Understanding and Addressing CISO Burnout

Author: ISACA
Date Published: 18 November 2020

Adjusting Organizational Culture and Improving Cyber Maturity to Counteract CISO Burnout

The job of a chief information security officer (CISO) is notoriously grueling. CISOs often remain in their roles for only a year or two, with high stress levels and unrealistic organizational expectations among the leading factors that drive them from the job. Underscoring the degree of difficulty for CISOs in this era of heightened cyber threats, a study shows that 90 percent of CISOs would be willing to take a pay cut in exchange for improved work-life balance.

In today’s age of smartphones and connected devices, many organizations have shifted expectations about when employees should be accessible and on-call, especially for fast-paced, high-visibility roles like CISOs. These dynamics have been compounded during this pandemic year. With many professionals in the security field and other industries now working from home full-time, the separation between professional and personal life has become blurrier than ever.

On an episode of the ISACA Podcast, “Understanding and Addressing CISO Burnout,” Frank Downs, senior director, cybersecurity advisory and assessment solutions at ISACA, and Dustin Brewer, principal futurist, ISACA, sized up many of the major factors that lead to burnout for CISOs and other security professionals, and what organizations can do to foster a healthier work culture.

What Leads to CISO Burnout?

In many cases, CISOs are set up to fail. Downs said the array of responsibilities foisted upon CISOs – not only do they drive cybersecurity strategy, but they also manage reporting, security infrastructure and must understand legal and regulatory considerations – stacks too much strain and responsibility on CISOs’ shoulders. This is especially true when factoring in the inherent stress that comes with being accountable to executive leadership and the board of directors for staving off a cyber threat landscape that is expanding both in volume and sophistication.

“In general, people view CISOs as this panacea, and an excuse, from my perspective, to not think about certain things and throw broad requirements upon these people as a result,” Downs said.

“No wonder the stress is monumental and they become workaholics trying to juggle everything.”

Downs pointed to ISACA’s annual State of Cybersecurity research that has shown not only are technical security skills in high demand, but also security leaders who have a detailed understanding of organizations’ missions, are strong communicators and possess advanced leadership capabilities.

“That’s a whole lot to ask for anyone in any field,” Downs said. “I know of very few people in any field that can both understand deep level technology and technical aspects, and then clearly communicate them in an appropriate fashion that everyone will understand. It is difficult. It is a very rare talent, and it’s an even harder-learned skill.”

Unrealistic Expectations

In addition to being asked to work long and odd hours, CISOs are subject to intense scrutiny from organizational leaders and often become the person who takes the fall if something goes wrong. Cybersecurity has become an area of deep interest to boards of directors, given the potential of a cyber attack to inflict massive damage to an organization’s bottom line and its reputation with customers.

While putting in place strong security procedures and controls is a must for modern enterprises, there is no such thing as a foolproof security program. Stopping every attack is not realistic, given today’s daunting and ever-changing threat landscape. This reality can also lead to underreporting of cyber attacks, because CISOs and other security team members may fear for their job security if an incident becomes known.

“I long for the day where people realize just because something failed doesn’t mean people are failures,” Downs said. “And that’s relevant across all jobs.”

Mitigating Cybersecurity Risk: A CISO Solution

Downs said one effective way for CISOs to make their roles more manageable and to increase their peace of mind is by measuring, assessing and reporting on cyber maturity using a risk-based approach, such as ISACA’s CMMI® Cybermaturity Platform. The platform allows organizations to see which aspects of their security program are strong, which are weak and how they can efficiently address gaps with a customized roadmap based on an organization’s unique risk profile. This can provide a concrete and measurable way for CISOs to convey the organization’s cyber maturity to the board and executive leaders, and provide substantive data as questions inevitably arise.

Downs cautioned, though, that even when enterprises are relatively well-prepared for cyber threats, it “doesn’t completely mitigate you from being exploited. As often as these great technical solutions come out, these awesome enhancements to our capabilities emerge, there’s always (somebody) out there who vows ‘I’m going to break it. I’m going to exploit you.’”

Practical Tips to Protect CISOs and Staff

While CISOs have an especially stressful set of responsibilities, work-life balance challenges and burnout often apply to other security practitioners as well. There are several reasonable steps organizations can take to improve the morale and mental health of their security teams, Downs and Brewer said. One starting point is simply to have those conversations – both within the security team and, if necessary, with higher-ups in the organization – to acknowledge that the threat of burnout is real and to discuss common-sense solutions that can help.

For example, if team members are likely to work at night or on weekends, they should be encouraged to take time for themselves during the day to run errands, enjoy a walk or spend time with their families – and completely unplug from work in the process. Some organizations have found more dramatic steps need to be taken to promote work-life balance. Volkswagen configured servers so that emails would only be sent to employees’ phones for half an hour before the start and after the end of the working day – and not during weekends.

“It turns out, at the end of the day, we’re still human,” Brewer said of security professionals. “We still need time to recharge, to shut down a little bit.”

If organizations are not empathetic toward their employees’ need for balance and flexibility, it is usually only a matter of time before security professionals decide the organization is not the right fit and begin looking elsewhere. That type of attrition can be devastating for organizations, given the well-documented cybersecurity skills gap, which often means searches to recruit suitable candidates for security roles drag on for months. Finding qualified CISOs can be particularly difficult for small and medium enterprises that cannot compete financially with larger competitors.

Brewer said security professionals’ job performance and attention to detail suffer when they are overworked and overstressed. It is important to be proactive in addressing those concerns, he said.

“Whether you’re a CISO or whether you’re the person on the front line of a Security Operations Center (SOC), it’s something that you need to take into account, and it’s something that you need to understand is going on, and you need to convey that to the rest of your C-suite,” Brewer said.

Shift the Culture

The study conducted by Vanson Bourne that showed most CISOs would take a pay cut for improved work-life balance also noted that 88% of CISOs are moderately or tremendously stressed in their jobs, and nearly half report that their work stress is having a detrimental effect on their mental health. That study was released before the effects of the pandemic, which have only added to the personal and professional strain for many professionals.

Brewer said CISOs will be more effective in their roles, and likely more motivated to remain in their jobs long-term, if organizations do not saddle them with unreasonable expectations.

“If you pay them the same and just shifted the culture around a little bit to make it better for them, I think you would definitely get a return on investment from that,” Brewer said, later adding, “We need a cultural change. We need a shift to happen.”

Take the Next Step to Reduce CISO Burnout

Using an enterprise solution to measure and mitigate cybersecurity risk is one practical way to reduce CISO burnout. ISACA’s CMMI® Cybermaturity Platform equips large corporations and government entities worldwide to measure, assess, report on and improve cyber resilience, aligned with global industry standards including NIST.