There is a version of the CISO burnout conversation that the industry prefers. It talks about resilience, self-care, executive coaching, and the importance of unplugging. It frames the problem as something that lives inside the individual — a coping deficit, a work-life balance failure, a personal shortcoming that better habits could fix.
That version is wrong. Or rather, it is wrong enough to be dangerous for anyone actually considering whether to take a CISO role or how to survive one.
The structural conditions of the CISO job in 2026 are hostile. Not in a vague, everyone-has-stress way. Hostile in specific, measurable, documented ways that have driven average tenure at large enterprises below 2.5 years, created personal legal exposure that did not exist five years ago, and produced a cohort of experienced security leaders who have quietly concluded that the role as currently structured is not worth taking.
This article is about those conditions. Not the soft version. The actual version.
The Tenure Number and What It Means
The figures on CISO tenure have been cited so many times that they have started to feel abstract. They should not. At large enterprises — companies with over $1 billion in revenue — the average CISO tenure is somewhere between 18 months and 26 months depending on the study and the year. IANS Research and Artico Search have both tracked this number for years. It has not meaningfully improved.
For context: the average tenure of a CEO at a large public company is approximately seven years. The average CFO tenure is around five years. The CISO sits at the same executive table, is expected to operate at the same strategic level, and turns over roughly three times as fast.
This is not explained by the security talent market being uniquely fluid. Security professionals move jobs, but not that quickly across all roles. It is not explained by CISOs getting recruited away into better opportunities — though that happens. The primary driver of short CISO tenure is that the job grinds people down in ways that are specific to the role, and the most experienced people eventually leave because continuing does not make structural sense.
The Personal Legal Liability Problem
The single largest change to the CISO risk calculus in recent years was not a breach. It was an enforcement action.
In October 2023, the SEC charged Timothy Brown, the CISO of SolarWinds, with fraud and internal control failures related to the company’s handling of the Orion supply chain attack that was discovered in December 2020. The complaint alleged that Brown was aware of significant cybersecurity risks and vulnerabilities at SolarWinds but publicly minimized them, and that he and the company made materially misleading statements about its security posture.
A federal judge dismissed most of the claims against SolarWinds and Brown in July 2024, allowing only the securities fraud claims based on the company's public "Security Statement" to proceed, and the case did not disappear quietly. What it established, regardless of the final outcome, is that the SEC is willing to name a CISO personally in an enforcement action. Not the company alone. The individual. The case produced personal legal fees, reputational damage, and years of professional uncertainty for someone who was, by most accounts, doing the job that the organization required of him in a difficult environment.
The Uber CISO case is the other reference point every security leader knows. Joseph Sullivan, Uber's Chief Security Officer, was convicted in October 2022 on federal charges of obstruction of justice and misprision of a felony, related to how Uber handled a 2016 breach discovery while the FTC was already investigating an earlier incident. In 2023 he was sentenced to three years of probation and a $50,000 fine. Trial evidence showed that Uber's then-CEO had been briefed on the payment to the attackers, so the handling was at minimum known to and endorsed by executive leadership; Sullivan was nonetheless the individual who went to trial and was convicted.
These two cases together define the new landscape. The CISO is now a role with genuine personal criminal and civil exposure, in circumstances where the organization may have made the decisions that created the problem, and where the CISO is the named executive most likely to be held accountable after the fact. The company can settle. The company can replace its leadership. The company can hire expensive lawyers on the company’s behalf. The CISO, in the worst case, faces this individually.
The SEC's cybersecurity disclosure rules, which took effect in December 2023, require public companies to disclose a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material, with the materiality determination itself to be made "without unreasonable delay", and to describe their cybersecurity risk management, strategy, and governance annually in the Form 10-K. This creates a formal record that regulators can examine. It also creates a documented chain of what the CISO knew, when they knew it, and what they disclosed, which is precisely the kind of paper trail that enforcement actions are built from.
The practical effect of this landscape is that every experienced CISO now asks a question before accepting a role that they did not need to ask ten years ago: if something goes wrong here, in ways that are not my fault and may not be within my control, am I personally exposed? The answer in 2026 is: possibly, yes. And the structures that would protect a CISO — strong D&O insurance with explicit coverage, formal legal indemnification, independent legal counsel paid by the company — are not standard. They are negotiated exceptions, and many organizations resist providing them.
Board Pressure with Inadequate Resources
The structural tension at the center of the CISO role is simple to describe and difficult to resolve: boards and CEOs want security outcomes that cost money and require organizational authority, and they are frequently unwilling to provide either at the level the outcomes actually require.
Gartner’s cybersecurity spending data consistently shows that security budgets at most large enterprises represent between 0.2% and 0.9% of annual revenue, with significant variance by sector. The organizations at the low end of that range are frequently not the organizations with the least risk. They are often the organizations that have successfully argued that security is an IT cost center rather than a business function, and that CISO requests for additional headcount or tooling represent budget expansion rather than risk management.
The CISO in this environment is expected to defend a perimeter that grows every year as the organization adopts cloud infrastructure, acquires companies with legacy systems, enables remote work, and connects more operational technology to internet-accessible networks — all while the security budget grows at a fraction of the rate of the attack surface.
When a breach occurs, the board asks why the CISO did not prevent it. The answer — that the CISO requested budget for the control that would have prevented it and was denied, or that the acquisition the board approved in Q3 brought in the compromised system — rarely satisfies. Boards are not, in general, deeply technically literate about security risk. They approved what the CFO told them to approve. They are now looking for an accountable executive. The CISO is the accountable executive.
This dynamic is not hypothetical. It is the documented pattern behind a significant portion of CISO departures at companies that have experienced public breaches. The CISO leaves — voluntarily or otherwise — and the organization hires a new one with a press release about renewed commitment to security. The budget allocation does not change. The new CISO encounters the same structural problem within eighteen months.
The 24/7 Reality
The operational reality of the CISO role is that it has no off hours. This is not a metaphor.
A critical incident — ransomware deployment, active data exfiltration, a third-party breach affecting your vendor ecosystem — requires the CISO to be reachable and functional immediately, regardless of what time zone they are in or what they were doing when the alert came. Incident response is time-sensitive. The decisions made in the first hours of a breach materially affect the scope, cost, and regulatory exposure of the event. The CISO needs to be present for those decisions.
This is not something that can be delegated away cleanly, because the decisions that need CISO-level input — whether to notify regulators, whether to bring in external counsel, whether to shut down systems that are generating revenue, whether to engage law enforcement — are exactly the decisions that will be scrutinized later if the response is judged inadequate. The CISO needs to be on them.
What this produces, in practice, is a person who cannot fully decompress. They can be on vacation. They can be at a conference. They can be at their child’s school event. But they cannot actually disconnect, because the cost of being unreachable during a genuine incident is too high. The psychological result, over months and years, is a persistent low-grade vigilance that does not turn off — and that vigilance is exhausting in a specific way that does not respond well to standard advice about self-care and time off.
The CISO who takes a week-long vacation in a location with poor cell coverage is not resting. They are managing anxiety about what they might be missing. The CISO who does not take the vacation is accumulating a different kind of damage. There is no clean resolution to this. It is a structural feature of the role.
Add to this the psychological weight of knowing, with certainty, that an attack will happen. Not might happen. Will happen. The question is when, and whether the organization’s defenses will be sufficient to contain it when it does. Living with that knowledge continuously, while managing a team, while negotiating budget, while briefing the board, while maintaining the operational infrastructure of a security program — that is a sustained cognitive and emotional load that compounds over time in ways that are not visible until they become acute.
Scapegoating After Breaches
The organizational response to a major breach follows a pattern that anyone in security leadership can recite. There is an initial period of crisis management. There is a period of forensics and containment. There is an external investigation, often conducted by a firm hired by the board or outside counsel. And then there is an accountability phase.
In the accountability phase, the organization needs to explain to its board, its investors, its regulators, and its customers why this happened and what has changed. The honest explanation is often: we underinvested in security for years, the risk was identified and not adequately resourced, and a sophisticated attacker exploited a gap that we knew existed. That explanation is accurate and defensible, but it implicates the board, the CEO, and the CFO in the decision-making that created the gap.
The alternative explanation — that the CISO failed, that security leadership was inadequate, that the organization’s security program was not fit for purpose — is less accurate but more convenient. It assigns responsibility to one person who can be replaced, and it implies that replacing them solves the problem. The board can announce that it has taken decisive action. The new CISO can arrive with a mandate for improvement. Investors are reassured.
This happens. It happens in major, well-documented breaches. It happened after the Target breach in 2013: Target had no CISO at the time, and it was the CIO who resigned in March 2014, followed by the CEO in May, with the company's first CISO hired afterward. It happened after the Equifax breach in 2017, when the chief security officer and the CIO "retired" effective immediately about a week after disclosure and the CEO followed before the end of the month. It happens repeatedly in smaller organizations where the breach never made national news but the security leader still left under circumstances that any reasonable observer would describe as scapegoating.
Experienced CISOs know this pattern. It is one of the reasons that senior security leaders increasingly approach new roles with more caution than they once did, and one of the reasons that negotiation around role authority, budget commitments, and indemnification has become more sophisticated and more important.
What Burned-Out CISOs Do Next
The exit paths from a CISO role are reasonably well defined at this point, because enough people have made them that there are established patterns.
Fractional CISO consulting is the most common initial step. A fractional CISO serves multiple organizations simultaneously, typically at the Series B through late-stage or small public company level, providing strategic security leadership on a part-time basis. The appeal is obvious: no single organization’s crisis is your only crisis. You have time in your schedule that belongs to you. You can decline engagements that look structurally problematic. The income is typically lower than a full-time CISO salary at a large enterprise, but the arrangement is more sustainable, and many people find they can maintain it longer.
Board advisory and VC/investor advisory work is the other major track. As organizations have come under pressure to add genuine security expertise to their boards, partly driven by the SEC disclosure rules (the final rule dropped the proposed requirement to disclose directors' cybersecurity expertise, but it still requires companies to describe the board's oversight of cyber risk, which is hard to do credibly with no one at the table who understands it), the market for CISOs with board-level credibility has grown. This is selective work. Not every former CISO is well positioned for it. But for those who are, board advisory roles provide income, intellectual engagement, and influence over organizational security posture without the operational weight of running a security function.
Some CISOs move into investor roles at venture or growth equity firms, where their ability to evaluate portfolio company security posture and risk is genuinely valuable. This is a smaller market but a real one.
A meaningful subset leaves the field entirely. They move into general management, consulting in adjacent areas, entrepreneurship, or simply step back from executive work. This is not failure. It is a rational response to a role that, in many configurations, is not sustainable on any time horizon. The industry does not like to talk about this exit path directly, because it implies that the role itself is the problem. But the people who take it are often among the most experienced and capable security leaders the field has produced, and their departure represents a genuine loss.
What Organizations Can Do
If an organization wants a CISO who stays, performs, and does not burn out in two years, there are structural changes required. These are not complicated. They are just politically inconvenient.
The CISO needs actual budget authority. Not the authority to make the case for budget that the CFO will then approve or deny on other grounds. Authority over a security budget that is sized to the organization’s actual risk profile and that the CISO controls operationally. This means the security function is funded as a business risk management activity, not a cost center to be minimized.
The CISO needs genuine C-suite peer relationships, not a reporting structure where security is subordinated to the CIO or CFO in ways that structurally prevent the CISO from advocating effectively. Many organizations place the CISO below the CIO in the org chart, which means security budget requests compete with IT infrastructure requests inside the same reporting line, and the CISO loses that competition regularly. Reporting directly to the CEO or, where governance warrants it, to the board, changes the dynamic.
The CISO needs legal indemnification. The company’s D&O insurance should explicitly cover the CISO. The company should provide, in writing, an indemnification commitment that covers legal costs and liabilities arising from the CISO’s good-faith performance of their duties. This is standard practice for other C-suite executives and it should be standard for the CISO. It currently is not, in most organizations.
The scope of the role needs to be defined and bounded. Security is not everything. The CISO is not the person responsible for every vendor relationship, every IT procurement decision, every compliance program that touches a technology system. Where the CISO’s authority begins and ends should be documented and agreed upon before they start. The CISO who discovers after starting that they are expected to own compliance, privacy, physical security, and enterprise risk as well as information security — with no additional headcount — has been handed a different job than the one they were hired for.
What to Negotiate Before Accepting a CISO Role
If you are considering a CISO role, there is a baseline of due diligence that is not optional.
Ask for the security budget as a percentage of revenue or IT spend, and compare it to peer organizations in the same sector. If it is materially below peer benchmarks and you are not being offered the authority to change it, you should understand that you are being hired to manage a program that is already undersized.
Ask about the reporting structure and what organizational decisions require CISO sign-off. If security decisions — including major technology acquisitions and vendor contracts — can be made above or around you, your authority is nominal.
Ask directly about D&O coverage and whether the CISO position is included. Ask about indemnification. Get the answer in writing before you accept. If the organization resists this as unreasonable, that resistance tells you something important about how they view the role.
Ask what happened to the previous CISO and why they left. If the answer is vague or evasive, or if the previous person left during or shortly after a breach, investigate further. Talk to people in your network who know the organization. The pattern of how an organization treats security leadership is generally consistent across cycles.
Ask about board engagement. How often does the CISO present to the board? What is the board’s actual level of engagement with security risk? If the answer is that the CISO presents to the audit committee once a year through a slide deck that the CFO reviews first, the governance structure is not one in which security leadership has genuine organizational standing.
When Taking the CISO Role Is a Bad Idea
This needs to be said directly, because the industry rarely says it: some CISO roles should not be taken.
If the organization has a recent history of breaches and the security budget has not materially increased in response, the new CISO is being hired to take accountability for the next incident, not to prevent it.
If the reporting structure places you below the CIO with no documented path to escalate security concerns to the board, you do not have the authority the role implies.
If the organization will not provide D&O coverage and indemnification, you are accepting personal legal exposure without the organizational protection that other executives receive as a matter of course.
If the board has no meaningful understanding of or engagement with cybersecurity risk, you will spend significant time educating instead of operating, and you will be blamed for outcomes you could not have changed because the organization lacked the governance to support the decisions you needed made.
If the prior CISO was terminated or departed under pressure following a breach, and the departure was characterized publicly in ways that assigned fault to the individual rather than the organization’s security investment decisions, the organization’s approach to accountability has been demonstrated. Assume it will apply to you.
None of this means that CISO roles are uniformly bad or that the best security leaders should avoid them. The role can be done well, in organizations that are structured to support it. Those organizations exist. They are not the majority. The difference between an organization that will support a CISO and one that will consume them is visible in the budget data, the org chart, the governance structure, and the history. All of it is discoverable before you sign.
The CISO burnout problem is not a resilience problem. It is an architecture problem. The organizations that solve it will keep their security leaders. The ones that do not will continue to cycle through them every two years, replacing experience with optimism, and wondering why the security posture never improves.
This article is provided for informational purposes only. Salary data and market conditions change; verify figures with current industry surveys before making career decisions.