Security Staff Acquisition & Development

Why CISOs Succeed and Why They Leave

Earlier this year, ESG and the Information Systems Security Association (ISSA) published a research report titled, The State of Cyber Security Careers. The report was based on a survey of 437 cybersecurity professionals, the clear majority of which were ISSA members.

Two-thirds of these cybersecurity professionals worked at an organization that employed a CSO or CISO. These individuals were then asked to identify the most important qualities that make a successful CISO. Here is a sample of the results:

  • 50% of respondents said that strong leadership skills were most important.
  • 47% of respondents said that strong communication skills were most important.
  • 30% of respondents said that a strong relationship with business executives was most important.
  • 29% of respondents said that a strong relationship with the CIO and other members of the IT leadership team was most important.
  • 23% of respondents said that strong management skills were most important.

Based upon this list, it’s clear that successful CISOs need to be strong business people who can work with business and IT executives. This is an important consideration since many security professionals are deeply rooted in the technology rather than the business aspects of infosec.

So, if these are the characteristics that influence CISO success, what determines failure? Cybersecurity pros were also asked what the factors were that most likely caused CISOs to leave an organization. The data indicates that:

  • 31% said that CISOs leave when the organization does not have a culture that emphasizes cybersecurity.
  • 30% said that CISOs leave when the CISO is not an active participant with executive managers or the board of directors.
  • 27% said that CISOs leave when they are offered a higher compensation package at another organization.
  • 23% said that CISOs leave when the cybersecurity budget is not commensurate with an organization’s size.
  • 22% said that CISOs leave when the IT organization ignores or minimizes cybersecurity as part of its planning and decision making process.

Looking across all this data, CISOs need to be strong leaders, communicators, influencers, and schmoozers who can translate cybersecurity risk into metrics and ideas for business planning. Alternatively, organizations must give CISOs the opportunity to take on this role or they will head for the door.

The entire ESG/ISSA report is available for free download here. Your comments, feedback, and questions are welcome.


Jon Oltsik is a senior principal analyst at ESG, an integrated IT research, analyst, strategy and validation firm. Read more ESG blogs here.

You can skip this ad in 5 seconds