Today’s Chief Information Security Officer (CISO) is often tasked with an extensive list of strategic and high-priority IT and security responsibilities. CISOs may need to establish a cyber security framework, lead an infosec team, manage the technology stack, oversee compliance, ensure security aligns with business objectives, and so much more.
And while stress is common for those in leadership roles, CISO burnout is becoming a critical issue. In fact, the average CISO tenure is estimated to be 18-26 months — far shorter than that of other C-suite roles.
This is unfortunate news for the overwhelmed CISO as well as the security of the organization. Excessive stress can make it hard to concentrate or carry out tasks, harming job performance and potentially leading to a weaker security posture.
With so much at risk, let’s highlight a few causes of CISO burnout and ways to manage the pressure.
Why is CISO burnout common?
The pressure of a continuously evolving threat landscape
The CISO role has become increasingly complex and demanding in recent years.
Not long ago, the job may have included putting up a firewall, installing antivirus software, and advising employees to use strong passwords. Then we started bringing new technology into the workplace.
More computers, tablets, and phones. Bluetooth-connected keyboards. Smart printers. Virtual private networks (VPNs). Web-based applications and cloud services. The list of new technology is long and grew substantially last year in the hurry to enable remote work.
However, as new users, technology, and connections are introduced, the threat surface expands, increasing the number of attackable points and overall risk.
Meanwhile, cyber threats continue to grow in both volume and sophistication. The new cybercrime-as-a-service (CaaS) economy allows anyone to buy or rent phishing and exploit kits, stolen account credentials, ransomware services, malware, and much more. The rise of this marketplace means more people can launch an attack.
As the threat landscape expands, so does the CISO job description. But the amount of cyber risk is becoming unmanageable, requiring infosec teams to work overtime and be available at virtually all hours of the day. And with governance, risk, and compliance becoming increasingly important, CISO burnout is all but inevitable.
The cyber security talent shortage
In early 2020, ISACA (formerly known as the Information Systems Audit and Control Association) published new global research on cyber security workforce challenges. More than 60% of the 2000+ survey respondents said their organization’s cyber security team is understaffed, and 57% reported having unfilled positions.
As strategic leaders, CISOs rightfully want to build a team of skilled, qualified professionals. However, the industry is experiencing a significant talent shortage, which has left a shallow hiring pool. Whittle the search down to only candidates with formal training and years of on-the-job experience, and your options may shrink even further.
When a role is left vacant, the pressure falls on the rest of the department — including the CISO — to take on more responsibility. Picking up that extra work can weigh down the whole team, especially if the vacant position requires specific technical know-how.
Not enough tools (or spending on the ones that don’t solve challenges)
Budget is another issue. Recent reports suggest that most CISO budgets are not rising fast enough. Effective cyber security solutions can automate time-consuming tasks, but the challenge is finding the right technology for your needs — and at the right price.
And even with a healthy cyber security budget, building the right stack isn’t easy. Last month, we dove into the four things to consider when assessing cyber security vendors and their solutions:
- Scalability — how will the technology adapt to your changing needs?
- Completeness — how comprehensive is the solution’s approach to security?
- Expertise — how experienced is the team backing the solution?
- Time — how will the solution free up time in your busy schedule?
For security leaders that already feel stretched thin, a demanding stack can make things worse.
Trying to meet evolving expectations
Today, a CISO needs to be a jack of all trades. They’re expected to be technical and cyber security wizards with a solid grasp of software engineering and programming, network infrastructure management, and security forensics. Ideally, they’ll also bring a solid understanding of compliance and the increasingly complex regulatory environment. Strong leadership, communication, and critical thinking skills are part of the role as well.
But that’s not all.
Cyber security has become an area of concern for executive teams and boards. Due to the soaring costs of a public data breach, CISOs are often expected to achieve “zero risk” — a tough goal for any security department.
When leadership views security incidents as major failures, it can add to CISO stress and impact job satisfaction.
Symptoms of burnout
Anyone continually exposed to high levels of stress can experience burnout — a state of emotional, mental, or physical exhaustion. Unlike stress, where the person may be overreactive and hyperactive, someone suffering from burnout may begin to disengage.
According to the experts at the World Health Organization (WHO), burnout is an occupational phenomenon, and symptoms are likely to include:
- Feelings of energy depletion or exhaustion
- Increased mental distance from, or negative feelings toward, one’s job
- Reduced professional efficacy
These symptoms negatively impact the person’s mental and physical health, affecting the ability to work and worsening the situation.
Fortunately, there are ways to reduce CISO stress and prevent burnout.
Five tips to prevent CISO burnout
Preventing CISO burnout is a shared responsibility for everyone in the organization, but here are a few things you can do:
1. Think outside the box to grow your team
We recently ran a poll of CISOs in our network about their biggest work-related stressors. More than 30% of those who responded said that building a cyber team was their main concern.
Hiring fully trained, highly qualified cyber security experts isn’t the only way to establish a strong infosec team. Think outside the box — train and upskill existing employees who are eager to learn. Using a cyber range, you can deliver realistic security education and training, deploy scenarios that meet your exact needs, and track learning outcomes.
Or leverage third-party experts.
By relying on an experienced cyber vendor, a managed service provider, or a combination of both, you can close the skills gap and access the expertise you need to secure your operations. You can even complement this with a virtual CISO service to get on-demand or longer-term support delivered by an experienced security team.
2. Foster a security-first culture
Cyber security isn’t only a job for the CISO and staff. In fact, employees are the first line of defence against cyber threats. Equipped with the right tools, like The 2021 Employee Cyber Security Handbook, employees can bear some cyber security responsibility and alleviate CISO pressure.
3. Recognize the signs of burnout
Don’t wait until it’s too late. Burnout may not come on suddenly — in fact, there are twelve phases of this stress syndrome.
It’s important that you’re able to recognize the early warning signs.
4. Set aside time for health
Don’t wait until you notice any red flags to practice good, healthy habits. Exercise, sleep, and a nutritious diet help improve both physical and mental health, so you’re better equipped to take on your critical responsibilities.
5. Set reasonable expectations
Make sure you set reasonable cyber security goals. CISO stress can stem from unclear, undefined, or unrealistic expectations. Clarify your priorities and overall cyber security strategy with the rest of the leadership team.
The CISO role is definitely challenging, especially with a threat landscape that never stands still. Sign up for our newsletter for helpful insights about emerging risks, cyber security tips, webinar invites, and much more.