Research

The CISO Dilemma

A new Korn Ferry paper explores why cybersecurity leaders don’t stay and how companies can change that.

Maggie Myers

Managing Consultant, Technology & Digital Officers Practice

Cybersecurity threats are growing. Regulations are tightening. Data privacy is becoming more critical. Through it all, the Chief Information Security Officer (CISO) stands as the frontline defender, protecting companies from financial losses, operational chaos, and reputational damage.

But there’s one problem: CISOs aren’t staying long.

Studies show the average tenure of a CISO is just 18 to 26 months, significantly shorter than other C-suite roles. When a company loses its CISO, it’s more than a leadership gap. It’s a serious security risk that leaves the business vulnerable to cyberattacks across all areas. So, why are CISOs leaving? And more importantly, how can companies attract and retain these top cybersecurity leaders?

Why CISOs Are Leaving So Quickly

CISOs are critical in safeguarding an organization's digital assets, yet the role often comes with significant challenges. Several factors contribute to high turnover, including the immense pressure to prevent cyber threats, evolving nature of cybersecurity risks, and often-limited resources and support. If companies don’t address these issues, they’ll continue to struggle with instability in their cybersecurity leadership.

Given these pressures, it's no surprise that many CISOs operate in a constant state of crisis management. Cyber threats evolve daily, and a single security incident can lead to regulatory fines, shareholder lawsuits, and reputational costs. Unlike other executives, the CISO is thrust into the headlines when a breach occurs. The pressure is intense, and without the right resources, support, and influence, burnout is inevitable.

What’s more, many CISOs lack direct access to the board or executive decision-making authority. Instead, they often report to the Chief Information Officer (CIO), the Chief Technology Officer (CTO), or the Chief Financial Officer (CFO), limiting their ability to secure budgets and shape enterprise security strategies. Companies that treat cybersecurity as a business risk - not just an IT function - will attract and retain the best CISOs. When that alignment is missing, security leaders move on.

Yet, CISOs are in extraordinarily high demand. Companies are offering bigger compensation packages, expanded leadership roles, and direct board access to find top talent. The reality is, CISOs have choices. If they don’t see a long-term future at a company, they’ll leave for one that offers it.

Other major factors causing CISOs to leave include rising legal and regulatory demands. New SEC disclosure rules and heightened scrutiny around cybersecurity have increased their personal liability. Some CISOs have even faced legal action over breaches, making board-level risk awareness and legal protections critical for retention. Without these safeguards, many top CISOs are questioning whether the risk is worth the reward.

4 Strategies to Attract & Retain the Best CISOs

Finding and keeping top CISOs is essential for building strong leadership and a safer company. Given their high turnover rates and the vital role CISOs play, companies need to ensure their CISOs feel protected, supported, and rewarded.

Here are four strategies to help organizations attract and retain the best cybersecurity talent:

  1. Align the CISO’s role for maximum impact. Cybersecurity leadership should drive business strategy, not just compliance. Companies should strategically align the CISO’s reporting structure - whether to the CEO or another senior leader - and include direct board access so that cybersecurity is embedded in high-level decision-making. To be most effective, CISOs need to go beyond IT operations and play a key role in enterprise-wide strategy. Their expertise should be included in discussions on risk management, data governance, and digital transformation, ensuring cybersecurity is positioned as a core business priority rather than a standalone technical concern.
  2. Provide the right resources & executive support. A CISO cannot succeed without the right budget, tools, and team. To build a strong foundation, organizations need to invest in adequate funding for security programs and proactive risk management. By creating a security-first culture, the CISO won’t have to constantly battle for executive buy-in while aligning cybersecurity with broader business objectives. Ultimately, this helps to reduce friction and position security as a strategic asset rather than an operational hurdle.
  3. Offer competitive compensation & clear career growth. CISOs understand their worth, and they’ll look elsewhere if an organization doesn’t offer competitive pay, incentives, and a clear career path. To attract and keep the best CISOs, companies need to have strong and appealing compensation and growth opportunities. This includes offering market-standard pay, long-term incentives like equity and performance-based bonuses, and pathways for professional development and career advancement.
  4. Protect CISOs from avoidable legal exposure. Executives won’t take on a role where they could be held personally liable for doing their job. Companies must include indemnification clauses in CISO contracts and ensure they are protected from legal exposure in the event of a breach. At the same time, board members and executives must educate themselves on cybersecurity risks so CISOs aren’t blamed for incidents beyond their control. This understanding and protection creates a supportive environment where CISOs can focus on their critical responsibilities without undue fear of personal repercussions.

Securing the Future

The cybersecurity threat landscape isn’t slowing down, and the companies that invest in strong, stable CISO leadership will be the ones that succeed in the long run. With proper resources, competitive pay, and legal protection, organizations will find and keep the best CISOs, ultimately ensuring their digital assets are well-protected.

After all, taking a proactive approach to hiring, retention, and executive alignment is no longer optional. It’s mission critical.

To find out how Korn Ferry is helping clients navigate today’s security environment, learn more about our Technology and Digital capabilities.