The CISO is a Scapegoat – Why the Role Must Be Fundamentally Reformed
When things go wrong, the CISO is the one who pays. At Uber, at Capital One, at SolarWinds: after every major security incident it is the same person whose head rolls, whether by dismissal, reassignment, or personal prosecution. The Chief Information Security Officer bears the responsibility but lacks the budget, the authority, and the board seat needed to fulfill the role. An analysis of a toxic role structure.
TL;DR
- The average tenure of a CISO is 26 months – the shortest of all C-level positions
- Only 12 percent of CISOs report directly to the CEO – the majority are under the CIO or CTO and do not have their own budget authority
- After a security incident, the CISO is replaced in 60 percent of cases – even if the cause lies in underinvestment or business decisions
- Burnout rates among CISOs are over 50 percent – the highest of all IT leadership roles
Responsibility Without Power
Imagine you are the fire safety officer of a high-rise building. You know that the sprinkler system is outdated, the escape routes are blocked, and the fire doors do not close. You write reports. You escalate. But the building management says: “Too expensive. We’ll do it next year.” Then it burns. And you are fired because the fire safety failed.
This is the reality for most CISOs. They identify risks, document them, escalate them – and are overruled. By business units that want to deliver faster. By the CIO who needs the budget for other projects. By the board that sees security as a cost center. Until the attack comes.
The Structural Problem
Reporting Line: A CISO who reports to the CIO has an inherent conflict of interest. The CIO optimizes for speed and efficiency; security is friction. In this setup, security systematically loses, not out of malicious intent but because it sits one level lower in the structure and can always be overruled.
Budget Reality: The average security share of the IT budget is 5 to 10 percent; in regulated industries it is slightly more. In other words: of every euro that IT spends, roughly 90 cents go into projects that the CISO must then secure with the remaining 10 cents.
Career Trap: The role is a lose-lose position. If nothing happens, security was “unnecessarily expensive.” If something happens, security “failed.” No outcome is positively visible for the CISO. The best CISOs are invisible – and are the first to be cut when savings are needed.
What Joe Sullivan Showed at Uber
The case of Joe Sullivan is paradigmatic. As CISO of Uber, he concealed a 2016 data breach from regulators and was criminally convicted for it in 2022. The conviction was legally correct. But it also showed that the CISO stood alone: the decision to cover up was made in an environment that treated security incidents as business risks to be managed, not as problems to be communicated transparently.
Since Sullivan, every CISO thinks: "If it goes wrong, I'll end up in court." This does not create better security; it creates defensive CISOs who protect themselves with documentation instead of addressing risks.
How the Role Should Work
Board-Level Reporting: The CISO must report directly to the board or supervisory board, not to the CIO. In regulated industries, NIS2 and DORA already place oversight of cyber risk with the management body itself. Direct reporting must become the standard.
Own Budget: Security needs its own budget that cannot be reallocated by the CIO. Guideline: at least 10 percent of the total IT budget, and 15 percent for KRITIS companies (operators of critical infrastructure under German law).
Shared Accountability: NIS2 is on the right track: managers are personally liable for cybersecurity. Not just the CISO – the entire board. If the CEO is as liable as the CISO, security budgets will be negotiated differently.
Conclusion: Save the Role, Don’t Let the Head Roll
CISO burnout is not an individual problem but a systemic one. As long as the role combines responsibility without authority, it will lose the best minds, and companies will become less secure, not more. The reform begins with the reporting line and ends with the distribution of liability.
Key Facts
CISO Tenure: 26 months on average – compared to 72 months for the CFO and 54 months for the CIO.
Burnout: 54 percent of CISOs report chronic overload, 24 percent have actively sought a role outside of security in the last 12 months (IANS Research, 2024).
Frequently Asked Questions
Does Every Company Need a CISO?
Yes, above a certain size. For companies with fewer than 200 employees, an external vCISO (virtual CISO) who provides strategic advice and delegates operational security to managed services is often sufficient. What matters is that responsibility is clearly assigned and backed by authority.
How Does NIS2 Change the CISO Role?
NIS2 makes managers personally liable. This shifts the dynamics: security becomes a board issue rather than a CISO issue. CISOs gain authority because the board, now personally liable, actively listens.
How Much Does a CISO Earn in Germany?
Between 120,000 and 250,000 Euro, depending on the size of the company and the industry. Compared to US salaries (300,000 to 600,000 dollars), this is low – another reason for the skills shortage in this position in Europe.
Related Articles
- NIS2 and Manager Liability: Why Cybersecurity Is a Board Issue
- Cybersecurity 2025: The Year in Review
- DORA in Practice: First Experiences from the Financial Sector