While organizations invest in cyber resilience, the resilience of those leading the charge, the chief information security officers (CISOs), is often overlooked. The CISO position is consistently ranked as one of the most challenging in the C-suite. According to ISACA's State of Cybersecurity 2025 report, 66% of cybersecurity professionals say their role is more challenging now than it was five years ago.
CISOs often work in environments where security is underfunded, underemphasized, or misunderstood at the board and senior management level. Lack of support from senior management leads to:
- Budget constraints that limit the scope and impact of the CISO function, including resources for tools and automation.
- Skill shortages and restrictive operating models that prevent effective delegation of authority.
- Strategic misalignment where short-term delivery takes precedence over long-term business sustainability and customer outcomes.
This creates a vicious cycle: CISOs are held accountable for results without sufficient resources or management support, leading to stress, frustration and burnout.
Security is still often perceived as an obstacle to business until a major incident occurs. The constant need to “sell” cybersecurity across conflicting C-suite priorities is challenging, and growing public and stakeholder awareness is adding to the pressure.
For example, in finance, CISOs face strict regulation and intense scrutiny from the board of directors and the public. In the public sector, bureaucratic friction and procurement constraints can complicate strategic investments, leaving CISOs exposed from both an operational and reputational perspective.
To make progress in cybersecurity, CISOs must move beyond technical security and reposition security as a strategic enabler of business growth. This starts with changing the mindset of the board of directors and senior management through education, influence and ongoing engagement to view cybersecurity as an integral part of innovation and sustainability.
Developing executive dashboards that reflect the organization's cybersecurity posture can provide visibility into progress, operational resilience, and how security initiatives are aligned with enterprise strategy and goals. It is equally important to frame cyber risks from a business perspective, translating technical threats into measurable revenue, regulatory and user impacts. This type of communication elevates the CISO's role from IT specialist to strategic partner.
An ever-changing cyber landscape
Unlike other leadership roles, the CISO must constantly adapt to overlapping and complex regulations such as the UK Data Protection Act and the EU General Data Protection Regulation (GDPR), and to frameworks such as DORA and FCA PS21/3. They also face threats including ransomware and AI-enabled attacks. In addition, CISOs must cope with expanding attack surfaces resulting from expansion into new markets, cloud adoption, and increased dependence on third parties. These challenges are exacerbated by rapid technological shifts such as quantum computing and generative artificial intelligence.
CISOs must simultaneously manage today's risks, ensure operational integrity, define future strategy, and monitor the evolving landscape—all in real time. The speed of threats means that new systems, technologies or vulnerabilities can be attacked within hours of going live, leaving little chance for error or recovery.
The rapid pace of digital transformation, while important for business growth, increases risk and complexity beyond what traditional operating models can accommodate. CISOs must adapt quickly to protect organizations from increasingly sophisticated threats.
For example, in the healthcare industry, CISOs face ransomware threats that directly impact patient safety. In large global organizations, tool proliferation and third-party outsourcing add complexity and reduce visibility, leaving CISOs with fragmented oversight capabilities.
Building a stronger cybersecurity posture requires a unified, risk-based approach that clearly delegates control and responsibility across teams and partners. By combining a zero trust architecture with continuous third-party monitoring, organizations can reduce their attack surface and control vendor risk. Conducting threat simulation exercises further increases the security team's agility, preparing it to respond to emerging threats before they escalate.
Systemic illusions and cognitive overload
While strategic misalignments and resource constraints put pressure on the CISO, the problem of misalignment between accountability and authority persists. CISOs are expected to secure systems and manage risks in business units, outsourced services and technologies that they do not directly control, leaving them accountable for results without clear decision rights or contractual leverage.
The illusion of control occurs when CISOs are responsible for cybersecurity risks but lack the authority to enforce controls, especially in fragmented, outsourced, or federated environments. Their role shifts from decisive action to constant negotiation, resulting in increased stress and responsibility without the ability to drive change. In some public sector organizations, the CISO role is secondary or voluntary and is often combined with IT delivery, forcing the incumbent to prioritize operational delivery over security.
Changing cybersecurity leadership requires structural and cultural alignment. Establishing cross-functional governance and defining risk ownership between security leaders and business leaders will ensure that cyber risk becomes part of executives' day-to-day decision-making. Embedding security outcomes and risk criteria across all business projects further reinforces the fact that cybersecurity is a shared responsibility. At the same time, supporting the CISO's own resilience and well-being is critical. Accessing peer networks, executive coaching, and setting clear boundaries can help alleviate cognitive overload.
From burnout to balance
CISO burnout is not a personal weakness, but a consequence of inconsistent organizational design. Until cybersecurity becomes a core business function, CISOs will continue to face impossible expectations and fragmented authority. Organizations must redefine accountability and give CISOs real decision-making authority, and invest in the resilience of both their people and their strategies. Only then will cybersecurity leadership become a source of business strength rather than a risk of burnout.
John Skipper and Farrukh Ahmad are cybersecurity experts at the company PA Consulting