Marc Menninger

7.4K posts

@MarcMenninger

Building enterprise security programs that actually work | 20+ yrs cybersecurity | CISSP, CRISC | LinkedIn Learning (238K viewers) | Cyber Program Blueprint

Take the course:
Joined December 2010
1.2K Following · 5K Followers
Marc Menninger @MarcMenninger
The CISO role has a dirty secret.
69% of CISOs are actively looking to leave. Not for better pay. For sanity.
Here's what they say: audits, board updates, vendor questionnaires, regulatory deadlines - all arriving in parallel, all urgent, none with any off-ramp.
Meanwhile they're still seen as "the security person," not a business executive. Higher title, same broken structure.
This isn't a retention problem. It's a design problem. The role hands you enterprise-level accountability, then starves you of the influence to act on it.
If you're new to security leadership, understand this BEFORE you take the job - not after you're six months in and exhausted.
Know what you're walking into. Ask hard questions before day one. And build systems that give you breathing room, not just a roadmap.
The ones who survive long-term aren't the most technical. They're the ones who protected their capacity to think clearly.
Marc Menninger @MarcMenninger
CISO turnover hit 15% in 2025 (up from 11% in 2024). Average tenure: 39 months. 77% fear getting fired after a breach.
Here's what nobody tells you: You can do everything right and still lose your job.
Why? Because security leaders are judged on outcomes they can't fully control.
The solution isn't perfect security. It's documented risk communication.
When leadership understands:
• The risks you flagged
• The resources you requested
• The tradeoffs they accepted
...they can't blame you when incidents occur.
Paper trail > perfect posture.
Marc Menninger @MarcMenninger
@AlexFinn Entry-level human workers are competing against an AI workforce.
Alex Finn @AlexFinn
I'm building something world-changing
I'm building the first ClawdBot AI agent company. Doing work for me 24/7
Right now 2 employees are in office (local on a Mac Studio) and 2 are outsourced (Opus 4.6 and Codex 5.3)
The 2 local employees (GLM 4.7 and GLM 4.7 Flash, my senior and junior research assistants) work for me 24/7. They do not eat, they do not sleep, they do not complain, they do not require insurance.
All they cost me was an upfront lifetime $20,000 contract (2 Mac Studios w/ 512GB memory and 4TB SSD)
Not bad compared to the human candidates I interviewed that would have cost me $100,000 a year
Henry, my Chief Strategy Officer outsourced from Anthropic, manages all of them. He's lucky. He doesn't have to work so hard with the local employees doing most of the heavy lifting.
My senior developer from OpenAI is rather cheap, although outsourced as well. I hope to replace him with a local employee Kimi in the next week.
While I sleep tonight, they will be working. While I watch the Patriots win the Super Bowl tomorrow, they will be working.
They will be scrolling X and Reddit, finding challenges to solve, and building software. Without any oversight at all.
This is Alex Finn Global Enterprises.
I will set up a website for the business in the coming days so you can watch everyone work in real time.
I'm confident nobody else in the world is building anything like this. A first of its kind autonomous, 24/7 workforce
Welcome to the future
Marc Menninger @MarcMenninger
Most breach notifications are probably useless.
New report shows 70% don't explain how it happened - just that it did.
CISOs spending millions on compliance theater while missing the actual lessons.
Maybe we should focus on the uncomfortable truth: incident response without root cause analysis is just expensive cleanup.
Marc Menninger @MarcMenninger
Quantum computing will probably break encryption within the decade, but most orgs haven't figured out what encrypted data they have.
My advice: before post-quantum panic, start with data inventory.
Marc Menninger @MarcMenninger
15% of CISOs switched jobs last year. Half of them didn't even get a pay raise.
Think about that for a second. In a market supposedly desperate for cybersecurity talent, experienced CISOs are moving companies for lateral moves.
Why? They're probably just moving from one dumpster fire to another. Same problems, different company logo.
Marc Menninger @MarcMenninger
7️⃣ Final Takeaway
🔑 Access reviews reduce risk, boost compliance, and force teams to think critically about who has access to what and why.
✔️ Start small
✔️ Focus on impact
✔️ Make it a habit
📌 Bookmark this thread if you’re building your review process or prepping for an audit.
💬 How often does your org review access? Monthly? Quarterly? Never? Let’s talk 👇
Marc Menninger @MarcMenninger
6️⃣ How to Make It Happen (With Minimal Hassle)
✅ Pull reports from your IAM or HR system
✅ Highlight high-risk users first (admin, elevated, contractors)
✅ Pre-fill recommendations: Keep, Remove, Review
✅ Set a due date and follow up
Add a dashboard if you want to be fancy. But emails work too.
Marc Menninger @MarcMenninger
🧾 Access Reviews: Why They Matter and How to Get Them Done
Most orgs say they do access reviews. Few do them well. Fewer do them consistently.
If you want to reduce risk, pass audits, and avoid awkward breaches, this thread is for you. 🧵
Marc Menninger @MarcMenninger
Great question, @LubosKolouch! I think it’s about weaving proactive habits into the daily routine, such as regular vulnerability scans or monitoring, while keeping reactive processes, like incident response, ready to go. It’s a 70/30 split: 70% proactive to stop threats early, 30% reactive to handle what slips through. What do you think?
Lubos Kolouch @LubosKolouch
@MarcMenninger Love the quiet victories angle—so real. How do you think teams balance being proactive vs reactive in that daily grind?
Marc Menninger @MarcMenninger
What does success in cybersecurity look like?
It's not about big wins or public praise. It's about staying ready, preventing chaos, and leading with discipline when no one’s watching.
Check out my article to see why real security leadership looks more like quiet victories than glory. 👇
Marc Menninger @MarcMenninger

x.com/i/article/1911…

Marc Menninger @MarcMenninger
🔑 Final Takeaway: Access control is one of the highest-impact areas you can clean up - if you take it seriously.
✔️ Least privilege
✔️ Timely reviews
✔️ No shared accounts
✔️ Scoped, contextual, accountable access
📌 Bookmark this thread to tighten your access strategy.
💬 What’s the one access control practice you think every org should adopt? 👇
Marc Menninger @MarcMenninger
7️⃣ No Ownership or Accountability
Who owns access reviews for Salesforce? For GitHub? For that legacy database? If it’s “nobody” or “just IT,” that’s a problem.
✅ Fix it: Assign business owners to key systems. They know who should have access - and who shouldn’t.
Marc Menninger @MarcMenninger
🔐 The 7 Most Common Access Control Mistakes (And How to Avoid Them)
Access control isn’t glamorous, but it’s one of the biggest sources of risk in every organization.
Here are the mistakes I see most - and how you can fix them before they lead to a breach. 🧵