June 1, 2026
Greg Reber

When a breach happens, the CISO's LinkedIn profile starts looking like a last will and testament.

Let's be honest about something that the cybersecurity industry prefers to discuss in hushed tones at conference cocktail hours: being a Chief Information Security Officer is, statistically speaking, one of the more dangerous jobs in corporate America. Not dangerous in the way that being a crab fisherman is dangerous. Nobody is losing fingers. But in terms of career mortality following a single bad day, the CISO occupies a uniquely exposed position in the organizational food chain.
Consider what happened to Timothy Brown, CISO at SolarWinds during the devastating 2020 supply chain attack that compromised thousands of organizations, including multiple U.S. federal agencies. He found himself personally named in an SEC lawsuit. The attack itself was extraordinarily sophisticated, a nation-state-level operation that exploited a trusted software update mechanism in ways that would have challenged any security team on the planet. None of that nuance made it into the headlines. What made it into the headlines was his name. Mr. Brown is still the CISO of SolarWinds. He speaks often, most notably about moving board-level conversations away from simple heatmaps toward quantified, defensible risk.
Here is the reality that every CISO knows: organizations spend years accumulating technical debt, underinvesting in security infrastructure, overriding security team recommendations for the sake of shipping velocity, and generally treating the CISO as a compliance checkbox rather than a strategic partner. Then, when the inevitable breach occurs, they express tremendous shock, the kind of shock that is only available to people who have not been paying attention, and the CISO becomes the designated vessel for all of it.
The data bears this out in ways that should make any sane person think twice before accepting the role. The average CISO tenure is 18 to 26 months, according to a study from CISO Global, while the rest of the C-suite enjoys a 4.9-year average. Chief Marketing Officers, who famously preside over campaigns that produce measurable failures on a quarterly basis, last longer. Something is structurally wrong here, and it is not primarily a talent problem.
What reasonable CISOs have begun to recognize, and what is reshaping how they evaluate and purchase security technology, is that their job now has two distinct components. The first is actually reducing risk. The second is being able to prove, in a courtroom or a board meeting or an SEC filing, that they did everything a reasonable security professional could have done. These two goals are related, but they are not identical, and increasingly, the second one is what keeps people employed.
This is what security professionals mean when they talk about defensibility. They are not describing a technical posture. They are describing a paper trail. They are describing the ability to stand in front of a hostile audience and say, with supporting documentation, that the risk was identified, quantified in financial terms the board could understand, prioritized according to rational criteria, and addressed to the extent that budget and organizational constraints allowed. The vendors who understand this will win. The ones still selling fear without evidence will not.
CISOs are now explicitly asking their security vendors to help them answer a set of very specific questions:
The vendors who can answer yes to those questions are not merely selling security software. They are selling something considerably more valuable: the reasonable expectation that when the bad thing happens, and in this industry the bad thing always eventually happens, the CISO will still have a job on the other side of it.
That is, if you think about it clearly, exactly what the market should be demanding.