Why Cybersecurity Leadership Keeps Failing (And What Needs to Change)

  • Writer: Karl DiMascio
  • Jun 8
  • 2 min read

It’s easy to point fingers when a breach hits the headlines. The CISO becomes the scapegoat, the board demands answers, and the post-mortem begins. But beneath the incident response reports and regulatory scrutiny lies a bigger question: why are cybersecurity leaders still struggling in 2025?


This isn’t about blaming individuals. It’s about understanding the structural, cultural, and operational challenges that make the job of leading cybersecurity so uniquely difficult, and what actually needs to change to fix it.


1. The Impossible Job Description

Today’s cybersecurity leader is expected to be a translator between technical teams and non-technical executives, a strategic visionary and operational tactician, a compliance guru, and a crisis commander - all at once. They must balance risk appetite with innovation, cost with protection, and speed with security.


Yet most organisations don’t set CISOs up for success. Budgets are constrained. Reporting lines are fuzzy. Boards want magic answers without wanting to understand the real threat landscape. When a leader operates in a structure that doesn't support them, failure isn’t just likely - it’s inevitable.


2. Is It a Leadership Problem, or a Company Problem?

Cybersecurity often reveals a company’s true culture. If security is treated as an IT cost centre, leaders will be hamstrung. If boardrooms only engage with cybersecurity after a breach, leadership will always be reactive. If there’s no shared accountability across business units, CISOs become lone warriors in an unwinnable war.


So, is the CISO failing, or is the company failing the CISO? The answer is usually both. Strong leadership matters, but it cannot overcome broken systems or misaligned incentives alone.


3. The Human Toll

Burnout in cybersecurity leadership is rampant. Many CISOs leave roles within 18–24 months. The stress of managing 24/7 threats, regulatory pressures, and internal politics creates a volatile mix. Good leaders are often driven out not by hackers, but by bureaucracy, lack of support, or misaligned executive priorities.


And as we keep recycling the same leadership under the same conditions, we wonder why the outcomes don’t improve.


4. What Needs to Change?

It starts with rethinking the role of cybersecurity leadership in the business:

  • Clear governance and reporting lines. CISOs need board-level visibility, not buried under IT or compliance.

  • Shared risk ownership. Business leaders must co-own cyber risk, not just outsource it to the security team.

  • Investment in resilience. Cybersecurity isn’t a cost, it’s an enabler. That mindset shift must happen at the top.

  • Longer-term leadership development. We need to stop burning through CISOs and start building true succession paths and support systems.


And critically, we must stop expecting individual heroics to overcome systemic dysfunction.


5. A Call for Real Cybersecurity Leadership

Cybersecurity leadership in 2025 needs more than technical depth and crisis management skills. It needs influence, resilience, strategic literacy, and most of all, the support to lead meaningfully.


It’s time to stop setting our cybersecurity leaders up to fail.


Because if we don’t fix the system, no leader will be good enough.


Karl DiMascio

IntroSecurity ASEAN

June 8th, 2025