CISOs are cracking under pressure

Cybersecurity leaders are hitting their limit. A new report from Nagomi Security shows that most CISOs are stretched thin, dealing with nonstop incidents, too many tools, and growing pressure from their boards. The pressures are so intense that many say they are burned out and thinking about walking away.

CISOs under strain

The personal cost is beginning to affect business readiness. Nearly half said burnout has already hurt their ability to prepare for breaches. The researchers warn that when leaders reach this point, the entire organization becomes more vulnerable.

The findings show that the job has moved far beyond technology oversight. CISOs are expected to stay on alert around the clock, manage growing tool stacks, and reassure executives and boards that the business is secure. With smaller teams and tighter budgets, many say they have little time to recover between incidents.

Breaches are routine and blame is personal

Most CISOs surveyed experienced a major security incident in the last six months. For most, that level of disruption has become normal. More than half said they are personally blamed when breaches occur, and fear their job would be at risk if a serious incident happened under their watch.

That sense of personal accountability stands out because many breaches occur despite defenses being in place. Fifty-eight percent of CISOs said at least one recent incident happened even though a tool was supposed to stop it. The researchers say this gap between investment and outcome has left security leaders exposed to reputational and career risk for problems that are often beyond their control.

When every incident can lead to professional fallout, CISOs tend to focus on short-term survival instead of long-term strategy. The report suggests this cycle of incident, blame, and fear is wearing down leaders and weakening trust between CISOs and their organizations.

Tool sprawl adds risk

The report also shows how tool sprawl is making things worse. Many CISOs manage dozens of security tools, yet incidents still slip through systems that were supposed to prevent them.

Integration gaps are a common complaint. More than half of respondents said their tools do not connect well, forcing teams to rely on manual workarounds. A similar share said fewer than half of their tools show measurable return on investment. The researchers describe this as a structural issue that adds complexity and blind spots at a time when security teams need simplicity and speed.

The boardroom becomes the biggest stress point

For many CISOs, the greatest pressure comes from inside the organization. Forty-four percent said board and executive expectations are their top source of stress, compared with 33 percent who cited external threats.

Most CISOs say they can quantify risk, but more than half admit they lack standardized, business-focused metrics that make sense to leadership. Boards often want trendlines that show risk is declining or metrics that link incidents to business outcomes. Without these, the conversation between CISOs and directors can break down.

This disconnect means security leaders are often held accountable without being equipped to demonstrate progress in the terms boards expect. The researchers note that aligning on a shared understanding of risk is key to reducing tension and helping CISOs do their jobs.

“CISOs are managing nonstop risk with limited support and even less time,” said Emanuel Salmona, CEO of Nagomi Security. “They’re expected to be strategic leaders and first responders all at once. The best way to support them is to share accountability across the business, make outcomes clearer, and give them the space to focus on what actually reduces risk.”

AI brings new threats and conflicting expectations

Agentic AI attacks are the top concern for security leaders. Fifty-nine percent of respondents named them as the most pressing threat over the next year, and nearly one in five recent incidents were already AI-related. Looking a few years ahead, almost half expect AI-driven attacks to dominate their threat landscape.

Many CISOs say they’re being pushed to use AI to cut costs and automate tasks, with some already under formal mandates and others feeling growing pressure from leadership. That puts CISOs in a difficult position. They are expected to defend against AI-powered attacks while also adopting AI to streamline operations and reduce staffing costs. The researchers describe this as a growing contradiction that forces leaders to balance defense and efficiency in ways that could stretch them even thinner.


