When a board tells me they can’t find a CISO, they’re revealing something unintended. 75% of Australian CISOs face excessive expectations. 68% witnessed burnout this year. When candidates see boards treating cyber as compliance and CISOs as liability absorbers, they decline.
What boards read as talent shortage is often the market’s verdict on the role they created.
The Real Problem: Fragile Governance
If your entire cyber governance sits in one role, and that role is vacant, the governance never existed. It was concentrated, not embedded.
The CISO vacancy isn’t your primary problem. It is governance that placed all accountability in one person rather than distributing it appropriately.
What CISOs See During Due Diligence
Qualified CISOs aren’t reading job descriptions. They’re reading the organisation.
1) The interview panel. No board involvement? The governance relationship will be at arm’s length.
2) The reporting line. Reporting to the CIO? Security is structurally subordinate.
3) The budget. Set by the CISO based on risk, or handed down from finance? They know the difference.
Only 30% of boards describe their CISO relationship as strong. Most remain transactional.
The Gap
Boards confuse access with influence. A fifteen-minute quarterly slot is presence, not access, and it does not give the CISO influence over decisions. Boards grant authority on paper, not in practice. The test of that authority isn't when security and business align; it's when they don't. Boards offer accountability without protection. 72% of CISOs refuse positions without proper liability protection. Accountability without budget authority or enforcement power is a liability without leverage.
When Conflicts Expose the Truth
I’ve watched this repeatedly. A strong CISO is hired. The board is proud. Six months in, a major project arrives. The CISO flags gaps and suggests a delay.
The project executive frames it as obstruction. The CEO caves under pressure. Go-live proceeds. The board is never informed. Remediation gets deprioritised. Months later, that gap contributes to an incident.
70% of CISOs say internal conflicts cause more problems than cyberattacks.
What breaks CISOs isn’t external threats. It’s discovering the organisation isn’t behind them.
What Boards Must Change
- Define escalation thresholds. Any go-live with documented CISO concerns must reach the board.
- Create a direct line. Formal CISO-Audit Chair relationship outside scheduled reporting.
- Add a standing item: “Material security recommendations not implemented? What’s the residual risk?”
The First Action
Before the next job description, audit honestly:
- What authority does the CISO actually hold when security conflicts with business priorities?
- Does the CISO have real access to the Audit Chair, or only a slot on the agenda?
- How was the last security-versus-business friction resolved, and did the board hear about it?
- What will change before the new CISO arrives?
Remember, the shortage is of trust, not talent, and it doesn’t close with salary. It closes when a board can say with evidence: we’ve built the conditions for success, and we’ll back you when it matters. That’s what serious CISOs are waiting to hear.
