Under Pressure: Why Companies Must Mitigate the Churn of Cybersecurity Leaders
The role of the cybersecurity leader has always been fraught with challenges. Serving as prime custodian for the safety and security of data and systems comes with enormous responsibilities.
From the breakneck speed of changes in the threat landscape to regulatory demands and industry-wide skills challenges, cybersecurity leaders are grappling with a growing list of priorities, responsibilities and expectations from stakeholders.
However, the increasing pressures and the ‘always-on’ nature of the role are compelling many leaders to consider quitting – which should sound a warning bell across the industry.
The expertise and guidance of experienced security professionals are needed more than ever as attackers adapt their techniques to launch increasingly damaging and dangerous attacks. More needs to be done to prevent the cycle of burnout and churn which affects leaders, their teams and the overall security of the organization.
High Stakes and High Costs
Whilst the role of the cybersecurity leader has always been demanding, a perfect storm of converging issues is piling on more pressure.
With the average global cost of a data breach reaching a record $4.88M, security leaders have a heavy burden to shoulder. These costs, increasing year-on-year, make overwork and stress an inevitable outcome. Research shows that 98% of security leaders are working beyond their contracted hours – on average nine extra hours per week. Nearly a quarter, 24%, of respondents are actively looking to leave their position and, among those, 93% cite stress and mounting demands as significant factors in their decision to leave.
The evolving nature of cyberthreats is a key factor. Ransomware attacks continue to grow in sophistication, with adversaries leveraging AI to execute data exfiltration and other tactics, further raising the stakes for security leaders.
Growing Personal Liability for Breaches
As the regulatory landscape changes, there are new concerns for leaders who not only need to consider company-wide compliance but also the risks of being held personally liable for cybersecurity incidents.
Following the 2019 SolarWinds attack – in which the company was the victim of a supply chain attack – the U.S. Securities and Exchange Commission (SEC) brought charges against an individual executive as well as the company for the first time.
High-profile instances of senior executives being held accountable are adding to the mounting demands on security leaders. An overwhelming majority, 70%, feel that stories of CISOs being held personally liable for cybersecurity incidents have negatively affected their opinion of the role. Around a third of respondents, 34%, believed that the trend of individuals being prosecuted following a cyberattack was a ‘no-win’ situation for security leaders: facing internal consequences if they report failings and prosecution if they don’t.
While this may compel Boards to sit up and take more notice of cybersecurity, there’s evidence to suggest that this has not translated into additional resources being allocated. Only a small minority, 10%, reported that the trend of cybersecurity leaders facing increased scrutiny has led to any additional money being devoted towards cybersecurity.
Managing the Stresses and Strains
With the demands piling up, security leaders are using a range of strategies to cope – some healthy, others more worrying. Many are taking great care to manage their physical well-being, allocating time for sport, getting enough sleep, setting work/life boundaries and understanding that their health is important. However, some signs suggest that more worrying coping mechanisms, such as alcohol use or social withdrawal, are also being used to handle stress.
These behaviors can affect both work performance and personal life and, over time, may result in lower productivity, a decreased ability to handle challenges and strained relationships. Certainly, organizations could do more to support leaders in their roles, such as increasing budgets and resources and allowing leaders more time to focus on critical priorities.
Support for Security Leaders
There may be growing awareness of, and discussions around, the stresses faced by cybersecurity leaders. However, until this is backed up by changes – from resources to a supportive culture – the cycle of burnout and churn will likely continue as security leaders shoulder the heavy weight of responsibility, accountability and personal liability. High-profile instances of individuals being charged will undoubtedly add to the pressures they feel but could also be the catalyst for Boards to allocate the resources, budget, and manpower that security leaders need to effect real change.
Many security leaders likely enter the industry motivated to make a positive impact, to be the protectors of their organization and to build robust strategies that will improve resilience. Accountability is part of every role, but it’s also important to recognize that security leaders need the support of their executive management team and the Board. This is essential not only for the security of the business but also for protecting the welfare of its leaders. Replacing senior leaders is costly and time-consuming, so organizations must address the root causes of stress to reduce turnover.