Nearly every week, a massive data breach, ransomware attack or some other type of security failure grabs headlines across the internet and creates buzz on Twitter and social media.
A quick look at reports such as the Verizon 2019 Data Breach Investigations Report or Emsisoft’s analysis of publicly reported ransomware attacks over the last year shows that these attacks are not likely to stop in 2020.
The result of all this attention to cyber security and the risk it brings to companies, however, is the same: More stress on those chief information security officers (CISOs) who must either stop these attacks before they happen or reckon as effectively as possible with the aftermath and fallout.
CISO Stress on the Job
All C-Level executives suffer from stress, but CISOs and security leaders tend to feel the pressure more acutely, according to a recent report conducted by Nominet and market research firm Vanson Bourne called “The CISO Stress Report - Life Inside the Perimeter: One Year On.”
In the fall of 2019, Nominet and Vanson Bourne conducted 800 online interviews of CISOs and other C-Level executives in the U.S. and U.K. These executives worked in public and private organizations with over 3,000 employees, and were asked about job stress and the toll it takes on their professional and personal lives.
The results show that 88 percent of CISOs consider themselves under moderate or high levels of stress, only a slight decrease from the 91 percent of executives who reported similar results in 2018, according to the report.
This level of stress is one reason why the average tenure of CISOs is only 26 months. That pressure also snowballs into executives’ work/life balance, with security leaders telling researchers that they are working an extra 10 hours a week over and above their contractual obligations.
“Even when they are not at work, they are unable to switch off, and this means their personal lives are disrupted,” stated the report. “CISOs reported missing family birthdays, vacations, weddings and even funerals. They’re also not taking their annual leave, sick days or time for medical appointments—contributing to physical and mental health problems.”
The study also finds that 48 percent of CISOs believe that the stress of their jobs had a negative effect on their mental health over the last year.
Much of the stress and wear-and-tear on CISOs is a combination of internal and external factors, suggested Stuart Reed, vice president at Nominet. There are the attacks coming from the outside in the form of ransomware and data breaches, and then there’s the pressure from the board and other executives to respond to these incidents and answer questions.
“The urgency of today's threat landscape is a pressing challenge for all CISOs. However, it is when this is combined with a need to communicate risk and defense strategies to the board, that stress quickly builds up,” Reed told Dice. “The dual nature of the CISO role, of both technical expert and a board level consultant, means they are being pulled in many different directions. This issue is exacerbated by the fact that the role of the CISO is actually relatively new and evolving, so it is quite ill-defined.”
Coping With Hiring
If there is a small silver lining in the report’s results, it’s that boards of directors have started to see these effects on their security executives: The study finds that 74 percent of board members believe that their CISOs are moderately or tremendously stressed.
For those on the front lines of security, as well as those involved in IT in general, hiring the right support staff—those cyber security professionals, techies and developers who keep the lights on day in and day out—can help relieve some of the stress that builds up over time, said Gary Foote, the CIO of Rich Energy Haas F1.
“It is absolutely critical to have the right team in place, and having a blend of technical expertise and good business acumen is vital. For me, the most important skills to have in my team are solid personal skills, such as level and methodical thinking and keeping calm under pressure, as well as a solid technical background and the ability to work well within a team towards common objectives,” Foote told Dice. “This balance of skill types ensures we’re able to take a wide ranging and holistic view to proactive security. If incidents do occur, these blended skills help quickly mitigate any breach, with effective communication and collaboration ensuring maximum efficiency in the process.”
Another way to alleviate some of the stress on CISOs is to know more about the business and the risk that executives such as the CEO and CFO are willing to take.
While technical know-how is a must, Cath Goulding, the CISO of Nominet, believes that security leaders need to have an open dialogue with their boards and corporate leaders, which can help create a joint sense of responsibility for cyber security.
“While I have to be responsible for the security within Nominet, there is a wider discussion around risk and investment that needs multiple different stakeholders,” Goulding said. “From a more human perspective, generating awareness around the stress faced by many in IT is also important. The more appreciation the wider business has for the issues faced by CISOs, the more work can be done to improve the situation so that they can work to the best of their abilities and the business can truly become more secure.”