Maksim Kabakou - Fotolia
Security Think Tank: CISO stress – moving from recognition to action
Cyber criminals are enjoying a boom during the Covid-19 pandemic, and security teams are working overtime as a result. How can security professionals manage their increased workload, safeguard their mental well-being and avoid burnout?
Protecting a company from constant cyber attack is not easy, and chief information security officers (CISOs) are very aware of the challenge they face. Combined with the fact that many CISOs believe they are not getting enough support from the board, this can result in a significant amount of stress.
In our report released earlier this year – CISO stress: Life inside the perimeter: one year on – we spoke to CISOs for the second year running to find out what their stress levels are, what impact this has had on their lives, and what the relationship with the C-suite is like. The results indicated a much worse picture than we might have thought.
Our research showed that stress is now taking a greater toll on CISOs’ mental and physical health, as well as their personal relationships. Even when they are technically out of the office, only 2% of CISOs said they were always able to switch off. Adding to that, 83% said they spent half their evenings and weekends or more thinking about work, blurring that line between personal and work lives even more.
A lack of work-life balance is one of the key components that contributes to work stress, so trying to fix this is imperative.
Part of that is a work culture shift: 39% of CISOs said they found long hours to be one of the most stress-inducing parts of their job. Adding to that, 95% said they worked more than their contracted hours, with 59% of CISOs working an extra 10 hours or more per week.
Looking at the average British CISO who earns £88,324, this means they give their employer £19,873 of unpaid work a year. Perhaps not surprisingly, the report found that they would sacrifice £7,509 a year for a better work-life balance.
Overall, 88% of CISOs considered themselves to be under moderate or high stress – only slightly down from 91% last year – and we can see why. Although there have been positive steps in mental health and stress-related issues, actually implementing and making changes has, arguably, not received as much attention as needed.
The short-term tenure
This stress could also be why CISOs have a shorter tenure. In fact, the average CISO stays in their role for just two years. This high rate of turnover becomes a vicious circle as professionals burn out and switch to new careers, exacerbating the skills shortage.
As well as the risk to the CISO’s own mental and physical well-being, burnout is also bad news for companies because it means they could miss a threat or security issue, and have to constantly be on a recruitment drive for the next CISO.
Improving mental health and well-being at work would therefore not only improve the life of the CISO, but also benefit the security of the entire organisation.
The c-suite and the CISO
These high levels of stress are not lost on the C-suite – 74% of the board say they believe their security team to be moderately or tremendously stressed. Taking all that into account, it becomes difficult to understand why 97% of the C-suite still want the CISO to deliver more value to the business, despite the stress they know they are under.
It is understandable, then, that CISOs say the most stressful part of their job is the responsibility of securing the business and network – slightly ahead of the long hours. This burden of responsibility and a perceived lack of support from the board, coupled with the long hours, only adds to CISO stress.
It is widely accepted that a security breach, at some point, is inevitable. Also, given that new technology and digital transformation are expanding our surface area of attack, new ways for hackers to exploit vulnerabilities are opening up. That said, 24% of CISOs said their board didn’t believe breaches were inevitable and 24% of C-suite respondents agreed.
The kicker is that 31% of the C-suite believe the CISO is ultimately responsible for the response to a security breach. With their jobs potentially on the line – 20% of CISOs believe the executive team would fire them if a breach happened, whether it was their fault or not – it is not wonder they are so stressed.
Talking about mental health and stress has come on leaps and bounds, but more action needs to be taken if we are to support our CISOs properly. While CISOs are essential to the continued running of a business and cyber health, the C-suite needs to recognise that cyber security is a collective responsibility.
We have made the first crucial step in solving the stress crisis among CISOs – having the conversation. In the next step, we should look to rectify some of these drivers of stress.