Addressing High Turnover: Retaining CISOs in the Workplace


This article explores the reasons why cybersecurity professionals are leaving their jobs. It also provides some recommendations on how to prevent this from happening in the future.


The cybersecurity landscape is constantly evolving, and organizations are facing an ever-increasing number of threats. This has led to a growing demand for skilled cybersecurity professionals, but the supply of qualified talent is not keeping pace. As a result, many organizations are struggling to find and retain the cybersecurity leaders they need to protect the security of their businesses.

A recent report by Gartner predicts that nearly half of all cybersecurity leaders will change jobs by 2025. This is a significant number, and it is a trend that organizations need to take seriously. 

There are a number of factors that are contributing to the cybersecurity “great resignation”. In this article we will explore the most important of them.


Cybersecurity professionals and leaders, such as CISOs, are responsible for protecting their organizations from a variety of cyber threats, ranging from ransomware attacks to state-sponsored espionage. In addition, new technologies, threats, and regulations keep emerging. Cybersecurity professionals have to keep up with these changes and adapt their strategies accordingly. They also have to deal with the complexity and diversity of their IT environments, such as cloud services, mobile devices, IoT devices, third-party suppliers and, not to be forgotten, legacy systems.

Their scope of oversight is too broad, and this puts them under a lot of stress. They are constantly on the lookout for threats, and they are often required to work long hours and deal with difficult situations, many of them emergencies.

This can lead to burnout, which can make it difficult to stay motivated and engaged in their work.

Unrealistic expectations from Boards

Cybersecurity professionals are under immense pressure from top management to protect their organizations. They also have to deal with increasing scrutiny and accountability from regulators, customers, shareholders, and other stakeholders. They have to balance the competing demands of security, tight budgets, performance, innovation, and compliance.

It appears that they are often expected to solve all of their organization’s security problems as well as other ad-hoc problems. This is an unrealistic expectation, and it can lead to frustration and disappointment.

The lack of support and alignment

Cybersecurity leaders often struggle to get practical support, which should go far beyond declarative policy statements. They need help from their senior management and board of directors for the security initiatives and business cases they need to implement. According to a survey by Gartner, only 12% of CISOs report directly to the CEO, while 40% report to the CIO. Others report to the CFO, COO or Enterprise Architect, which is even worse. This limits their visibility and influence in the organization, and very often creates conflicts of interest. They also have to deal with the cultural and communication gaps between the security team and the rest of the organization.

These challenges can take a toll on the cybersecurity leaders’ well-being and performance. According to a report by McKinsey, 65% of CISOs say they experience moderate or high stress levels on a regular basis. Moreover, according to a survey by Infosecurity Magazine, 48% of CISOs plan to change jobs within two years.

Lack of career growth opportunities

Many cybersecurity leaders feel that they have reached the top of their career and there are no more opportunities for advancement. This can lead to boredom and dissatisfaction, which can make them more likely to leave their jobs.

Toxic work environments

Some organizations have toxic work environments that are not conducive to success. This can include things like a lack of communication, a lack of support, and a lack of respect for cybersecurity professionals. These factors can make it difficult for cybersecurity leaders to stay motivated and engaged in their work.

The cybersecurity skills gap

It is obvious that there is a growing shortage of skilled cybersecurity professionals. This is due to a number of factors, including the increasing complexity of cyberattacks, the rising cost of education and training, and the lack of diversity in the cybersecurity workforce.

Another factor is the difficulty of recruiting experts and retaining them in cybersecurity teams for longer than a couple of years. With the continuously evolving nature of cybersecurity threats, companies need someone who can adapt to changes. However, finding the right expertise has become a big challenge for recruiters and CISOs. They struggle to find cybersecurity professionals with the required expertise, and even when hired, these experts may be easily lured away by better job offers.

Furthermore, the McKinsey report states that companies are falling short in how they attract and develop cybersecurity talent, reducing the ability of businesses to respond to evolving cyber threats. Inadequate recruitment and training strategies drive potential candidates away from cybersecurity, creating the existing anomaly of high demand alongside a shortage of skilled experts.

In addition to these factors, the COVID-19 pandemic has also had a significant impact on the cybersecurity landscape. The shift to remote work has created new challenges for cybersecurity professionals, and it has also made it more difficult for organizations to attract and retain talent.

How can organizations attract and retain valuable cybersecurity talent?

So what can be done to address these challenges and retain cybersecurity professionals and leaders?

The cybersecurity “great resignation” is a serious challenge that organizations need to address. By understanding the reasons why cybersecurity leaders are leaving their jobs, organizations can take steps to retain their talent and protect themselves from cyberattacks, which lead to financial losses and reputational damage.

Here are some specific steps that organizations can take to address the cybersecurity great resignation:

  • Invest in training and development: Organizations desperately need to invest in training and development programs for their cybersecurity professionals. This will help to ensure that these professionals have the skills and knowledge they need to stay ahead of the latest threats.
  • Create a more supportive work environment: This includes things like providing adequate resources, creating a culture of trust and collaboration, and recognizing and rewarding the contributions of cybersecurity staff.
  • Provide opportunities for career growth: This will help to keep cybersecurity leaders motivated and engaged in their work.
  • Address unrealistic expectations: Boards need to be far more realistic about what can be achieved, and they need to provide the support and resources necessary to meet those goals.
  • Create a positive work culture that is conducive to success: This includes things like promoting diversity and inclusion, and creating a culture of respect and appreciation.
  • Enhance well-being and work-life balance: Organizations should also provide cybersecurity professionals with flexible work arrangements, mental health support, and wellness programs.

By taking these steps, organizations can make themselves more attractive to cybersecurity talent, retain the talent they already have, and help to address the cybersecurity great resignation. This is essential to protecting their organizations from cyberthreats.


In conclusion, as we move towards a more digitized and artificially intelligent world, as well as towards Web 3.0, the demand for cybersecurity experts is not only increasing, but also changing. With the skills gap prevalent, competition to hire cybersecurity leaders with the right expertise and experience is going to be fiercer in the next few years.

By addressing the challenges that cybersecurity leaders face in a timely manner, organizations can improve their entire security posture, as well as retain their valuable talent.

Next IT Security Team