Evolving work habits to promote better wellbeing among CISOs

Chief Information Security Officers (CISOs) face a rapidly expanding threat landscape. They’re not only up against an increased volume of threats, but also threats that are growing in sophistication.

More than half (53%) of security and IT leaders are finding it harder to keep up with security requirements compared with just two years ago, with social engineering, ransomware, and OT/IoT causing the greatest concern among CISOs.

Working days are getting longer as a consequence, with 12+ hour shifts an everyday reality for many of today’s CISOs. This risks a domino effect: dissatisfaction, burnout and, potentially, eventual resignation. In fact, three quarters (78%) of CISOs have considered looking for a new role entirely due to workload.

An ever-developing and fast-moving landscape makes some level of stress inevitable. However, there are some basic factors CISOs should consider in terms of relieving the pressure on them and safeguarding their wellbeing:

1. Push for greater investment

Organisations recognise that investment in cybersecurity defences is essential, and it’s a sensible idea to increase security budgets in line with wider business growth. 93% expect to increase cybersecurity spending and CISOs should push to make sure, where appropriate, that this translates into action. The greater the financial investment, the greater the investment in resources, whether human or tools, helping better respond to threats, particularly as they grow in volume.

2. Consider your core role in redefining what is accepted as ‘normal’

86% of CISOs say their role has changed so significantly since they started out it’s almost a different job entirely.

This can be used for positive change, and is an opportunity for CISOs to set standards and demonstrate what ‘normal’ should look like. Establishing that being busy doesn’t equate to effectiveness will cascade to team members, promoting better wellbeing all round. Arguably, CISOs should be at least partially empowered to define what is deemed acceptable and try to carve out a more manageable work-life balance for one of the most valuable and hard-to-rehire teams.

3. Delegate to team members to share responsibilities

The need to delegate sounds obvious but, given the highly-immediate nature of many security roles, delegation hasn’t always been a skill senior security figures have demonstrated well.

Being able to deputise work is vital in helping CISOs best manage their valuable time. Investing time and money in training colleagues to take responsibility and deputise in meetings will spread the load, so it doesn’t fall to the CISO alone. It also somewhat de-risks the team.

Managing upwards is equally important. Almost half (47%) of CISOs report directly to their CEO. CISOs should educate them that successful cyberattacks are inevitable and are not a failure of CISO leadership. Judgement should be made on the way attacks are responded to, rather than the fact they happen.

4. Consider how AI-enabled tools can help you scale

A third of security teams are already using AI for positive applications. (Human-in-the-loop) AI-enabled tools can be a highly worthwhile investment not only for CISOs themselves, but also their teams, and their company. AI can help monitor, triage, and prioritise cyber alerts, and suggest methods of addressing specific issues. This frees up valuable human resources, reducing strain and offsetting potential burnout across many team levels.

Businesses must not ignore the growing pressure mounting on their security teams, much of which is absorbed by the individual(s) at the top – the CISO. A role in cybersecurity can be one of the most rewarding out there, but like any role, it is not worth sacrificing personal mental health.

As a collective industry, working practices must be adapted to protect and better CISO wellbeing, with adequate budgets, D&O insurance, resources, and processes in place to support this group and keep them in a position to do their most critical job.

Mick Baccio

As a global security advisor, SURGe at Splunk, Mick Baccio leverages his background and expertise to help customers solve complex security problems.

Prior to joining Splunk, Baccio held the title of Chief Information Security Officer at Pete for America, becoming the first CISO in the history of presidential campaigns.

