The role of the CISO is one rife with challenges. Ultimately responsible for protecting an organization’s data, they must overcome issues such as an ever-evolving threat landscape, a widening attack surface, resource management and business alignment. It goes without saying that, whilst a CISO’s job can prove exciting and rewarding, it can come with high levels of stress and feelings of burnout.
Evidence of high stress levels in CISO/security leadership roles has been plentiful. In April 2019, research from Symantec revealed that 82% of IT security leaders across Europe were suffering from mental and physical burnout, with nearly two-thirds thinking about leaving their job (64%) or quitting the industry altogether (63%) as a result.
Earlier in the year, a report from Nominet discovered that 27% of CISOs felt stress was impacting their mental or physical health, with 23% saying the role was damaging their personal relationships. What’s more, 17% admitted they had turned to medication or alcohol to deal with workplace stress.
In fact, Infosecurity explored the issue of dealing with stress in information security job roles as far back as 2015.
What’s clear is that stress and burnout within security leadership occupations have been prevalent for some time, but new research from Nominet has revealed that the problem is continuing to intensify.
The firm surveyed 400 CISOs and 400 C-suite executives in the UK and US on the challenges of the CISO role and compiled its findings into The CISO Stress Report: Life Inside the Perimeter, One Year On. This research expanded on Nominet’s report from a year earlier and looked deeper into the causes and impact of stress on CISOs.
The research found that the vast majority of CISOs (88%) remain moderately or tremendously stressed, and although this marked a slight decrease from 91% in 2019, stress appears to be taking a greater toll on CISOs’ lives.
For example, 48% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year, whilst 31% reported that stress had impacted their physical health. What’s more, 40% of CISOs admitted that stress levels had affected their relationships with their families, with just under a third (32%) stating it had repercussions on their marriage, romantic relationships and personal friendships (up from 23%). In terms of coping mechanisms, the number of CISOs turning to medication or alcohol as a result of stress has increased to 23%.
Almost three-quarters (71%) of CISOs said their work-life balance was heavily weighted towards work, with 95% working more than their weekly contracted hours (something that 87% of CISOs felt compelled to do by their organization). As many as 83% of CISOs admitted to spending half their evenings and weekends thinking about work, with just 2% always able to switch off from work outside of the office. Interestingly, almost all surveyed CISOs (90%) would opt for a pay cut if it improved their work-life balance.
However, it’s not just CISOs themselves suffering more from stress. Nominet’s report also discovered that 31% of CISOs (a 2% increase on last year) feel the impact of stress has affected their ability to do their job. This could be having negative impacts on organizations as a whole, not to mention exacerbating the fact that the average tenure of a CISO is just over two years.
Speaking to Infosecurity, Stuart Reed, VP of cyber at Nominet, said that there are inescapable elements of a CISO’s job that, by nature, make it a high-pressured role.
“In many cases, the pressures of the CISO role are being exacerbated into stress by internal organizational factors. On top of their day-to-day job, CISOs are facing poor work-life balances, they are missing family events and milestones, they fear losing their jobs and, in almost 100% of cases, the board is expecting them to deliver more. While the remit of the CISO will remain a constant, these factors could be controlled better.”
Dr Dimitrios Tsivrikos, lecturer in Consumer and Business Psychology, University College London, concurred: “While there have been positive steps in mental health and stress-related issues, the essence of tackling these issues has not received as much attention as needed. We do anticipate that stress levels will continue to rise until we address the issue of stress, mental health and wellbeing at work.”
So what must be done to do exactly that? For Reed, the responsibility for and ability to reduce the stress load on CISOs lies largely with the board.
“One of the key findings of the report was that, while boards were cognizant of the stress faced by their security teams, they were doing little to address the issue. If boards want their organization to be effectively protected, they need to reduce the stress being placed on the CISO – otherwise they risk it leading to burnout. Urgent red flag issues that need to be addressed are CISOs being expected to work overtime, CISOs feeling like their job is on the line in the case of a security breach and, most importantly, a lack of support for mental health problems. The board can address all of these areas. Doing so will significantly reduce the internal pressures on the CISO and foster a healthier working environment.”
Reed also told Infosecurity that, to help CISOs recognize and gauge their stress levels, Nominet has (today) launched the CISO Stress Calculator, or ‘Stressulator.’
“We created the CISO Stressulator off the back of the dedicated research report,” he explained. “We used the key findings from the report to identify areas where CISOs felt particularly stressed. While it is not a scientific assessment of how stressed a CISO might be, it should give an indication as to where they sit on the scale. Our aim with the CISO Stressulator is to generate awareness around the issue of CISO stress.”
By raising the issue of CISO stress, Reed concluded, “we hope that wellbeing will be taken more seriously.”
Infosecurity will be exploring strategies for combatting burnout and stress in security leadership roles in a live session as part of its next Online Summit, taking place on March 25 and 26 2020.