
‘I Quit!’ – When CISOs Need to Take Charge of Their Careers

Brandy Harris

Security Needs to Document Risks and Push Back Against Retroactive Accountability

A recent LinkedIn post has been circulating in cybersecurity circles, written as a CISO’s resignation letter – “effective immediately.” It resonates with security leaders who know the pattern – budget requests that are denied, risks that are documented and escalated, and a breach that follows a known vulnerability. Then the CISO is hit by the inevitable question: “Why didn’t you prevent this?”

Whether the resignation letter is a true story or a parable, the LinkedIn post exposes a structural flaw in how organizations manage cyber risk. It’s not just a story about a CISO walking away from the job. It shows what happens when risk is accepted quietly and accountability is enforced retroactively, and it’s a cautionary tale about why CISOs need to actively manage their careers.

The Problems Are Structural, Not Personal

CISOs operate in an inherently asymmetrical environment. Cyber risk is persistent, adaptive and increasingly consequential, while funding and staffing are finite. Boards and executive teams, often under their own financial and regulatory pressures, ask security leaders to manage risk within constraints outside the security leader’s direct authority.

The tension itself is not the problem. Every leadership role involves tradeoffs. The problem emerges when those tradeoffs are never named. Financial constraints are treated as implicit. Risk acceptance is assumed rather than declared. Residual exposure is ignored until it materializes. When an incident occurs, the organization rewrites the narrative and assigns accountability downward.

That is the moment when the CISO role becomes untenable.

Retroactive Accountability Is the Breaking Point

The most damaging question a CISO can hear after a breach isn’t “What happened?” It’s “Why didn’t you prevent this?” when the organization previously declined to fund mitigation projects that could have avoided the breach. This is not a failure of communication. It is a failure of governance. Retroactive accountability occurs when leaders benefit from risk acceptance in advance but deny ownership once consequences appear. The CISO becomes the container for that contradiction.

Over time, this creates something deeper than stress. It creates moral injury. Security leaders know what should have been done, know they raised the issue and know they were overruled. Being held responsible anyway erodes trust and leads to burnout or attrition.

Risk Posture, Not Security Spend

One of the few ways to make this role survivable is to change how security decisions are framed at the executive and board level. The conversation shouldn’t be about whether the organization is “secure enough.” That question has no concrete answer.

Instead, it must be about risk posture selection.

At a given level of funding, the organization is explicitly accepting specific categories of risk, with known impact ranges and operational consequences. At a higher level of funding, certain risks are reduced, others remain and recovery improves. At a lower level, exposure increases in predictable ways.

This reframing does two critical things. First, it moves the discussion from justification to choice. Leadership is not being asked to approve a security expense. They are being asked to select a risk posture. Second, it makes accountability forward-facing rather than retrospective. When a known risk materializes, it is recognized as the outcome of a documented decision, not a surprise failure of execution.

Shared Ownership Is the Difference Between Survival and Burnout

When financial constraints, risk acceptance and residual exposure are treated as shared governance decisions, the CISO role becomes difficult but sane. The pressure does not disappear, but it becomes coherent. Responsibility aligns with authority. Decisions are traceable. Blame is replaced with analysis.

When those elements are denied or rewritten after the fact, survival becomes accidental rather than intentional. Some CISOs endure by dissociating. Others burn out quietly. Some, like the figure in the LinkedIn story, walk away abruptly once the psychological cost outweighs the professional one. None of those outcomes strengthen organizational security.

Why This Matters Beyond Individual Careers

The lesson here is not that CISOs should resign when conditions are difficult. It is that organizations that want effective, stable security leadership must mature how they govern risk. Cybersecurity cannot function as a symbolic assurance role while simultaneously serving as the dumping ground for unowned decisions.

Stories like the viral resignation letter persist because they reflect a pattern many security leaders recognize but rarely see named. They are not calls to quit. They are warnings about what happens when accountability flows in only one direction.

So, can a CISO survive between a rock and a hard place without being crushed?

Yes, but only when the rock and the hard place are acknowledged openly. When financial constraints, risk acceptance and residual exposure are treated as shared governance decisions rather than silent expectations, the role becomes difficult but sane. When they are denied or rewritten after the fact, survival becomes a matter of luck.

That distinction isn’t philosophical. It’s operational, and it’s one that boards and executives can no longer afford to ignore.

About CyberEd.io

CyberEd.io supports security leaders as they navigate the operational, governance, and career realities of modern cybersecurity leadership. Our training and learning experiences help CISOs and senior practitioners strengthen risk communication, executive alignment, and decision-making under constraint so accountability is shared and defensible. To learn how CyberEd.io can help you build resilient security leadership and sustainable career paths, contact us to start the conversation.
