Rick McElroy, Principal Security Strategist, VMware Carbon Black, discusses three ways to alleviate CISO stress and explains why security should be a team sport and a business imperative.
A CEO will last 8.4 years in the position, while a CFO clocks in at 6.2 years in average length of tenure. But a look around the boardroom will tell you that longevity isn’t on the cards for overworked, overwhelmed CISOs, with most only spending an average of two years in the role before calling it quits.
This trend is no coincidence – CISOs are at the top of the list for burn-out, especially this year as organisations accelerated Digital Transformation nearly overnight and employees continue to work remotely. In fact, a recent Nominet study found that 88% of CISOs remain moderately or tremendously stressed.
This Cybersecurity Awareness Month, it’s time to tip our hats to CISOs and together as an industry adopt a few best practices that will help alleviate the burden of our valuable security leaders.
Understand the shared responsibility
More CISOs ranked the responsibility of securing the business/network as the most stressful part of the job, slightly ahead of long gruelling hours. That’s because traditionally, organisations carry an assumption that security is the sole responsibility of the CISO. In reality, security needs to be a team sport – everyone from the CEO to the seasonal intern should prioritise cybersecurity hygiene to keep the business protected. It’s no longer a CISO request; it’s now a business imperative.
To instill this notion of shared responsibility, organisations should prioritise regular cybersecurity training, which should be mandatory for all employees. Simple measures such as not clicking on a malicious phishing link from an unknown alias can have big, positive effects on the business at large, and most importantly relieve pressure on the CISO.
Close the skills gap
InfoSec has endless job opportunities but not enough talent to help fill the skills gap. As a result, CISOs and their security teams are working in overdrive to meet the demand for increased security while short-staffed. This has daunting repercussions, with 23% of CISOs turning to medication or alcohol to manage their stress and 40% admitting their stress levels had affected their relationships with their family or children.
The reality is we will never out-hire the talent shortage, but we can all pitch in to help lessen it. Don’t just look for overqualified external candidates to fill security openings. Instead, look internally to see what type of talent translates well into a security career. Is there a QA analyst who has great communication skills and attention to detail? Consider piquing their interest in a career in cybersecurity. Additionally, tap your professional network to help bring in top talent, regardless of technical background. Lastly, organisations at large should offer continual education from internal and external resources, and retain by advancement: reward a job well done and be a regular advocate for promotions and/or raises in the industry.
Offer a helping hand
Sometimes CISOs just need to know someone is in their corner supporting them within an organisation. If you serve in another function, don’t overlook the power of lending a helping hand – ask a CISO how they’re doing or how your department can help. CISOs are known to support every department, but the reality is that this support is not always reciprocated. Look to leaders in finance, marketing, customer service or HR, who often take priority when allocating budgets, for support, not only financial but also in the form of sound business advice based on what they’re seeing across the organisation.
If we all played a small role in helping alleviate the burden of today’s CISO, it would amount to a vast difference. CISOs would feel less stressed, have a better quality of life and enjoy a longer tenure protecting their organisations. It’s a win/win situation. Now, let’s get the industry on board.