CISOs weathered the pandemic well, but at personal cost

Despite a surge in cyber attacks and other security incidents, the chief information security officer (CISO) community appears to be generally satisfied with their performance during the course of the Covid-19 pandemic. Indeed, 88% say their existing security capabilities weathered the storm with little negative impact seen on their organisational capabilities.

This is according to a study of members of ClubCISO, a 500-strong private members forum of security leaders, which has just released its eighth annual Information security maturity report. The report seems to show that years of innovation and hard work from security professionals has paid off in the past 12 months. In fact, the pandemic had less of an impact on its members than might, at first, have been anticipated.

Stephen Khan, chair of ClubCISO, commented: “This year, our ClubCISO Information security maturity report highlights some significant improvements to global business security functions and improvements to organisations’ security culture.

“Though the pandemic has increased the risk of security breaches, with more sophisticated and numerous attacks taking place, security teams have adapted well and have used the unprecedented situation brought about by the pandemic to highlight the importance of security and increase their organisations’ understanding of it.”

However, the report also showed that this resilience came at a steep cost in human terms, with new ways of working and fragmented, understaffed teams piling unprecedented levels of pressure on security professionals, making stress and burnout an even more pressing issue for the community than it was before Covid.

Over 60% of the CISOs surveyed for the study said they had experienced an increase in stress over the past 12 months, and detailed similar feelings among their direct reports. Even now, as restrictions ease in many countries thanks to the success of vaccination programmes, 6% reported that their team was experiencing “unbearable” stress, and 36% believed the stress their teams were under was having a damaging effect on their ability to perform as the organisation needs.

Skills and resourcing shortages were also amplified during the pandemic, and understandably are also a big contributor to stress and poor mental health among security staff. Just under half (45%) of respondents said skills and resourcing problems greatly contributed to their stress levels, and just over half (53%) said staff shortages were a key issue stopping them from delivering against this.

ClubCISO said it was clear that stress remained a problem for the security community, and that it was imperative that employers work with their CISOs and security teams to try to address this.

Manoj Bhatt, ClubCISO advisory board member and head of cyber security advisory at Telstra Purple, said: “Given today’s unrelenting threat landscape, CISOs have arguably the toughest job on the organisational chart.

“CISOs have arguably the toughest job on the organisational chart. They must be available to many different departments and remain ahead of the curve in an ever-changing threat landscape, across all areas of cyber security”

“The CISO must be available to many different departments and remain ahead of the curve in an ever-changing threat landscape, across all areas of cyber security. This causes added stress which will filter down to members of the team.”

In spite of skyrocketing pressures, the report also found security professionals tended to be fairly positive in their thinking. For example, 78% of respondents either agreed or strongly agreed with the statement, “I love my job”.

As noted, this positive sentiment extended to their organisational security performance, with improvements noted in both culture and resilience. With the benefit of hindsight, the vast majority said their security capabilities had held up during the pandemic, and many also thought the Covid-19 crisis had delivered a “unique” opportunity to drive change in their organisations, and reinforce – or in some cases establish – cyber security as a key function.

As proof, 55% of CISOs said their boards took a balanced view of security, prioritising both incident prevention and response equally, up from 38% this time last year. Furthermore, 86% of CISOs said their organisations now viewed security as being as important as they did, up from 65% before the pandemic.

ClubCISO’s report also noted how the pandemic had reinforced the need for strong cyber security and demonstrated many tangible improvements that show CISOs are performing effectively at making their organisations safer. More security leaders said they had driven measurable improvements in security training and felt more comfortable that people were listening to them.

Nearly 70% of respondents agreed that their organisations had a positive security culture, a huge jump from 45% in 2020, and 61% said their organisations were either making progress towards, or already exemplified, cyber best practice, up from 39% last year.

CISOs did, however, acknowledge issues in organisational culture and team subcultures as a potential blocker to their agenda, with 43% of respondents saying they were concerned that organisational culture negatively affected their ability to deliver against objectives.

Bhatt said: “It’s encouraging to see that security is being taken even more seriously than before. Accelerated digital transformation during the pandemic has allowed projects to move at a faster rate, such as security awareness programmes, enabling remote access and security monitoring.

“Confidence in the ability to meet security objectives has improved against last year, too. Board members are realising the importance of balancing prevention and response capability, although it remains to be seen whether this has become an enduring sentiment in the boardroom. CISOs and board members must now continue to work and maintain those relationships beyond just crises and emergencies.”