A quarter of chief information security officers (CISOs) polled in the UK and US suffer from physical or mental health issues because of stress, with just under one in five turning to alcohol or medication, and more than half failing to switch off from their work, research has revealed.
Almost one-third of just over 400 CISOs polled fear for their jobs as cyber attacks continue to threaten their organisations, while other board members do not recognise the inevitability of an attack, according to a study commissioned by the .uk domain registry, Nominet, which recently launched a cyber security division.
More than half of respondents feel they do not have enough budget or resources to deal with the growing threat landscape, as they struggle to spot existing vulnerabilities within their business, according to the study, which aimed to examine the external and internal stresses and pressures facing a modern CISO.
The report found that every CISO is experiencing stress in their role. Almost all (91%) say they suffer moderate or high stress, and 60% say they rarely disconnect from their job.
They are also working long hours, with 88% working more than 40 hours a week, and 22% saying they are available 24/7. The US CISO is particularly bad at disconnecting, with 89% saying they never have a break from work for two weeks or more.
All of this is causing a physical response, with 26.5% of respondents saying stress is affecting their mental or physical health, 23% saying the job is eroding their personal relationships and 17% admitting to turning to medication or alcohol to deal with job-related stress.
Pressure from within
Only half (52%) of the CISOs said they feel the executive teams value the security team from a revenue and brand protection standpoint, while 18% believe their board members are indifferent to the security team, or see them as an inconvenience.
Only 60% of CISOs believe their CEO agrees that a breach is inevitable. This, coupled with the fact that nearly one-third (32%) of all those questioned believe that, in the event of a breach, they would either lose their job or receive an official warning, adds significant individual pressure from within the business.
This is worse in the UK, where 37% of CISOs polled believe they would receive a warning or be fired, compared with just 28% in the US.
Despite awareness about the pervasiveness of cyber threats, 60% of CISOs questioned admitted to having found malware on their infrastructure which had been there for an unknown period of time. The average length of time for discovery was 14 days, which the report said allows plenty of time for data to be exfiltrated and sold on or exploited.
More than half of the CISOs (57%) believe a lack of resources is holding back an effective security posture, and 63% said they were struggling to recruit the right people.
Echoing the internal pressures, CISOs also said a lack of senior buy-in to the problem is an issue, with 65% saying this is a barrier within their organisation.
There is also a budget deficiency, with only 43% of respondents saying they have an adequate, or very adequate, budget to tackle cyber attacks, and only half (51%) think they have adequate or very adequate technology.
Russell Haworth, CEO at Nominet, said CISOs around the world are facing mounting pressures amid a rapidly shifting cyber landscape. “Criminals are forever finding ways to exploit vulnerabilities, and do not discriminate against the businesses they attack. Everyone is a target,” he said.
“It’s no surprise that CISOs are facing burnout. Many lack support from within their organisations, and senior business leaders need to face the facts: the threats are real, and CISOs need to be given the resources and support to tackle them. If not, the board must face the consequences.
“The risk is not only personal to a CISO, but to a business’s hard-won reputation. The growing economic cost is also a worrying trend. A recent report put the cost of global cyber crime at $600bn in 2017. With that cost likely to rise in the future, we must all work harder, and cooperatively, to mitigate potential losses by having the right strategy, tools and resource in place to prevent breaches in the first place.”
Dimitrios Tsivrikos, a business psychologist and lecturer at University College London, said is it of “paramount importance” to address organisational stress.
“Extra emphasis ought to be paid to CISOs,” he said. “As a group of employees, they are faced with overwhelming pressure. Errors in their judgement, caused by excessive work-related stress, can indeed have detrimental effects on business and personal data.
“In addition, individuals who are stressed at work are often not living their best lives privately, either. Most of us find it difficult to suppress the pressures from work, and they do indeed spill over into our private life. This poses significant health-related threats to personal wellbeing as individuals rely on alcohol and other non-constructive behaviours in order to relax and find relief from those pressures.”
Writing in the report, Haworth said a cultural change is needed at board level. “To really empower security leaders, cyber security must be reclassified as a strategic, business-critical function and have a solid seat at the table instead of the current lip-service many appear to be paying it,” he said.
Responsibility for ensuring this happens lies on both sides of the equation, said Haworth. “CISO and management team alike must have an open dialogue. This will, in turn, foster transparency and understanding.”
According to Haworth, a CISO who is afraid of losing his or her job when the inevitable happens is stressed and, ultimately, less effective.
“However, in a collaborative environment where the risks are well understood, not only will they have confidence to do their job effectively, but they will have a greater chance of receiving the resources required to perform,” he said.
As well as investing in the necessary technology and extra headcount to reduce stress levels, organisations should not overlook investing in the personal wellbeing of CISOs, said Haworth.
“Progressive organisations should ensure HR teams recognise this and are able to provide sufficient resource to address the strains of operating on the front line of the modern threat environment,” he said.
“Finally, whatever a CISO believes about AI [artificial intelligence] and automation, done correctly it has a role to play in reducing stress by making workloads more tolerable. With increasing threat datasets, human monitoring will only ever either become overloaded, or cross a cost/benefit line. Neither is sustainable.
“Successfully using automation lies in the details, from being selective in the choice of suppliers to ensuring any new deployment is ‘trained’ correctly before being put live. CISOs who are given the time and budget to do so, will reap the personal benefits from decreased stress and, as we have seen, security posture will improve as a result.”