Survey Finds Over Half of CISOs Manage 10+ Security Areas with Limited Legal Protections and Short Tenure
More than half of CISOs now manage 10+ security areas, often with few legal safeguards and short tenures, yet continue to secure budgets and higher pay.
Sarah Gooding
June 18, 2025
Hitch Partners has released its eighth annual North America Security Organization Report, capturing the priorities, reporting lines, and program structures shaping today’s security leadership. The report draws on survey responses from over 500 CISOs and Director-level security leaders across the U.S. and Canada, offering a snapshot of how the modern CISO role continues to evolve in step with intensifying cyber threats and growing executive scrutiny.
For this research, “CISO” covers titles like Chief Information Security Officer, Chief Security Officer, Head of Security, VP of Security, and related roles charged with the overall security program strategy and execution. Here are a few of the highlights from the report that show how things are trending for CISOs.
1. Scope Keeps Growing
More than half of CISOs now oversee at least 10 separate security areas. This includes not just traditional cyber defense but also risk management, compliance, privacy, secure software development, and third-party risk. The role has steadily expanded into new business-critical areas, but teams and budgets are not always keeping pace.
2. Reporting Lines Shift in Bigger Companies
Smaller companies are more likely to give CISOs direct access to the CEO. About 35% of CISOs at firms with under 250 employees report directly to the CEO. In larger organizations, this drops sharply to just 2%. Instead, most large-company CISOs report to the CIO. This can limit how independently a CISO can push for security investments and resources, an important consideration given the reliance on ROI justifications.
3. Board Access Is Improving but Seats Remain Rare
Board engagement continues to increase. 62% of CISOs at public companies now present to the board at least quarterly, a 14% rise over last year. However, very few CISOs hold a formal board seat. Most participate as advisors rather than as voting members. Many CISOs say a board role is a goal for their future career growth.
4. Limited Legal Protections, Especially in Private Companies
The survey shows a clear gap in legal protections. More than half of CISOs at private companies lack key safeguards like Directors & Officers (D&O) insurance or strong indemnification policies. By contrast, CISOs at public companies are more likely to have these protections in place, along with better equity and signing bonus packages. The lack of coverage leaves many private-company CISOs exposed to personal risk in the event of legal action or disputes.
Many CISOs also lack strong personal legal protections even as they take on more responsibility. To cover these gaps, some leaders use personal liability insurance. However, only about 22 percent of CISOs at public companies and about 26 percent at private companies report having a personal liability policy in place. Meanwhile, nearly 29 percent at public companies and about 24 percent at private companies say they have faced a situation where they considered using such a policy. This shows how real the personal risk can be, especially in high-stakes incidents.
5. Short Tenure Reflects High Turnover and Stress
On average, CISOs stay in their role for about 39 months. This short tenure highlights the demands and pressures of the job. Building and maintaining a security program, justifying budgets, and managing large teams often lead to burnout or job changes. Many CISOs move on to larger organizations or roles with broader business strategy influence.
Despite Challenges, CISOs Still Secure Budgets and See Compensation Grow
Even with expanding responsibilities, limited protections, and relatively short tenure, most CISOs continue to justify security budgets successfully. According to the survey, compliance obligations, demonstrable business impact, and clear return on investment (ROI) are the top three drivers for budget approvals, regardless of whether the organization is public or privately held.
At the same time, CISO pay is still on the rise. Public company CISOs saw a 6.1 percent year-over-year increase in cash compensation. In larger companies and high-risk industries like finance and tech, pay and equity packages are even more competitive.
Overall, the role remains demanding but continues to gain influence and investment as organizations treat security as critical to business growth and risk management.