CISOs: More Pressure from Internal Expectations than External Threats

CISOs have for years felt the strain of their jobs mounting with the expanding cyber threats and regulations they face, but according to a new report, the most consistent pressure is coming from within their organizations.

A survey released last week by Nagomi Security found that CISOs feel increasing stress coming from boards of directors that are more focused on security, shrinking resources, the proliferation of security tools, and expanded duties, such as having to manage how AI is deployed and secured within their organizations.

In fact, 44% of CISOs surveyed ranked board or executive expectations as their top stressor, more than external threats, which were cited by 33%.

“The increased presence of cybersecurity threats in the news and public consciousness has moved from the server room to the boardroom,” Nagomi co-founder and CEO Emanuel Salmona told MSSP Alert. “What was once seen as a technical function is now recognized as a core business risk, one that influences revenue, valuation, and even personal executive accountability.”

Boards are more engaged and demand measurable proof that the security investments the organization is making not only address security and compliance, but also improve business performance.

“The challenge is that the role has evolved faster than most organizations are able to keep pace with,” he said. “Many CISOs operate at the crossroads of risk, finance, and technology, often without the shared structure or vocabulary needed to manage those overlapping demands effectively.”

Pressure is Mounting

The growing pressure on CISOs and the burnout many of them are feeling are a growing concern at organizations and within the industry. In a column, Stephen Amstutz, director of innovation at cybersecurity vendor Xalient, noted a study by ISC2 that found that 73% of CISOs in the United States said they experience burnout, while in a Proofpoint survey, 61% said they face excessive expectations from their employers.

Nagomi, based in New York City, earlier this year co-produced a docuseries, “CISO: The Worst Job I Ever Wanted,” which featured CISOs talking about their jobs.

Nagomi’s survey is one of two reports this week that took a look at the CISO’s job, including the toll the pressure takes on their personal lives. RSAC, the organizer of the annual RSAC conference, surveyed a range of CISOs, from those at companies with fewer than 500 employees to Fortune 1000 firms.

The Worry of Burnout

One of the areas addressed was the stress that CISOs feel, and at least 60% said their mental or physical health has been affected by their job.

“CISOs serve as their companies’ public armor, but in private, they wear the weight of expectations and obligations heavily,” the report’s authors wrote. “And their cybersecurity team members are in the same boat. A 2024 study found that a worrying 78% of respondents were at serious risk of burnout, and the preliminary results from the 2025 study remain concerning, with 66% at risk.”

That’s not surprising, given that when CISOs burn out, the effects can ripple through a company. Nagomi’s Salmona said the demands that come with the job – from clarity and focus to sound judgement under pressure – can suffer if fatigue sets in.

“Nearly half of CISOs say burnout has already affected their ability to plan for or respond to incidents,” the CEO said. “That loss of edge translates into the results any human experiences when stressed: slower reactions, weaker coordination, and reduced vigilance. Over time, this compounds to erode readiness and resilience.”

It can also lead to high turnover, with CISOs leaving the job. When that happens, “security programs stall and institutional knowledge, as well as practical knowledge of owners of different priorities, disappear,” he said. “In that sense, burnout doesn’t just hurt individuals, but becomes a business risk in itself, weakening the organization’s entire security posture.”

Seeking Help

The authors of RSAC’s report said the company has seen the problem manifest itself at the conferences in recent years. Senior cybersecurity leaders were more likely than the average attendee to go to the sessions on mental health and employee burnout.

“RSAC 2021 – which was exclusively virtual because of the COVID-19 pandemic – boasted the highest percentage of Call for Submissions proposals on mental health and employee burnout,” they wrote. “But it was in 2022 that senior leaders were most keenly interested in the topic (they proved 45% more likely than the average attendee to join those sessions at the 2022 event).”

Blame, Expectations, and AI

For its 2025 CISO Pressure Index, Nagomi surveyed 100 U.S.-based CISOs and saw clearly the pressures of the job in multiple areas, including the personal accountability they face when a security incident occurs. About 17% said they always feel blamed for the incidents, regardless of the cause, and 39% said they often feel blamed. About 90% said that their role may be at risk to some degree, with 20% feeling extremely at risk.

Tool sprawl is a problem, with 65% of CISOs managing 20 or more security tools and 13% of them managing 50 or more. The tools can also come with integration problems (56% of CISOs said), and as much as half of them don’t deliver measurable ROI (57%).

Then there is AI. More than half of CISOs (59%) view agentic AI as their top near-term threat, and 20% of recent incidents are AI-related. That said, 82% of CISOs face pressure from leadership or boards to cut staff through AI-based automation.

“The rapid adoption of internal AI tools has added another layer of complexity,” Salmona said. “CISOs are now being asked to oversee how AI is deployed, governed, and secured within their own walls, often without clear precedent or policy frameworks, further amplifying the internal pressures they are already facing.”

MSSPs Can Ease the Burden

He said pressure will always be part of the CISO’s job, but organizations, the security industry, and the CISOs themselves “can manage it more intentionally” through prioritizing actions that measurably reduce risk, communicating technical outcomes in terms boards can understand, and spreading the job of security around to deputies, sharing accountability, and talking about workloads.

MSSPs and MSPs can also make a difference by assuming such day-to-day functions as monitoring and response.

“The best partners do more than add capacity: they bring clarity,” he said. “They help ensure defenses are effective, tools are aligned, and data is translated into meaningful, easily digestible insights for leadership.”

They also need to build trust with CISOs, many of whom are reluctant to rely on partners if the accountability is theirs alone. MSSPs need to establish strong collaboration, transparency, and shared responsibility to move from being a partner to being an extension of the internal security team.

Jeffrey Burt

Jeffrey Burt has been a journalist for almost 40 years, moving from general-circulation newspapers to IT news sites in 2000. He’s an expert analyst and writer on cybersecurity, data center infrastructure, AI, and a host of other subjects for a range of organizations, including CyberRisk Alliance, eWEEK, Techstrong Group, The Next Platform, and The Register.
