Skating on thin ice - CISOs crack under stress of job insecurity & lack of resources

News by Jay Jay

CISOs are turning to drink, drugs & meditation to cope with the inevitability of breaches in the face of inadequate human or financial resources to defend their organisations, with 1 in 5 available 24/7.

The persistent threat of cyber-attacks, the need to constantly act as a bridge between highly technical IT staff and business-focussed leadership teams, the perennial threat of being fired in the event of a major breach, and the struggle with a lack of resources are overwhelming CISOs, so much so that 91 percent of them are suffering from moderate or high stress and 17 percent are either medicating or using alcohol to deal with job stress.

While a lot has been written about certain CISOs at large enterprises not being able to completely secure their IT environments, maintain visibility over their applications and endpoints, and failing to elevate cyber security into a major business issue, not much has been written about the threats they have to deal with every day, the lack of job security, the difficulty in convincing business-oriented leadership teams, and their ability to maintain a work-life balance at all times.

A recent survey of CISOs at large organisations with 8,942 employees on average in the US and the UK carried out by Nominet Cybersecurity has found that such challenges are taking a heavy toll on CISOs. The job of keeping their networks secure at all times consumes them so much that a vast majority of them are suffering from stress, are finding little time to spend with their families, and a fifth of them are resorting to medication or alcohol to maintain their work-life balance.

A major reason why the profile of a CISO is so challenging is that a majority of them, even at large organisations, don’t have enough resources, human or financial, to defend their organisations. The lack of resources reduces their organisations' security effectiveness and also puts their jobs in peril.

A third of CISOs said that since a majority of board members do not have an in-depth understanding of cyber, they resort to firing or disciplining CISOs in the event of a breach without getting into the root cause of why a breach happened. As a result, fewer than a third of CISOs have been able to keep their jobs for more than three years. A greater percentage of UK CISOs think they would receive a warning or be fired (37 percent) in the event of a breach compared to just 28 percent in the US.

Among British CISOs, a quarter of them believe that board members and executive management teams at their organisations have zero understanding about the nuances and implications of cyber-security issues, 42 percent believe the understanding is little, and only 10 percent believe their board members have a great deal of understanding about such issues.

The lack of resources has also restricted CISOs' ability to detect malware in their IT systems, so much so that over two-thirds of CISOs in the UK have admitted to having found malware which had been hidden in their networks for an unknown period of time. This fact has led CISOs to be unanimously convinced about the fact that cyber-breaches are, ultimately, inevitable.

The basic fact that a breach is inevitable, that an organisation does not have sufficient resources to respond to all kinds of threats, and the penchant of boards to fire or discipline CISOs have put the latter in an isolated and stressful position. According to Nominet's research, to compensate for the lack of resources, CISOs are working extremely hard with 60 percent of them "rarely or never" staying disconnected from their jobs and 22 percent being available 24/7.

In fact, 88 percent of CISOs are now working more than 40 hours every week: 54 percent are working between 41 and 50 hours, 27 percent between 50 and 60 hours and seven percent are working more than 85 hours per week. In the UK, this has resulted in tremendous stress levels for 36 percent of security teams and moderate stress levels for 53 percent of them.

While a quarter of CISOs in the UK said such stress levels eroded their personal relationships outside of work, 27.4 percent said they affected their physical and mental health, almost a third said stress impacted their ability to do their jobs, and 26.9 percent said their relationships at work were also getting impacted.

To deal with such stress levels, 23 percent of UK CISOs are taking frequent breaks during working hours, 7.5 percent are resorting to medication, 13.9 percent are doing meditation, 16.9 percent are dreaming about their next vacation, and almost 15 percent are resorting to alcohol.

Commenting on the tremendous or moderate stress levels that CISOs have to deal with, Naaman Hart, cloud services security architect at Digital Guardian, told SC Magazine UK that CISOs should depend on Security Managed Services to bolster their workforce, as there is simply not enough talent out there to cope with the demand.

"In terms of mental stress, nowadays that comes from being ‘always on’ and having to respond to incidents in real time. A CISO should be putting in place a structure and process that can be consistently followed 24/7 by internal staff or security partners. This results in the CISO being notified of the issue but not finding themselves involved intrinsically in every incident. The ability to switch off is necessary to maintaining your sanity, and overworked and under-rested CISOs are likely not making their best decisions at that point," he added.

Stephen Moore, vice president and chief security strategist at Exabeam, says that CISOs have unenviable jobs as they are responsible for safeguarding every piece of corporate, employee and customer data within an organisation around the clock, against an army of unknown adversaries that are constantly ahead of commonly deployed defences and controls.

"For CISOs to succeed in today’s hostile security climate, they must be able to identify and address as many of the potential pitfalls surrounding them as possible. These are both internal and external, including failure to properly align with senior management expectations and lacklustre c-suite support and visibility when/where it counts. Doing so helps minimise the chance of unwelcome ‘nasty surprises’, which often only appear at the most inopportune moments. Unfortunately, many CISOs fail to do this, making what’s already a hard and stressful job almost impossible," he said.

When asked how CISOs can reduce their workload to relieve themselves of mental stress, Mark Rogan, application security supervisor at WhiteHat Security, said that the key to any workforce is teamwork. The benefits of getting to know your employees, their lives and struggles cannot be underestimated.

"Taking the time to ensure you are treating your team well and that they are comfortable in their jobs will help ensure they will put the extra effort into their day jobs and should result in better cohesion throughout the company – all of which helps to relieve stress," he said.

When asked if CISOs can afford to take board members head-on when negotiating cyber-security budgets or listing out security tools their organisations have to invest in, he added that CISOs stand a better chance of getting their budgets hiked if they make cyber-security relevant to the current business.

"Identifying other companies within the industry that have been targeted by a malicious actor helps drive home the need to invest in cyber-security, not only to ensure sensitive employee and customer data is kept secure, but that the reputation of the business does not take a hit," he said.

While there are ways CISOs can somewhat reduce their stress levels, get their budgets enhanced, or increase visibility over their infrastructure, a quarter of CISOs in the UK are convinced that the introduction of automation and AI in cyber-security will make their security roles less stressful, compared to 50 percent of them who feel the adoption of automation and AI will make their jobs "somewhat" less stressful.

"With increasing threat datasets, human monitoring will only ever either become overloaded, or cross a cost / benefit line. Neither is sustainable. Successfully using automation lies in the details, from being selective in the choice of vendors to ensuring any new deployment is ‘trained’ correctly before being put live. CISOs who are given the time and budget to do so, will reap the personal benefits from decreased stress and, as we have seen, security posture will improve as a result," said Russell Haworth, CEO of Nominet.
