Intelligent CIO Q&A with Steve Bray, Head of Australia & New Zealand, Cloudflare, on the burnout risk facing CISOs.
Have you noticed a trend of burnout amongst CISOs?
I think the broad answer is yes. While this is mainly anecdotal, there are plenty of surveys and research indicating that CISOs are under increasing amounts of work-related stress. A study conducted by the Australian non-profit Cybermindz and the University of Adelaide found that cyber professionals scored higher on a burnout scale than the general population – with some scores exceeding those of frontline health workers.
What challenges are contributing to this rise in stress/burnout as they navigate their work life?
I think there are four sources we can point to. First, the complexity of IT environments and architectures means there’s a larger number of threats that CISOs need to address, which all require their own specific strategies, objectives, plans and projects in place to manage. Second, criminals’ methods of attacking organisations are becoming increasingly sophisticated, and the advent of cloud and multi-cloud environments has created a challenging landscape for CISOs to provide protection for. Third, internally it can be hard to translate technical information on security and threats into business conversations or impact statements that CEOs or CFOs might better understand. This can then impact how CISOs respond to threats, such as the timeliness and prioritisation of resources for projects that protect certain assets.
Finally, we’re currently facing a talent shortage in the technology space. Sometimes teams are having to manage on very tight budgets and few resources, and that’s especially true in relation to security specialists across every layer and into senior levels.
What can businesses and society do to assist CISOs in their day-to-day work?
The responsibility is on executives and boards to seek to understand the complexity of cybersecurity challenges that CISOs are trying to respond to, ensuring it’s a regular topic of review. Just like they would review financials or a strategic marketing plan, boards should regularly seek to understand their organisation’s capabilities, readiness and resiliency in relation to cybersecurity threats. More broadly, tertiary institutions and education play a role in influencing how future leaders manage these new stresses. Whether this means investing in new skills, so graduates better understand the systems they’re working with, or providing on-the-job experience, to better prepare them for those working environments, so upon entering that senior level, they’re equipped with the skills to better manage those pressures.
Can the adoption of AI and other innovations help reduce the workload and stress experienced by CISOs?
AI offers great opportunities for low-value work to be automated through machine learning; however, it’s also another threat plane that CISOs need to address and respond to. CISOs are being asked to answer questions around how AI uses data that’s held within the business, and what access is being provided into and out of those systems that they are responsible for securing. Currently, AI is being tested and experimented with by organisations without necessarily having clear data use policies or the means to secure that data from threats.
What strategies could they implement to secure what they have in front of them and then get additional support to do this?
I think that’s a great question. Balancing the risk posed by threats from bad actors with the business needs of organisations is key. Companies are looking to use technology to be more open and provide better service to customers, share information about products and services, and engage with all stakeholders more effectively, including vendors, suppliers and customers. However, this openness can increase risk. Nowadays, it’s much easier for individuals to access data that would have been inaccessible 10 or 20 years ago. CISOs need to protect this data, as well as intellectual property, systems and employees from threats, while enabling the business to be more transparent and interactive with the markets they serve.
On a personal level, what advice would you give to CISOs experiencing burnout?
My advice would be that CISOs seek higher levels of engagement from their organisations. They should regularly interact with C-level executives like the CEO and CFO and have opportunities to present challenges they face at the board level. Regularly communicating with the board about threats not only helps build the CISO’s skill set in translating technology issues into business terms, it also helps secure the necessary funding and resources to minimise threats. Additionally, CISOs should be actively involved in programs that build skill sets, whether through universities or internal career development paths for technology security professionals. It’s vital for CISOs to have a clear understanding of their role within the technology group of the business. In large organisations, security is just one part of a broader technology strategy, but effective collaboration with other parts of the organisation is essential.
What impact can burnout have on businesses?
If the person responsible for your security – and I mean ultimately responsible for the strategy, mission and delivery of security – is burnt out, you can only expect a suboptimal outcome. This is true for everyone, which is why there’s a strong emphasis on work-life balance and health. If CISOs are burnt out, tired and overwhelmed, it’s unrealistic to expect the best outcomes. Consequently, the organisation won’t be as well-protected, resilient or responsive to security breaches as it could be. Ensuring that CISOs are supported and not burnt out is crucial for maintaining the security and overall health of the organisation.