Checking in – addressing the mental health challenges of the CISO
The Chief Information Security Officer (CISO) is often championed as a bulletproof superhero, effectively shielding their organisations from an ever-widening array of sophisticated cyber threats and attacks.
This is reflected in ClubCISO’s latest Information Security Maturity report, with 88 per cent of surveyed CISOs indicating that their existing security capabilities held up well over the course of the pandemic. That’s despite an unprecedented increase in the number and sophistication of cyber-attacks in the past year, which have caused widespread damage to some of the world’s biggest organisations.
However, while we all know that CISOs are some of the most resilient people that businesses have, their fortitude can’t come at the expense of their mental health.
According to the latest ClubCISO report, a considerable portion of CISOs (22 per cent) say that the stress of their jobs affects their performance or is unbearable. This trend has sharpened over the last 12 months, with pandemic-fuelled disruption adding to CISO workloads across the board.
The good news is that there are a few things that CISOs can do to alleviate their stress levels. The first step to addressing this trend is recognising its existence and it’s important – for both CISO wellbeing and business performance – that organisations provide adequate support.
Breaking down the causes of CISO stress
While the CISO’s role is challenging at the best of times, it’s clear that the pandemic has certainly exacerbated things. Our report reveals that stress has gotten worse for 64 per cent of CISOs over the last 12 months, with 21 per cent saying this increase has been “significant”.
As Helen Patton, advisory CISO of Cisco Secure and former CISO at Ohio State University, said at an RSA Conference recently, “When COVID first hit, we jumped in like ‘we do insecurity all the time.’
“We went into firefight mode, and we’re good at it, and we practice it. We’re hitting the cadence of this going on for so long. You can feel the stress; you can feel the overworked-ness.”
According to the ClubCISO report, the top three causes of stress for CISOs are:
- Security team skills and resourcing
- Challenging stakeholders
- Inter-function relationships
It’s not surprising to see skills as a major pain point for CISOs, as the already difficult task of securing cyber security talent has gotten even harder over the COVID period.
However, CISOs shouldn’t be put off, as they can use some out-of-the-box thinking to lure talent to their organisations. This includes focusing on aptitude as a number one consideration for cyber talent and leaning on vendors for some additional support.
They should also look outside traditional recruitment channels. Our data suggests 20 per cent of CISOs say their best recruits came from non-infosec sources, with 18 per cent indicating success in putting in apprentices.
The other two major causes of stress are related to stakeholder and team-based communication and relationships. CISOs would benefit here by broadening their business and communication skills, which was also a big theme of the ClubCISO report.
By becoming more engaged with business objectives, thinking more strategically, and building relationships outside of the IT team, CISOs can start having more productive conversations across the business, and take pressure off their own teams.
It’s interesting to note that “security incidents” and “threat landscape” rank quite low (6th and 8th respectively) by comparison to other causes of stress, further demonstrating the stressful nature of the ‘non-IT’ elements of their jobs.
Engaging with the wider security community
Addressing CISO stress will be crucial going forward, with 10 per cent of CISOs indicating they left their last job due to its impact on their mental health.
Part of achieving this will involve fostering a culture that champions security throughout the organisation, demonstrating the value that the function has for the wider organisation. Thankfully, this is an area that we’re getting better at.
Our report found that 60 per cent of CISOs say their organisations have a positive security culture, representing a significant increase from 45 per cent in 2020.
However, another way for CISOs to alleviate their stress levels is to make sure they’re constantly engaging in open communication, both with their teams, and the wider security community.
Collaboration has historically been an issue within the cyber community, as we’ve always been eager to keep our ‘secrets’ close to our chest. This needs to change going forward, especially considering our cyber adversaries are collaborating like never before.
Through mediums like ClubCISO, security executives can have open and honest conversations with their contemporaries, swapping best practices and confessing pain points.
This can be a huge help for overworked and stressed CISOs, especially as the role shifts and evolves beyond the realms of IT and becomes more business focused.
To learn more about how CISOs are handling pandemic-related uncertainty and the stresses that go along with that, download the 2021 ClubCISO Information Security report here.