The most miserable big-money job in the C-suite

9 hours ago 8

Rear view of asian businesswoman looking out conference room window.

Nearly 75% of security execs want to ditch their jobs.

When Chad Kliewer worked as the head of information security at a hospital system, the job became so stressful, his hair didn't just turn gray, it started to fall out, he says. During his career, he experienced what he now recognizes as work-induced panic attacks from the pressure. The job came with phone calls any hour of the day, fielding IT outages or HIPAA compliance issues, and left him messaging colleagues while out of office and on vacation.

He remembers waking at 3 a.m. to a doctor calling from the rural hospital where the internet had gone out. The doctor couldn't send the results of a scan to a radiologist, and Kliewer remembers him saying, "I don't know whether to put this patient on a helicopter or send him home." As the top, and lone, security worker, Kliewer was on the hook. "I'm not an ER doctor, but yet the ER doctors are depending on my services."

Immense stress has infected the brains of CISOs (chief information security officers) with malware, and they're looking to call it quits. The typical tenure of a CISO lasts just 18 to 26 months, compared to nearly five years for other C-suite roles, according to a report from research firm and publisher Cybersecurity Ventures. Half of CISOs say the scope of their job has become unmanageable, and nearly 70% say they're open to changing jobs or even leaving the CISO role entirely within the next year, according to a report from security research firm IANS.

The job bridges the complex, technical side of a company and its business objectives, from finance to human resources to day-to-day operations. They're seen as the Department of No, pumping the brakes on AI adoption as white-collar workers plug sensitive data into unauthorized systems, turning to shadow AI in the name of efficiency. Their role has swelled over the past three decades, demanding they meet a burgeoning list of regulatory demands, present increasingly to board members who rarely speak in tech terms, and fight the compounding threats of AI while enabling its potential to make workers more efficient. They do all of this while facing potential personal liability for security breaches.

It's no wonder the corporate world's security chiefs have hit their limits. CISOs at large companies face increasing pressure, while there's not enough people working in the role to serve small and medium-sized companies. With cybercrime losses expected to double from $6 trillion in 2021 to $12 trillion in 2031 by Cybersecurity Ventures' estimates, that means more threats loom at not only our workplaces, but the companies that hold our personal data as customers.

CISOs are "expected to do the operational, the strategic, the risk, the human role," says Martin Whitworth, a retired CISO. "That's enough to burn anyone out."

The first CISO was named in the mid-1990s at Citicorp, the new role spawned as a response to a hack. Now, an estimated 35,000 people work as CISOs, often in more junior spots in the C-suite. Some companies, typically smaller ones or startups, hire fractional CISOs, who work just part-time for multiple companies. Others use virtual CISOs who are on-call for support. Their job started as the role primarily responsible for defending against cybersecurity threats. But in recent years, the remit has grown, as have the cyber risks companies face, and their resources don't always keep pace. In the ever-evolving era of AI, security has become more complicated and requires more strategy. But there's no real training ground for the diplomatic, business side of the job, CISOs tell me, after they spend their careers mastering technology in work that's often siloed and insulated from the work the business is known publicly to do.

"What gets you to the table doesn't necessarily make you effective at the table," says Joe Silva, a former CISO turned CEO of security company Spektion. "Or, you got to the table, but then you realize it's the kids' table," as CISOs typically sit a rung down on the corporate ladder, beneath top execs like CEOs.

The typical tenure of a CISO lasts about 18 months, compared to nearly five years for other C-suite roles.

A 2024 survey of 500 CISOs around the world by cybersecurity firm Trellix found that 72% of respondents have concerns about their future in the role due to expanding responsibilities, like regulatory demands (spanning healthcare privacy, like HIPAA, to the financial industry) and a growing day-to-day workload enforcing security measures. "Everybody wants to hold the CISO responsible," says Ron Green, former chief security officer at Mastercard. In 2023, the Securities and Exchange Commission charged software company SolarWinds with fraud after a cyberattackers linked to Russia inserted malicious code into SolarWinds' software, which the company then pushed onto its customers, including federal government agencies and thousands of companies. The SEC also named SolarWinds' CISO Tim Brown in the complaint, seeking to bar Brown from serving as an officer and director. The SEC dropped the case late last year, but it set a chilling example of how CISOs could personally hold the liability for a company error.

The CISO job has "ballooned into this role that is so, so intense," says Matt Hillary, CISO at AI software company Drata. "We can literally do everything and still either miss something or overlook something." Hillary says he was stuck on perfectionism. Early in his tenure, he says he had to shift his mindset, recognizing the mental toll that trying to reach an impossible standard of zero risk in a world of infinite risks had taken on him. Often, he says he will set quarterly goals and objectives for his team, but then they're hit with an onslaught of new risks or unexpected fires to put out. Hillary says he needed to find ways to not feel like that translated to failure, while also communicating to the company clearly that the team can't fight off every security risk. "I needed to understand that there's a significant gray area there that needs to exist," and that perfection isn't possible.

With the growing amount of responsibility, 84% of CISOs believe the job should become two separate roles: with one person handling the technical aspects and another focused on business concerns, according to the Trellix survey. Some companies have already taken this route, hiring chief trust officers to take on proactive and communicative aspects of the role, while CISOs own the cyber defense piece. Some CISOs think the problems could be fixed if they came into conversations around business decisions sooner, to reflect their burgeoning responsibilities. "We're taking on so much more than security," says Rinki Sethi, CISO at cloud security company Upwind Security. "There's a lot of things where people don't know where it belongs, and it gets dumped into the security people."

Several high-profile CISOs have fled the field. Last year, Google Cloud CISO Phil Venables left his role to become a venture partner, capping four years at Google and two decades in security at Goldman Sachs. T-Mobile's former chief security officer quit in 2023 and took up angel investing. The former director of cybersecurity at the National Security Agency retired and then took a venture job. When CISOs leave, their departure can disrupt the IT team. There's often not a second-in-command person ready to take on the human side of the role. "Many of them do not have a lot of exposure to these conversations, the political dynamics," Silva says. "So security can get steamrolled."

Kliewer began what he calls his journey as a recovering CISO about four years ago, and now teaches cybersecurity at Western Governors University. "I've lived the stress and I've just decided I've reached that point in my life where the stress isn't worth it anymore," he says. The stress of the job threatens to push CISOs out just as the risks and opportunities of AI make cybersecurity ever more crucial.

Amanda Hoover is a senior correspondent at Business Insider covering the tech industry. She writes about the biggest tech companies and trends.

Business Insider's Discourse stories provide perspectives on the day's most pressing issues, informed by analysis, reporting, and expertise.

Most popular

Business Insider tells the stories you want to know about the world of business, technology, and finance

Amanda Hoover is a senior correspondent at Business Insider covering the tech industry. Amanda covers some of the world’s biggest tech companies like Airbnb, Spotify, and Meta and its influential figures. She has written about the evolving workforce, from the ways AI is reshaping roles to how employees are changing their relationship to the job or how they look for work. Her reporting includes deep dives into the tech workforce, looking at the rise of product managers, chief medical officers, and how ageism disproportionately affects tech workers. Amanda also writes about shifting tech trends, and how people are reevaluating how they spend screen time or what apps they use to meet new people. She has written about the influence of social media platforms like Twitter as well as TikTok trends and YouTube creators.Prior to joining Insider, Amanda covered housing tech and the future of work at WIRED. She has also written for The Star-Ledger, The Boston Globe, and Morning Brew.