Continual cyber-threats, security updation and the constant need to justify their budgets has been building up pressure on CISOs, said research by Thycotic. The average CISO role lasts approximately 18 months, mental illness and stress are increasing among them and many face burnout, said the report.
More than 500 IT security professionals from the UK, USA, Germany, Australia and New Zealand were asked on how they measure success and their impact on overall business success. "Being valued by the company and meeting performance targets set by the board are the top definitions of success, while lack of skilled team resources is most likely to act as a barrier to achieve such successes," said the research report.
More than half of the survey respondents said they struggle to align security initiatives to business goals. Lack of skilled resources, security breaches being out of control and lack of security budget were the top three obstacles to achieving business goals, said the respondents.
Tackling these issues lead to the bigger issue of obtaining the right budget. CISOs face many hindrances while beefing up the cyber-security of their firms, but the issue of budget towers above all, SC Magazine UK reported in June.
A report by the Boston Consulting Group (BCG) earlier this year said the question "are you spending enough on cyber-security?" puts business leaders in a difficult position. "A ‘yes’ will leave you precariously positioned if—or when—your cyber-security falters. Say ‘no’ and you’ll likely trigger a scramble to purchase something—anything—that can reverse that answer and protect you from the perception of negligence," said the report.
"Many CISOs have become security enforcers: pushing security policies and controls on employees creating a negative experience and cause friction," said Joseph Carson, chief security scientist and advisory CISO at Thycotic.
"A successful CISO is a person who listens and asks from other departments about how they measure success and aligns those with IT Security. Our job is to help the business be successful, not just reduce the risks from cyber-attacks." he told SC Media UK.
Obtaining the employee feedback on how they perform their tasks makes one understand that they are accessing multiple applications using different credentials with different security controls, Carson explained.
The CISO will realise that this is an inefficient, time-wasting process and understand the need to implement a privileged access solution that will allow the employee to access those applications without the need to use different credentials, increasing productivity and reducing wasted time, he added.
"At the same time it reduces cyber-fatigue for employees who no longer need to remember multiple credentials. This makes security a positive experience for the employee as it is helping them achieve their goals more effectively."
Resource or headcount constraint is particularly tighter for CISOs. The report suggests using metrics to "demonstrate the broader business value of cyber-security initiatives" to secure an appropriate budget.
"Several years ago, a CEO and CFO of a utility company told me that I needed to demonstrate how security can help the business reduce risks. The CFO said that sometimes it can be simple, just calculate the cost of doing nothing against the cost of doing something and you get the cyber-risk gap the business is exposed to. Mitigating the risks can then be converted into business value," said Carson.
Another major issue that CISOs faced were the communication gap between the technology heads and the business executives. Just as CISOs struggle with finance, there management struggles with technology.
Many of the respondents pointed out that management sometimes set unrealistic goals for the company's security programme, said Carson.
"As a result of management’s lack of understanding about cyber-security, they tend to think it is one issue or just one big challenge, rather than many. Consequently, they will hire one person whose task is to solve all of those cyber-security challenges, which means the executive team consistently underestimates the complexities of cyber-security. The result is that they are also consistently set unrealistic goals, without adequate budget."
This lack of understanding leads management to set goals so high that the existing team have to go way beyond their normal duties, which leads to overworked and under-resourced security teams, Carson added.
"This causes cyber-fatigue, burnout and mental health issues within the IT security industry. Unfortunately cyber-attackers don’t sleep or take vacations and they mostly happen out of normal business hours."
"Many of us feel as though we’re in a no-win situation at work as multiple stakeholders and business interests require both collaboration and compromise," Nominet CISO Cath Goulding wrote for SC Magazine UK.
"For the CISO, however, this is more than just a battle of wills, it could put the company at risk of a data breach."