An interview is a two-way street. While the company is evaluating your technical skills to see if you can protect their network, you must evaluate their culture to see if you can protect your sanity.
Security burnout is real. It is rarely caused by “too much work”; it is almost always caused by poor management, under-resourcing, and/or political gridlock.
Before you accept an offer in 2026, you need to look under the hood. Here are some questions to ask your future manager to see what life is really like on the inside.
1. “Can you tell me about the last significant incident you handled? How was it resolved, and did the team get comp time afterwards?”
What this reveals: This tests their empathy and their planning.
- Green Flag: They have a specific story, a defined process, and they mention sending people home early the next day to recover.
- Red Flag: They struggle to recall an incident (meaning they don’t track them), or they brag about “working 36 hours straight” without mentioning recovery. This is a “Hero Culture,” and it leads to burnout.
2. “Who does the CISO report to?”
What this reveals: The political standing of the security team within the organization.
- Green Flag: The CISO reports to the CEO, CRO (Chief Risk Officer), or Legal. This suggests security is viewed as a business risk, not just a tech problem.
- Red Flag: The CISO reports to the CIO (Chief Information Officer) or CTO. This is a conflict of interest. The CIO wants to ship fast; the CISO wants to ship securely. In this structure, security often loses budget battles to “feature velocity.”
- If there is no CISO (common in mid-sized orgs):
  - Red Flag: The Security Lead reports to an IT Manager or Help Desk Lead. This implies security is viewed as “maintenance” or “fixing computers,” not corporate defense. You will have zero budget authority here.
  - Green Flag: The Security Lead is a peer rather than a subordinate.
3. “What is the relationship like between Security and Engineering/Development?”
What this reveals: You are checking for friction.
- Green Flag: “Collaborative,” “We are embedded in their sprint planning,” or “We are trying to shift left.”
- Red Flag: Sighs, eye-rolling, or language like “policing,” “enforcing,” or “it’s a battle.” This indicates a culture where Security is the “Department of No,” and you will spend your days arguing with developers rather than fixing vulnerabilities.
4. “How does the on-call rotation work?”
What this reveals: This tests your future work-life balance.
- Green Flag: A rotating schedule (e.g., 1 week on, 5 weeks off) with clear escalation paths and “alert fatigue” tuning.
- Red Flag: “Everyone is kind of always on,” or “We have a small team, so we just handle it as it comes.” This means you will never truly be off the clock.
5. “How is the security budget determined?”
What this reveals: This tests whether they are proactive or reactive.
- Green Flag: “Based on our annual risk assessment” or “A percentage of IT spend.”
- Red Flag: “Whatever is left over,” “It’s tight right now,” or “We usually get money after something goes wrong.” This means they are reactive, and you will only get the tools you need after you get breached.
Discussion
- The “Gut Check”: Have you ever ignored a red flag in an interview and regretted it later?
- The Wish List: What is the one question you wish you had asked before taking your current job?
Sources
- OWASP: CISO Guide to Interviewing
- Dark Reading: 5 Signs of a Toxic Security Culture
- IANS Research: What is the Ideal CISO Reporting Structure?
Burnout in cybersecurity leadership
This video discusses the silent symptoms of burnout in security leadership, reinforcing why asking about “comp time” and “recovery” during your interview is critical for your long-term health.