There’s a joke cryptographer Jon Callas likes to tell: CISO stands for Chief Intrusion Scapegoat Officer, “because CISOs are often thrown into a position where they can’t succeed.” Callas, who is the director of public interest tech at the Electronic Frontier Foundation, says that security officers are often “simultaneously in charge and powerless.” They know what they should do to mitigate risks, but they can’t get enough support.
This predicament threatens to overwhelm them. Almost 90% of CISOs consider themselves under moderate or high stress, and many change jobs often. According to the Heidrick & Struggles 2022 global survey, almost a quarter of CISOs held their previous position for less than two years and 62% have been in their current role for less than a year.