While organisations invest in cyber resilience, the resilience of those leading the charge, chief information security officers (CISOs), is often overlooked. The CISO role is consistently ranked among the most high-pressure in the C-suite. According to ISACA’s State of Cybersecurity 2025 report, 66% of cyber security professionals say their role is more stressful now than it was five years ago.
CISOs often operate in environments where security is underfunded, under prioritised, or misunderstood at the board and C-suite level. A lack of senior-level buy-in trickles down into:
- Budget constraints that limit the scope and impact of the CISO function, including resources for tooling and automation.
- Skills shortages and restrictive operating models that prevent effective delegation.
- Strategic misalignment, where short-term delivery is prioritised over long-term business resilience and customer outcomes.
This creates a vicious cycle: CISOs are held accountable for outcomes without sufficient resources or executive backing, leading to stress, frustration, and burnout.
Security is still often perceived as a business inhibitor until a significant incident occurs. The constant need to ‘sell’ cyber security within conflicting C-suite priorities burns effort, while rising public and stakeholder awareness amplifies the pressure.
For example, in finance, CISOs face strict regulation and intense board and public scrutiny. In the public sector, bureaucratic friction and procurement constraints can complicate strategic investments, leaving CISOs exposed both operationally and reputationally.
To move the needle on cyber security, CISOs must go beyond technical defences and reposition security as a strategic business enabler. This starts with shifting board and C-suite mindsets, through education, influence, and persistent engagement, to see cyber security as integral to innovation and resilience.
Developing executive-level dashboards that articulate the organisation’s cyber security posture can provide visibility into progress, operational resilience, and how security initiatives align with strategy and enterprise goals. Equally critical is framing cyber risk in business terms, translating technical threats into quantifiable impacts on revenue, regulation, and user impact. This kind of communication elevates the CISO’s role from IT steward to strategic partner.
The ever-changing cyber landscape
Unlike other leadership roles, the CISO must constantly adapt to overlapping and complex regulations, such as the UK Data Protection Act, the EU General Data Protection Regulation (GDPR), and frameworks like DORA and FCA PS21/3. They also face threats including ransomware and AI-driven attacks. Additionally, CISOs must manage expanding attack surfaces resulting from offshoring, cloud adoption, and increasing third-party dependencies. Compounding these challenges are rapid technological shifts, such quantum computing and generative AI.
CISOs must simultaneously manage today’s risk, ensure operational integrity, steer future strategy, and monitor an evolving landscape, all in real time. The pace of threats means new systems, technologies, or vulnerabilities can be targeted within hours of going live, leaving little margin for error or recovery.
The rapid pace of digital transformation, while essential for business growth, expands risk and complexity beyond what traditional operating models can accommodate. CISOs must adapt at speed, safeguarding organisations against increasingly sophisticated threats.
In healthcare, for example, CISOs face ransomware threats that directly impact patient safety. In large global organisations, tool sprawl and third-party outsourcing increase complexity and reduce visibility, leaving CISOs with fragmented control capabilities.
Building a stronger cyber security posture requires a unified, risk-based approach that clearly delegates controls and accountability across teams and partners. By layering zero-trust architecture with continuous third-party monitoring, organisations can shrink their attack surface and keep vendor risk in check. Running threat simulation exercises further sharpens the security team’s agility, preparing them to respond to emerging threats before they escalate.
Systemic illusions and cognitive overload
While strategic misalignments and resource constraints put the CISO under pressure, the issue of a mismatch between accountability and authority persists. CISOs are expected to secure systems and manage risk across business units, outsourced services and technologies they don’t directly control which leaves them accountable for outcomes without clear decision rights or contractual levers.
The illusion of control arises when CISOs are accountable for cyber security risk but lack authority to enforce controls, especially across fragmented, outsourced, or federated environments. Their role shifts from decisive action to constant negotiation, increasing stress and accountability without power to drive change. In some public sector organisations, the CISO role is secondary or voluntary, often combined with IT delivery, forcing individuals to prioritise security against operational delivery.
Driving change in cyber security leadership demands structural and cultural alignment. Establishing cross-functional governance and defining risk ownership between security and business leaders ensures that cyber risk becomes part of everyday executive decision-making. Embedding security deliverables and risk criteria into all business projects further reinforces that cyber security is a shared accountability. At the same time, supporting the CISO’s own resilience and wellbeing is crucial. Access to peer networks, executive coaching, and setting clear boundaries can help mitigate cognitive overload.
From burnout to balance
CISO burnout is not a personal weakness but a consequence of conflicting organisational design. Until cyber security is embedded as a core business function, CISOs will continue to face impossible expectations and fragmented authority. Organisations must redefine accountability and empower CISOs with real decision-making authority, and invest in resilience, for both their people and their strategies. Only then will cyber security leadership become a source of business strength, rather than a burnout risk.
John Skipper and Farrukh Ahmad are cyber security experts at PA Consulting
