An eye-popping 82 per cent of executives in a chief information security officer (CISO) role feel burnt out, with nearly two thirds thinking of either leaving their job or quitting the industry altogether, according to a report by Goldsmiths, University of London.
The number-one cited source of stress is the need to comply with regulations, such as the European Union’s General Data Protection Regulation, with two out of five respondents worried about being held responsible in the event of a security breach.
But there is also deep concern about everything from skills shortages and the size and complexity of IT environments to the ever-growing volume of threats.
What is causing CISO burnout?
So what is going on here? Are things really as bad as they would appear, with those in the CISO role on the verge of a mass walkout? Or are they simply being melodramatic and overreacting to the everyday pressure that comes with a high-level position?
For Amanda Finch, chief executive of the Chartered Institute of Information Security, neither scenarios ring true. While she is sceptical that the levels of stress burnout and disaffection are quite as bad as the figures would suggest, she believes people are undoubtedly feeling stretched and require more support.
“The situation’s definitely not great,” says Finch. “Most CISOs are stressed and are working at very high levels, so if they’re not burnt out, they’re probably working towards it. There’s certainly a big problem there and this report is highlighting that.”
However, she adds that most CISOs are very committed to what they do, which means more than anything she views the findings as a “signal of their frustration and desire to be heard as it’s a very challenging role”.
Anthony Young, director of information security specialist Bridewell Consulting, agrees. While he believes most people in the CISO role are unlikely to switch career paths entirely, the frustration they experience does tend to lead to a “fairly high degree of churn” in the hope that life will be better elsewhere. It’s a scenario that can prove expensive in recruitment terms for their employers.
Coping with the challenges
“The job of the CISO is extremely stressful, especially considering the cyberthreat landscape, the risk of attack and the increasing sophistication of cyberattackers,” he says. “However, the CISO’s job is made even more stressful by a lack of budget and support at board level.”
Both are imperative if security bosses are to be in a position to build the team they need around them and to implement an effective risk-based strategy supported by adequate tools and policies. But the problem is all too often organisations bring CISOs in to “appease regulators, shareholders and customers without granting them the necessary power of mandate and resources” to perform their role adequately, says Young.
This situation is also not helped by the cybersecurity industry’s skills crisis, coupled with a lack of desire, in some instances, to pay the high sums necessary to hire scarce expertise. While such skills gaps are undoubtedly worse in areas where specialist technical know-how is required, such as penetration testing or cloud security, the difficulties involved in finding experienced talent are across the board.
As a result, most CISOs have vacancies in their teams they struggle to fill, which simply adds to the pressure of them having to be both constantly available and being held accountable for situations that are not always under their control.
Therefore, to try to address the issue and help those in a CISO role “get off the merry-go-round”, Finch recommends widening the potential talent pool beyond trained individuals, who can hit the ground running from day one.
Most CISOs are stressed and are working at very high levels, so if they’re not burnt out, they’re probably working towards it
Instead she suggests targeting people with transferrable skills, who could benefit from cross-training. An example includes reskilling individuals with analytical expertise, such as business analysts and project managers, as risk managers.
Another potent means of helping to reduce workloads and take the pressure off is for the board to sponsor, and invest in, security awareness training for the workforce as a whole to make it clear that everyone, not just the CISO, is responsible for organisational safety.
Everyone working together
Azeem Aleem, vice president of consulting at NTT Security, explains: “It’s about everyone working with the CISO to protect the organisation. Otherwise, security controls are bypassed as people see them as a hindrance, and so they unwittingly make themselves and the organisation vulnerable.”
But just as vital is that senior executives and those in the CISO role find ways to communicate with each other more effectively. For members of the board, this involves explaining what they need to know and helping their CISOs to express security risks in more of a business and operational risk context, not least to understand the support they require.
For CISOs, on the other hand, it is less about discussing individual security breaches and more about clarifying how such incidents could affect the business, its ability to function and the bottom line. It is also important to explain how cybersecurity can act as a business enabler.
Haroon Malik, cybersecurity consultant and strategist at Fujitsu UK and Ireland, explains the rationale: “It’s about digital trust. If cybersecurity is intertwined with new product development, customer trust is heightened. Ten years ago, people didn’t care, but some companies won’t do business with you now if you can’t prove you’re taking security seriously.”
Once CISOs can carve out some space and move beyond their usual firefighting mode, it frees their time up to develop a more strategic risk-based approach to activities, thus creating a virtual circle.
As Aleem points out, even though there will never be such a thing as 100 per cent security, CISOs are currently made liable and accountable for securing everything in the organisation, which results in high levels of stress as they attempt to mitigate every risk.
But he concludes: “It’s much more effective to adopt a risk assessment approach. The idea is that if you can identify your crown jewels, you know what to protect and where to focus your budget. If you don’t, you just end up running around like a headless chicken and that’s way burnout lies.”