In recent years, two high-profile security leaders faced personal accountability for breaches under their watch. Uber’s CISO, Joseph Sullivan, was accused of hiding a data breach and was found guilty of federal charges in 2022. Then, the SEC charged SolarWinds CISO Timothy Brown with fraud tied to a 2020 supply chain attack. Although some charges were dismissed, a securities fraud claim remained.
These events left many CISOs wondering if personal liability, stacked on top of grueling hours and high stress, is worth it. Quite a few security professionals are stepping away from full-time jobs to become virtual CISOs (vCISOs). They’re lured by flexible schedules, fewer liability risks, and potentially higher earnings. Instead of being tied to a single company around the clock, they can consult for multiple businesses, maintain better work-life balance, and sidestep individual legal jeopardy.
Mounting Pressures & Plummeting Job Satisfaction
The numbers paint a sobering picture. A “State of the CISO 2023-2024” report by IANS Research shows a drop in job satisfaction (from 74% in 2022 down to 64% in 2023). Meanwhile, a recent BlackFog survey revealed 70% of security IT decision-makers say personal liability worries made them think twice about the CISO role. Gartner predicts that by 2025, nearly half of all cybersecurity leaders will have switched positions, with a quarter citing stress as the main factor.
Such burnout is no shock when you consider the expanding list of responsibilities. CISOs must juggle business goals, product security, infrastructure protections, ransomware defenses, supply chain security, AI governance, and regulatory compliance (including the SEC’s ever-evolving cyber-incident disclosure rules). This heightened pressure for transparency forces CISOs into a dilemma. They can reveal a security incident and risk financial harm to the company, or conceal it and face personal liability.
But this isn’t their only hurdle. Internally, CISOs must show they’re skilled and deserving of bigger budgets while also highlighting genuine risks to influence the right security measures. It’s a tough balancing act that demands serious nerve.
vCISO Services Are on the Rise
The demand for a vCISO is surging, especially among midsized companies that crave executive-level security knowledge but can’t justify the cost of a full-time CISO. According to Cynomi’s recent report, 75% of managed service providers see strong demand for vCISO offerings. With AI tools now giving security experts an edge in thwarting cyber threats, the vCISO market is expected to rise from $1.06 billion in 2024 to $1.48 billion by 2032, says Business Research Insights.
However, this shift raises crucial questions for enterprise security. Having led security initiatives through multiple digital transformations, I know that true security leadership requires deep, daily engagement. Risk management can be as much an art as a science, and context is key—both with the technology stack and business culture. External consultants, no matter how knowledgeable, often lack the same familiarity and sense of ownership that in-house CISOs develop through close, ongoing collaboration with teams, executives, and board members. Even the best vCISOs may struggle to match the urgency and dedication of full-time CISOs who feel the stakes more personally.
Why Organizations Need to Reevaluate Their Security Culture
The rapid rise in vCISO roles should alert boards and executives. If your company finds it difficult to retain top security talent or is leaning toward hiring a virtual CISO, ask why. Are you merely chasing lower costs, or is the internal environment too toxic for leaders to thrive?
Eventually, companies will see that effective security leadership calls for unwavering dedication. But this realization will only matter if they fix the core issues that push CISOs away:
- Vague or Unrealistic Accountability
Many job descriptions expect CISOs to master every technical system, regulation, and even help with marketing. It’s reasonable to have broad goals, but you need subject matter experts to back them up.
- Insufficient Resources
Don’t expand a CISO’s workload without boosting their budget, staffing, or tools. It’s not fair to demand more when they’re already stretched thin.
- Lack of Board-Level Representation
CISOs shouldn’t be blamed for outcomes they can’t control. If you want big changes, give them decision-making authority and respect those decisions, even when they’re tough or unpopular.
Your CISO works tirelessly to protect your organization. The question is, who’s looking out for them? Check in with your security leaders. Ensure they’re equipped for success, and stand behind them when they make critical calls. Offer the resources they need and show that you’re willing to act on their guidance, no matter how challenging.
The future of enterprise security hinges on striking the right balance. Will organizations address these concerns and keep their CISOs on board, or will more talented leaders join the rising ranks of vCISO consultants?