National Security Agency retired and then took a venture job.

Kliewer’s path mirrors that turn, though he arrived at it through his own warning signs. He began what he calls his journey as a recovering CISO about four years ago, and now teaches cybersecurity at Western Governors University.

He says he “reached that point” where the stress wasn’t worth it anymore.

“I’ve lived the stress and I’ve just decided I’ve reached that point in my life where the stress isn’t worth it anymore,” he says.

That decision lands at a dangerous moment for cybersecurity. The stress that is pushing CISOs out is showing up as AI expands both the risks and the need for security—meaning the job is becoming more crucial just as it becomes harder to keep staffed.

4 Comments

  1. I feel like this is just proving IT people get blamed for everything, even when it’s like… the hospital’s internet provider fault. If they have only 18 months then yeah they’re gonna burn out fast.

  2. Wait so is this saying the CISO was responsible for whether they take the patient by helicopter? That seems wild, like why would cyber security decide life or death. But I guess if the internet is out then everything is out? Still, that doesn’t sound like “training” problem, it sounds like management problem.

  3. I mean I read the headline and already knew it was gonna be burnout and liability and risk and all that. Like these people are doing crisis response and policing and diplomacy? No wonder they’re fried. Also 18 to 26 months is short like that’s barely a couple years, so they never even get a chance to learn the job right. Hospitals should chill with the responsibility creep, but they never do.
