11 Jan 2022

Don't wait for your culture to change

Organisational culture is recognised as a potential driver of burnout, particularly in cybersecurity where CISOs often report the dual pressures of invisibility of success coupled with a culture of blame when things go wrong.

There are other factors in play, but for now accept the premise that the culture needs to change. Culture is determined by the leadership; it is generally a top-down thing. The corporate leaders are to be found in the C-Suite, where CISOs are typically absent.

Studies now put the average tenure of a CISO at 16-24 months (compared with NED tenure averaging 5.7 years and CXOs about the same, per the AICD).

The question is then, how long and under what circumstances will culture change to prevent skills loss in cyber leadership? What is the likelihood that a major breach or that of a competitor will result in the necessary epiphany in the C-Suite to the effect ‘we must support our cyber teams better’ versus ‘who do we fire’?

Following major incidents, we typically see no change to the C-Suite, but attrition or at least diminished morale in the cyber teams and doubts as to self-efficacy.

Cybermindz’ own research suggests this factor portends resignation intent — and is currently tracking at levels worse than those of frontline health care workers.

What to make of all this? Firstly, we can’t rely on constant calls for cultural change to do the work necessary here. If the attack environment continues to deteriorate, then, according to this analysis, we should expect to see further depletion in capability. Recognising this dynamic and reversing it should now be a national priority.

A good first step might be to mandate CISO representation in the C-Suite, something I raised with Kevin Shaw late last year. I’m sure others have thought of this also. Are you putting this in your submissions to the National Cybersecurity Strategy?

How about mandatory cybersecurity education for the C-Suite across all sectors, not just financial? A revision of employment contracts to ensure adequate resourcing as a right of appointment? Governmental leadership and advocacy in support of those in the trenches?

Right now, I’m not seeing a lot of non-CISOs going in to bat for CISOs. Your mileage may vary. Interested in your thoughts.

And by the way, before we wait for culture to change, what support can we give existing teams to manage the lack of empathy they feel from above? How do we keep them connected to mission and purpose while the culture catches up?
