Security department heads — those directly reporting to the CISO — are decidedly looking to leave their posts. But various factors, including a weak economy, are delaying their exoduses, which could give CISOs time to change their minds.
According to the 2025 IANS Cybersecurity Staff Compensation Benchmark Report, the majority of functional department heads (53%) are contemplating a change of employment in the near future, versus 46% of middle managers and 40% of staff.
“While these considerations do not always translate directly into actual attrition, they signal potential motivational challenges and underlying dissatisfaction with certain aspects of the job,” IANS wrote in its report.
“There’s a lot of pent-up interest in changing jobs out there and getting ahead of the situation can help to prevent an exodus when more opportunities are available in the marketplace,” said Nick Kakilowski, senior research director at IANS, noting that broad dissatisfaction is being met by a job market sufficiently slow to prevent significant movement.
“This makes now a prime time to make lower-cost investments in retention to boost satisfaction and secure the loyalty of high performers to avoid the high costs of recruiting new talent when the market eventually opens up,” he said.
Ravi de Silva, CEO of compliance consulting firm de Risk Partners, argues that CISOs must adjust their thinking if they want to retain their direct reports in 2025.
“If you want to keep [those department heads], think like a founder, not a function. Give them ownership, not just oversight. People stay when they’re building something that matters, not just protecting something that might break,” said de Silva, who until last year was the global head of compliance testing at Citi, a role he held for seven years. “Retention isn’t about perks. It’s about purpose. If your team has no voice in shaping security culture, don’t be surprised when they find a company that gives them one. They want agency, not just direction.”
Although burnout is often seen as a driving force behind job dissatisfaction, de Silva disagrees.
“The problem isn’t burnout. It’s the bottleneck beneath the CISO. Mid-levels are carrying risk without being allowed to lead. If the only way forward is more pressure with no growth, they’ll leave,” de Silva said. “Drop your top performers into cloud, fraud, or ops. It signals trust, builds range, and keeps them engaged. Boredom is a bigger flight risk than burnout.”
Moreover, Kakilowski notes that IANS research shows enterprise CISOs are staying in their roles much longer these days, so deputies with ambitions for the top security executive spot must wait longer or look elsewhere for their shot.
Unique challenges to the security lead role
Mike Piekarski notes that a typically overlooked element for retaining department leads is cybersecurity group camaraderie, as teammates are often a key reason to enjoy the job. “They want to stay for each other. Encouraging them to explore things together, that builds a team vibe,” said Piekarski, who prior to running cybersecurity consulting firm BreachCraft led the security engineering team at Disney and held a similar role with Comcast.
“I had a cyber team lead who was responsible for herding cats in our SOC and being a lead engineer on technical projects. He revealed that he did not like the managing of resources, but did like mentoring them and teaching them technical skills. And many of his engineering tasks became repetitive over time so he started feeling stagnant,” Piekarski said. “That [leader] revealed to me that he had an interest in forensics and incident response so we put together a plan and budget to get him SANS training and a GCFA [GIAC Certified Forensic Analyst] where we carved out responsibilities for him to lead incident response processes.”
Piekarski said the move helped open an ongoing dialogue that resulted in shifting administrative duties to another resource to manage, while keeping the lead as a senior technical mentor for the team.
“I also began soliciting his input for internal strategies, to make him more included in leadership decisions and processes, even bouncing project plans off of him to vet them, which would not be a traditional part of his role but I believe demonstrated to him I valued his input and expertise,” he said.
Jay Bavisi, president of security certs and training company EC-Council, cautions that, as a retention strategy, training can sometimes have an adverse effect.
“Training in cybersecurity usually improves retention if it’s part of a broader talent development strategy,” he said. But “done in isolation, it can backfire by making employees more marketable without giving them reasons to stay.”
One way to reduce dissatisfaction among functional heads is to avoid role creep, said Marcos Alves, CEO of AI cybersecurity vendor Hal-AI.
“It’s common for team members to be assigned responsibilities that go well beyond their official job descriptions. This leads not only to financial dissatisfaction, but also to professional frustration — because when they succeed, it’s not formally recognized. But when they make a mistake, well, you know how it goes,” Alves said.
“Always ensure alignment between official job roles and the actual responsibilities being carried out,” he advised. “If necessary, meet with the professional and update their employment contract to reflect the expanded scope of their duties.”
Ed Skoudis, president of SANS Technology Institute, sees a related problem: “Security professionals are being promoted into leadership roles where they feel unequipped, unsupported, or simply disinterested — yet there’s little room for advancement elsewhere.”
Worse, business directions, over which department heads have no say or control, can bring additional dissatisfaction to the role.
“Budget freezes, M&A events, offshoring, shifting board priorities. None of these had anything to do with performance, yet they constantly loom over the role,” said Colin Caird, founder of an AI app development firm called Numbers Station. “It’s hard to turn ‘nothing bad happened this quarter’ into a compelling case for a raise or a promotion.”
Making that worse is the constant threat of key roles being outsourced, Caird said. “Even at traditionally in-house-heavy Fortune 500s, there’s growing pressure to hand off cybersecurity functions to MDR providers. That erodes both influence and job security for internal teams.”
The original article, "53% of cyber department leaders eyeing the exit," was published on CSO Online.