CISOs’ frustrations are reflected in their frequently short tenures. A 2023 report from Cybersecurity Ventures found that CISOs last an average of 18 to 26 months. “I’ve seen more CISOs leave their position over the last two years and not return. They’re moving on and doing other things,” says George Gerchow, chief security officer at Bedrock Security and faculty advisor at IANS.
Gerchow has experienced firsthand the frustrations of a less-than-ideal reporting structure. Initially, he was reporting to the right places, but organizational changes upended those communication channels. He was rarely communicating one-on-one with his boss, and the board was paying much less attention to him. “I felt like I had a wall between us, and then, my team started suffering. And I started seeing them leaving the company. I couldn’t talk them into staying very much. I probably waited too long, but I pulled the plug,” Gerchow shares.
Coming into his current role with Bedrock Security, Gerchow made board reporting nonnegotiable. “In my contract, it says I must report to the CEO or the board,” he says.
