We all have the odd bad day at the office. For some of us, this can often be remedied by spending time with a loved one or friends. For others, the burden of responsibility can weigh heavier and have a profound impact on wellbeing.
Increasingly so, CISOs are falling into this second category. Against a backdrop of increasingly sophisticated cyberattacks that threaten to impact businesses both financially and reputationally, as well as dealing with a skills gap and talent shortage, this C-suite role has become highly challenging. Recent headlines have reported on charges levied against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
The consequences of an incident could be severe for CISOs today. Kirsty Paine, Field CTO, Splunk, told Intelligent CISO: “There is no denying that a role in cybersecurity can be one of the most exciting and diverse out there. As the threat landscape expands and the pace of attacks gets faster, the pace of defence speeds up in tandem, which means there is always something new to learn.
“However, as cybercriminals become more persistent and workloads increase, the rate of change can also bring challenges. Many organisations, for example, have been impacted by the wake of the Great Resignation, the pressures of increasing digitisation, and the security challenges of remote work, exacerbating the already on-going talent shortage within the industry.”
Splunk’s State of Security research supports this assertion. According to the research, 76% of security leaders globally said their team members had been forced to take on responsibilities they were not ready for in the past year, and 70% said that the resulting increase in their workload had led them to consider looking for a new role.
“With two thirds reporting that talent shortages directly led to the failure of one or more projects/initiatives, it’s concerning – yet unsurprising – that 73% say that workers have resigned due to burnout. This churn has a snowball effect, with those workers left taking on extra duties and stress, leading to more resignations,” Paine said.
“And at a basic level, stressed workers are unhealthier and often more prone to mistakes. Whichever way you look at it, ‘CISO stress’ is very real, and it’s bad for our industry. While CISO tenure estimates vary, they’re pretty short – from roughly 18 months to 4.5 years – especially when compared to the average for other execs.
“In terms of working hours ‘more is not always more’. ‘Hours worked per week’ is not a measure of effectiveness (and actually has a negative impact once it reaches around 65 hours per week). And, arguably, no other C-suite exec thinks that being miserable and stressed should be a constant expectation of the job. Who would
routinely have the CFO on-call at 3am, for example, and what CFO would routinely accept the call?” Niko Mastropaolo, CISO at CCI Global, Africa’s leading BPO and customer service outsourcing provider, reiterated the pressure on modern CISOs.
“Cybersecurity specialists, practitioners and particularly the modern CISO, along with the support resources and complex systems driving InfoSec functions, are undergoing significant changes in an intensely competitive landscape, while maintaining high levels of performance within organisations, as they confront ever-growing cyber-risks like never seen before,” he said.
“These changes aim to assist CISOs and practitioners in better coping with the constantly evolving nature of cyberthreats. Security teams must remain informed, updated and, most critically, vigilant. Moreover, the consequences of a cyberattack can be severe, encompassing financial loss, brand damage and even harm to the personal wellbeing of others. Long hours and on-demand responsibilities often lead to burnout, escalating stress levels. Additionally, a global skills gap and rapid technological changes foster feelings of inadequacy and pressure to perform, among other challenges.”
So, what can under pressure CISOs do to get a better grasp on that coveted work-life balance?
The establishment of peer networks and connecting with fellow professionals facing similar challenges is one approach that cybersecurity professionals should consider, according to Mastropaolo.
He said: “This provides validation, advice and a sense of community. Investing in continuous learning across all technical skill layers boosts assurance, confidence and competence.
“Recognising our humanity and actively seeking balance is perhaps the most effective coping mechanism. Whether it’s spending quality time with loved ones or connecting with nature, these escapes are crucial for establishing balance and maintaining a healthy sense of self. The keywords here being ‘quality time’. This cannot be done as means to merely ‘check a box’. It is crucial that downtime is spent well away from stressful environments and both body and mind are given the opportunity to fully recharge.”
In certain cases, seeking professional help is imperative, he said.
“When stress becomes overwhelming, mental health professionals or support groups can provide the necessary tools to cope and navigate these challenges effectively,” he added.
“It’s critical to remember that the mounting stresses experienced by cyber professionals are not vastly different from those of others. While the sources of stress may vary, their impact on performance and overall mental wellbeing is equally significant. Organisations must recognise the mental wellbeing of their cybersecurity personnel by providing adequate resources, support and fostering a culture that values work-life balance and self-care.”
Paine added her insights into how CISOs can address the stress of their role and said starting with the basics – a healthy diet, regular exercise and plenty of rest – are fundamental.
“The other fundamental question is simply ‘can you work less and find more leisure time’ in a way that establishes better work-life balance? While this might seem trite or overly simplistic, and many simply accept that CISOs ‘must’ be some of the hardest-working people with the longest hours, it’s ultimately about what we deem acceptable,” she said.
“We have the chance as an industry to set our own standards and norms and demonstrate what ‘normal’ should look like. CISOs that push for a healthy working culture also set an example for their teams. Redefine the image of being a CISO to yourself and your peers to acknowledge that being busy doesn’t equate to being successful.”