A new global study of cybersecurity professionals has revealed the true extent to which the stresses and pressures facing the average CISO impact upon both professional and personal life. It should come as no surprise that stress is part of the job description for the CISO, and every one of the 408 questioned for the Life Inside the Perimeter: Understanding the Modern CISO report, commissioned by Nominet, said they were indeed experiencing stress. However, that 17% said that they had turned to medication or alcohol to help deal with that stress should be a statistic that shocks us all.
Stress is undoubtedly playing a part as far as the decline in the mental health of the modern CISO is concerned; 91% of the CISOs surveyed said the levels of stress they were suffering were moderate or high and 60% rarely disconnected from their work role. That 88% worked more than 40 hours per week isn’t a shocker, nor the 27% that work up to 60 hours, but with 1 in 5 being available 24/7 and 89% of U.S.-based CISOs never having had a two-week break from their job, the true extent of this disconnect problem becomes clear.
So, where does this stress that is hitting the CISO so hard come from? Largely the lack of engagement with the C-Suite and the board would appear to be the answer. The Nominet research found that only 52% of CISOs felt executive teams valued the security team, at least from the revenue and brand protection perspectives. Nearly 1 in 5 (18%) said that board members were ‘indifferent’ to the security team and even considered them an inconvenience. Engaging with the C-suite has historically been something of a mountain for the CISO to climb, but one would have hoped that in the cybersecurity-aware environment we work in today that had changed. It would appear not. Only 60% of CISOs felt that the CEO agreed a breach was an inevitability, something that 99% of cybersecurity professionals will likely insist is the case. Think that’s bad enough? Wait for this: a third of CISOs think that if a breach occurred they would face an official warning or lose their jobs. The U.K. (37%) is slightly worse than the U.S. (28%) in piling this pressure onto the CISO role.
I’m not even going to start down the road of lack of resources being responsible for a less than satisfactory security posture or the skills gap for that matter. Both are well-known issues within security teams at organizations the world over. I’m more concerned about the stress levels that CISOs are experiencing as this feels much more like a hidden problem, a crisis in waiting.
“It’s no surprise that CISOs are facing burnout,” Russell Haworth, CEO at Nominet, says, continuing: “many lack support from within their organizations and senior business leaders need to face the facts: the threats are real and CISOs need to be given the resources and support to tackle them.” Support, both in terms of physical and mental health, is one of the things that never really seems to get talked about much when it comes to the C-suite. Once you have climbed to that level of leadership within the business you are seen as being somehow immune to such things. This has got to change if we are ever to reduce the skills gap in the cybersecurity world, if we are ever to attract and more importantly retain the right caliber of individual to lead a business through the threatscape. The retention problem is evidenced by the research, which suggests the average job length for a CISO is now less than three years for 55% of those taking part, less than two years for 30%.
“It is of paramount importance that we address organizational stress and extra emphasis ought to be paid to CISOs,” warns Dr Dimitrios Tsivikos, consumer and business psychologist at University College London, concluding that CISOs left in an emotional limbo “poses a clear threat to an employee’s well-being, a fact that has ramifications for a CISO’s productivity, vigilance and overall performance.”
A cultural change needs to happen at board level, Russell Haworth insists, adding “to really empower security leaders, cybersecurity must be reclassified as a strategic, business-critical function and have a solid seat at the table instead of the current lip service many appear to be paying it.”
Original Source - Davey Winder, Forbes Magazine Online