Another source of stress is that the job itself has changed dramatically over the past decade, said Tammy Moskites, CISO and CIO at Salt Lake City-based Venafi. She had previously served as the CISO at Home Depot -- before their big breach -- and at Time Warner Cable.
"It used to be about locking everyone out," she said. "Our metrics were all about how many viruses you blocked out."
But recently, CISO have had to deal with regulatory compliance and other business areas.
"The burnout of CISOs occurs when they're not qualified to work in these new areas," she said.
"In general its very difficult to find qualified CISOs that have more than just the technology, but the business background they need to be successful," she added. "And they're going to become harder and harder to find."
It's also hard to find qualified seniors managers, she said.
"We have a zero unemployment rate in the profession right now," she said. "It's hard for us as CISOs to find good people to work under us. And the CISO who tries to do the whole job themselves is the one who gets burned out."
To fight the unbeatable foe
Given the variety of cyberthreats faced by enterprises today, combined with the human failings of employees, it is unrealistic to expect that a company can have perfect security and never be breached.
CSO should be evaluated based on how much they've decreased a company's overall risks, and at what cost.
But that is a difficult metric to calculate. Meanwhile, the details of the latest breaches are conveniently available in the news headlines.
Accoding to IDC, 12 percent of CISO surveyed said they believe they would be fired after a breach.
"I do agree that some of my colleagues do operate under the 'was there a breach' metric," said Kyle Kennedy, CISO at Cyber Security Network LLC, an infosec staffing firm.
"They often must take the blame for the security breach, even though there could be a million reasons why it wasn't their fault," he added.
Those reasons include lack of staffing or funding, or a lack of senior leadership support for security, he said.
While some CSOs are finding ways to communicate security risks in business language to their boards and other senior executives, others actually make the situation worse, he said, by making comforting but unrealistic promises.
"Quite often that is the mentality of many CISO’s and CSO’s to their business leadership," he said. "We will be 100 percent secure. We will note have a breach. The phrases go on and on."
CISOs need to have a clear conversation up front with their boards and senior executives about what the company will do in the case of a major breach, said Todd Bell, CISO at Los Angeles-based consulting firm Intersec Worldwide, Inc.
Sign up for CIO Asia eNewsletters.