
CISO: Holding the Line started with a question we thought we knew the answer to. We called it CISO: Worst Job I Ever Wanted, until the CISOs we interviewed showed us a more honest framing. Through conversations with security leaders at MGM, Justworks, Texas Mutual, Alera Group, and others, we explore what the role actually costs: the sleepless nights, the personal sacrifices, the isolation of accountability without applause, and the quiet weight of being the last stop. Not a cautionary tale. A portrait of people who choose this role anyway, and why that matters.
By Melissa Goldberger – CMO, Nagomi Security
What We Got Wrong About the Hardest Job in Security
At Black Hat 2024, our team sat down with CISOs for a series of intimate, off-the-record conversations. No panels. No talking points. Just people telling us what the role actually costs them, what it demands, and why they stay anyway.
Our former director of brand and content walked away from those conversations with a clear conviction: these stories needed to be told, and they needed to be told as a series. Not a single documentary that airs once and disappears. A series, because the CISO story does not end after one episode. It keeps going. New threats, new pressures, new leaders stepping into the role every year. One film could never hold all of it.
She came back and pitched it to us. I understood immediately why she felt that way.
We called it CISO: Worst Job I Ever Wanted. It felt right at the time. A little dark, a little self-aware, a nod to the pressure, scrutiny, and impossible tradeoffs that come with the role.
Then we started listening.
Across interview after interview, CISOs did not describe a job they regretted. They described a job they chose, deliberately. Challenging, relentless, sometimes unforgiving, but meaningful. Some told us directly they almost did not participate because of the original title. It did not reflect how they saw the role, or the pride they take in it. In a few cases, the title stopped the conversation before it started.
That mattered to us. So we listened harder. And a different truth came into focus.
They hold the line.
What Holding the Line Looks Like
Holding the line means carrying pressure so others can keep moving. It means standing behind judgment calls when the scrutiny arrives, knowing that success passes quietly and failure never does.
As Tyson Kopczynski, Principal at Cymetry One, puts it, the CISO is the structural fail-safe of the modern enterprise. Without them, there is a “greater propensity for Black Swan events”—those rare, high-impact disasters that cause the total collapse of interconnected systems. The CISO’s job is to ensure the organization can sustain the failure of a single part before it breaks the whole.
Branden Newman, CTO of MGM Resorts International, knows the weight of that responsibility firsthand. He told us about getting the call in the middle of the night. The first words made it clear the situation was bad. Within hours he was out the door, and he would not return to normal life for months. This wasn’t just a technical glitch; it was a battle to prevent the very collapse Kopczynski describes. Hundreds of hours responding to one of the largest cyber incidents in recent history while his wife and son watched from home, unable to fully understand why he had to leave or when he was coming back.
When it was over, he still carried it. Not because the response failed. Because that is what the role does. You translate risk when others do not see it. You make the call. And the weight of that call stays with you long after the incident closes.
That is holding the line.
Carrying Tension So Others Can Move
The data supports what our team heard. The CISO Pressure Index shows that 80% of CISOs report operating under high or extreme pressure, and 44% say burnout has already impacted their ability to prepare for a breach. Accountability without authority. Personal liability exposure. Constant readiness.
But numbers only describe the surface. The interviews took us deeper.
Yabing Wang, CISO at Justworks, told us, “There is no black and white in this role. Every decision is a tradeoff, and if security becomes friction, people work around it.” So the CISO absorbs the tension instead, holding it so the business can keep moving.

Yonesy Nuñez, a five-time CISO and global cybersecurity executive, framed it another way. “Our job is to deliver bad news in a hopeful fashion.” That one sentence captures the emotional discipline the role demands. You walk into every room carrying information no one wants to hear, and your job is to make it useful instead of paralyzing.
John Sapp Jr., VP of Information Security and CISO at Texas Mutual Insurance Company, compared it to parenthood. You think about every threat. You plan for every scenario. You do everything in your power to protect what is in your care. And when something still goes wrong, when the breach happens despite the preparation, someone turns to you and says it is your fault. His voice caught when he told us that part. How dare someone say you’re a bad parent, he said, when you gave everything you had.
That is what holding the line feels like from the inside.
The Line Is Personal
What stood out across these conversations was how deeply the role bleeds into personal life. Not in the way people talk about work-life balance at conferences. In the way a phone buzzing at dinner changes the air in the room. In the way your partner learns to read your posture before you say a word.
Yonesy talked about the quiet weight of being the last stop. “You’re the one people look at when there’s nowhere else to go. You don’t get to pass it off.”

That responsibility does not end when the meeting ends. It follows you home. It sits in the background during family time. It hums when things are quiet. It is there when you wake up at 3 a.m. and check your phone before you check on your kids.
He also told us he recently picked up his guitar for the first time in ten years. His wife saw him playing and asked why. His answer: “You’re asking the wrong question. Why did I stop?” That is what the role does. You stop doing the things that make you who you are, and you do not notice until years later. The guitar does not disappear in a dramatic moment. It just quietly collects dust while you are busy protecting everyone else.
Edna Conway, former Chief Security Officer at Cisco and Microsoft, put it as plainly as anyone could. “You can have everything in your life. The key is to recognize that you can’t have it all at the same time.” She also gives us hope!
Holding the line is not dramatic. It is controlled. Measured. Repetitive. And exhausting.
Leadership Without Applause
One theme surfaced repeatedly: isolation. Not loneliness, but a form of accountability that cannot be delegated.
Charles Blauner, former CISO of JP Morgan, Deutsche Bank, and Citigroup, framed it in stark terms. “This is the only C-suite role with an active adversary trying to make you fail.”
Consider the structural reality behind that statement. No one runs coordinated campaigns to sabotage the CIO. No criminal marketplace trades exploits designed to embarrass the head of HR. The CISO operates against a persistent, adaptive, well-funded ecosystem whose sole objective is to break what they build. Intent does not matter. Effort does not matter. Only outcomes matter. And when something goes wrong, headlines compress complexity into blame.
That pressure reshapes the role. It forces CISOs to evolve from technologists into leaders who absorb volatility without transmitting panic.
Matthew Mudry, CISO of Alera Group, described his hardest transition in deceptively simple terms: “taking off my tool belt.” He had to stop solving problems himself. He had to trust the people he hired. That shift from operator to leader required more than delegation. It required an identity change.

The technical expert earns credibility by fixing things. The leader earns credibility by building a team that can fix things without them. In a role defined by adversarial pressure, that transition becomes existential. A CISO who cannot let go becomes the bottleneck. A CISO who does let go must motivate, coach, and steady a team working under constant threat.
Yonesy has watched peers collapse under the strain. One colleague suffered a heart attack during legal proceedings. He describes self-care with the same logic CISOs apply to infrastructure. “It’s really difficult to give your best when you yourself are not at your best.” He posed a question that lingered long after the interview ended: when was the last time you checked your own numbers?
Leadership in this role requires more than resilience. It demands disciplined self-management. The operator is part of the system. If the operator fails, the system degrades.
Why They Stay
None of the CISOs we spoke with framed the role as martyrdom. Not one.
They talked about responsibility, protection, and impact. Tyson Kopczynski put it plainly: if the role did not matter, it would not be this hard. That belief runs deep in the community.
Charles Blauner has mentored 66 people who went on to become CISOs themselves, carrying forward a tradition started by Steve Katz, the first CISO in history.
Matt told us he never planned to be a CISO. The role found him the way it finds most people, through a series of choices that felt right in the moment. When we asked him why anyone would want this job, he paused. “I can’t understand why people want to be a CISO,” he said. “I’m trying to make sense of it myself.” Then, without any prompting: “I really do enjoy being a CISO.” Both things were true at the same time. That contradiction is the role.
Branden, asked whether he would relive the worst incident of his career, answered without hesitation. He would do it again in a heartbeat.

They hold the line because someone has to. And because they believe it matters.
Why This Series Exists
CISO: Holding the Line exists to reflect the role as CISOs actually experience it. Not the worst job. Not a cautionary tale. A demanding, consequential leadership role carried by people who choose it anyway.
This is about the people who quietly manage risk when there is nothing to announce. The ones who get the call at 2 a.m. and do not come home for weeks. The ones who absorb the blame when things go wrong and receive silence when things go right. The ones who mentor the next generation even when they are running on fumes.
CISO: Holding the Line premieres in April.
If you are a CISO, this series will feel familiar in ways most content never does.
If you work with one, it will change how you understand the role.
If you depend on one, it will finally make visible what has been quietly carried on your behalf.
They did not sign up for the worst job. They signed up to hold the line.


