“Firing the CISO might seem like a necessary reset for CIOs or boards, but it’s not always a strategic move. If the incident response plan was followed, the detection tools worked, and recovery was within SLAs, then replacing the CISO often sends the wrong message internally,” Avakian maintains. “It shows that the security role is more about optics than substance. But if basic hygiene was neglected — such as with no segmentation, no backups, no tabletop exercises — then change might be justified.”
Frank Dickson, group VP for security at IDC, agrees with Avakian’s assessment, but adds that some CISOs leave of their own volition after a ransomware attack, leading to higher replacement numbers.
“Addressing a ransomware event is extremely taxing. A security person may choose to leave due to burnout or be asked to leave due to conflict that results from the remediation process rather than the attack itself,” Dickson says.
