It ain’t easy bein’ a CISO. That’s a sentiment heard around the halls of business and in security departments around the globe. But there is also plenty of research that backs up the notion that running a security department is difficult, stressful, tireless work, and those who do it are prone to burnout.
The most recent evidence supporting this is a study of hundreds of CISOs globally from Nominet, which finds 91 percent of those surveyed rank their stress levels as moderate or high. Also telling: 88 percent said they work more than 40 hours a week and 27 percent work up to 60 hours. And so much for taking a vacation to decompress after long work weeks, because 89 percent of U.S.-based CISOs said they have never had a two-week break from their job.
Perhaps the most disturbing statistic contained in the report, titled “Life Inside the Perimeter: Understanding the Modern CISO,” was that 17 percent of CISOs say they use medication or alcohol to deal with professional stress.
Always Pushing Uphill
There are a number of factors causing CISOs to experience levels of stress that are higher than in many other professions. Chief among them is the distinct lack of interest in and buy-in for security that still exists in many organizations. Among the Nominet findings:
- Only around half (52 percent) of CISOs felt executive teams valued the security team from a revenue and brand protection standpoint;
- Of those polled, 18 percent thought their board was indifferent to the security team or saw them as an inconvenience;
- While most CISOs know a breach is inevitable, only 60 percent of CISOs felt that their CEO agreed a breach was likely.
These findings mirror what many others in the profession report from first-hand experience. In a presentation this year at RSA Conference titled “Why the Role of CISO Sucks and What We Should Do to Fix It!”, Gary Hayslip, vice president and CISO at Webroot, examined some of the stressors of the role and offered ideas for mitigating that stress so that CISOs can thrive in the role instead.
Among some of Hayslip’s cited reasons for extreme stress and burnout in the CISO role:
- Entrenched business culture.
- No budget for FTEs.
- Legacy networks that can’t be touched.
- Critical partners with unknown risks.
- Unrealistic goals for the security program.
Managing Burnout in a Stressful Role
Where do CISOs go from here? Just accept the fact that stress is simply part of the job? Despite the constant pressure, leaving the role is not an option for many CISOs, Hayslip noted.
“It can be a thankless, never-ending job, and the stress is relentless at times,” he wrote in a post on Forbes. “But we continue to serve because for many of us, it’s not a job—it’s a calling.”
In a post on LinkedIn, Jamil Farshchi, who has served as a post-breach CISO for both Home Depot and Equifax, offered his personal suggestions for handling and minimizing stress in a difficult position. His ideas included self-care, exercise, sticking to routines, limiting distractions and keeping things in perspective. Many other security pros weighed in with their own techniques for stress reduction, including meditation, sleeping more and truly taking a break on weekends.
Dr. Dimitrios Tsivrikos, a business psychologist and lecturer at University College London, provided his insight into the Nominet report findings: “Be vocal about your levels of stress to both work colleagues as well as family. You will be surprised by the support and help that is often available via both official and unofficial channels. Silence kills when it comes to stress-related incidents.”
But clearly things need to change at the organizational level globally for the role of the security chief to feel less exhausting. Executive buy-in and understanding of security, adequate funding for security initiatives and access to the tools and staff necessary are essential—not only to security posture, but also for the well-being and future of professionals in security roles.