“In technology, it’s about the people – getting the best people, retaining them, nurturing a creative environment, and helping to find a way to innovate.”
– Marissa Mayer, Former CEO of Yahoo! and co-founder of Lumi Labs
The cybersecurity industry is facing a crisis. There is a shortfall in skilled labour with an estimated 3.5 million unfilled cybersecurity jobs predicted by 2021. In addition, Chief Security Information Officers (CISO), those who are responsible for maintaining an organization’s security vision, strategy and security programming, and ensuring that a company’s technology and assets are protected, have, on average, only a 24-48 month tenure. Short tenures mean high turnover in the CISO role, making it hard to establish company security norms and maintain a companywide cybersecurity culture.
A company’s cybersecurity successes are often due to the effectiveness of the CISO; therefore, when you hire a great CISO, you want to keep them. Data is an increasingly desirable commodity for cyber-criminals and cyber-attacks are on the rise. As a result, the role of CISO is growing progressively more stressful and challenging.
A new report by Nominet, titled Life Inside the Perimeter: Understanding the Modern CISO, makes clear the harsh reality of the role of CISO. The report states that every CISO experiences stress in their position, while 91% of those surveyed say that their work stress level is moderate to high. 60% of the CISOs surveyed say they rarely disconnect from their job. Long work hours contributed to work stress with 88% of CISOs working more than 40 hours per week and 22% of CISOs on call 24/7. The digital problems they are dealing with are causing a very physical response. 26.5% of the surveyed CISOs state that stress is negatively impacting their mental and physical health and 23% state that the job is causing the erosion of personal relationships. To deal with workplace stress, 17% of CISOs admitted to using medication and alcohol as a coping mechanism.
Business psychologist, Dr. Dimitrios Tsivrikos, says, “It is of paramount importance that we address organizational stress and extra emphasis ought to be paid to CISOs. As a group of employees, they are faced with overwhelming pressure. Errors in their judgment, caused by excessive work-related stress, can indeed have detrimental effects upon business and personal data.”
What makes the CISO position so stressful?
“Security leaders are under a lot of pressure to show quick wins while knowing full well that everything they do will be heavily scrutinized and challenged, and ultimately, they will pay the price for things that are not under their control,” says Yaron Levi, CISO, Blue Cross and Blue Shield of Kansas City. The fact is that cybercriminals only have to be right once, CISOs are expected to be right all the time – perfection, especially in cybersecurity, is not a tangible goal (having a robust incident response strategy, however, is).
The CEO of Nominet, Russell Haworth, says, “CISOs around the world are facing mounting pressures amid a rapidly shifting cyber landscape. Criminals are forever finding ways to exploit vulnerabilities, and do not discriminate against the businesses they attack. Everyone is a target. It’s no surprise that CISOs are facing burnout. Many lack support from within their organizations, and senior business leaders need to face the facts: the threats are real, and CISOs need to be given the resources and support to tackle them. If not, the board must face the consequences.”
Lack of Support:
36% of CISOs leave a corporation for greener pastures citing a lack of companywide cybersecurity culture. If the company isn’t committed to cybersecurity, then it makes it difficult for a CISO to execute a security strategy. A lack of support to a CISOs role or to security initiatives devalues them as employees, which detracts from job satisfaction and affects their commitment to the organization.
In the Nominet study, only 52% of CISOs felt that their executive teams valued the security team from the standpoint of revenue and brand protection. 34% of CISO respondents said that they are inclined to change jobs when they aren’t included as active members of the executive team or the board of directors. CISOs should not be treated as elevated system administrators; they are business managers who oversee a technology discipline. Sadly, 18% believed that their board members were indifferent to the security team, even seeing them as inconvenient.
Only 60% of CISOs believed that their CEO was in agreement that a breach is inevitable (which it most certainly is) and that a lack of senior management buy-in to the problem was an issue, with 65% claiming this factor as a security barrier within their organization. Add to that 32% of all CISOs questioned believed that, if a significant breach occurred, they would either be formally reprimanded or lose their job. Leaving in fear of a consequence like losing a job in the face of something inevitable, like a breach, creates a toxic and stressful work environment.
Lack of budget and skills
31% of CISOs change jobs when cybersecurity budgets don’t line up with the organization’s size or industry. Many organizations are willing to nickel and dime the CISO and settle for “good enough” security.
This low-budget approach isn’t a sound plan for CISO retention or strong cybersecurity. With cybercrime on the rise, and the threat it presents to modern businesses, 57% of CISOs believe that lack of resources is what is creating ineffectual security postures in their organization. 60% of CISOs admitted to finding malware on their infrastructure which had been there for an unknown period. The average length of time for malware discovery was 14 days, plenty of time for data to be extracted and sold or exploited. Only 43% of CISOs believe they have an adequate budget to defend against, and defeat, cyber attacks and only 51% think they have sufficient technology in place. 63% of CISOs stated they were struggling to assemble the right IT team due to budget restraints and a lack of skilled candidates.
With CISOs and cybersecurity professionals in high demand, salaries have inflated. 38% of CISOs left a company for a more lucrative deal. Some CISOs claim to have new job offers weekly. So, if you want to retain your CISO, you need to ensure that you are paying them their worth. Jobs aren’t just about money though. CISOs need to feel valued and supported, be given adequate budget and tools to do their job effectively, be able to employ a skilled IT department, and have an active role on the executive team. As Kathryn Minshew, CEO of The Muse says, “You know … that a company is only as good as its people. The hard part is actually building the team that will embody your company culture and propel you forward.”
Invest in your CISO and invest in your cybersecurity team. Make cybersecurity part of your corporate culture and help your IT team protect and propel your company forward. If your company invests in them, they’re more likely to invest in your company and stick around for years, not months. To our CISO friends, we, at ISA, have your back.