Company information security officers (CISOs) find themselves saddled with ultimate responsibility for any digital security breach taking place anywhere in the organization. On a bad day, this can mean becoming the corporate scapegoat for a major breach affecting the company’s share price or even its future viability. Given the rapidly-growing number of attack vectors now threatening every organization, this is psychologically unfair on the average CISO.
Any member of staff opening a harmless-looking but weaponized link apparently sent from a trusted friend or colleague can result in a successful ransomware attack, potentially exposing the company’s most confidential data. Most organizations also fail to keep a clear record of the number of contractors they use, leaving them open to increasingly sophisticated supply chain attacks. All of which has resulted in sleepless nights and unparalleled stress levels for many CISOs.
So far, 2023 has seen numerous reports clearly evidencing the high stress level now faced by CISOs. The CISO Stress Report: Life Inside the Perimeter, One Year On, from cybersecurity company Nominet, reported that 88 percent of CISOs consider themselves to be under moderate or high stress. Almost half (48 percent) said that the stress of their jobs had negatively impacted their mental health. According to the report, the stress levels faced by CISOs in the US and the UK have now also begun to impact their families, with 40 percent saying that their stress levels had affected their families and children and 32 percent saying that their stress levels had negatively affected their marriage or romantic relationships.
In addition to the huge impact that these unacceptably high levels of stress are having on CISOs and their families, this untenable situation is also adversely affecting their ability to fulfill their role of protecting the organizations they work for against increasingly effective and well-orchestrated attacks by highly professional international cybercriminal groups and even hostile nation states such as China and North Korea.
Almost half of CISOs will change jobs by 2025
According to Gartner’s report, Predicts 2023: Cybersecurity Industry Focuses on the Human Deal, almost half of all CISOs will change their jobs by 2025 as a result of unsustainable levels of stress stemming from their role.
“The psychological impact of this is profound, directly affecting decision quality and performance of cybersecurity leaders and their teams,” says Gartner.
The unsustainably high rate of CISO turnover results in a very disruptive corporate culture where each incoming CISO inherits the problems of the outgoing CISO and has the additional pressure of spending months researching the organization’s ever-expanding digital network. The incoming CISO is constantly reminded that failing to protect every entry node may result in losing the job and taking several backward steps in what had previously been an otherwise promising career.
The underlying source of the stress stems from cybersecurity being essentially a gambler’s game. No CISO can possibly ensure 100 percent effective cybersecurity and must quickly become accustomed to playing the odds. An employee opening a single unauthorized link or an executive logging onto a hotel wi-fi network can result in a devastating cyber-attack that impacts not only the entire corporation but also, frequently, its partners and customers. These are the kind of odds that are currently causing CISOs sleepless nights and stress-racked days.
According to Nominet, many company boards have still yet to accept the inevitability of being hit by a successful cyber-attack. For several years, it has been a question of ‘when’ and not ‘if’; many senior executives are unaware that they may also have ‘sleeper software’ maliciously installed, constantly copying and siphoning off confidential data such as sensitive customer records and business strategy.
“Nearly a quarter (24%) of CISOs said that their board doesn’t accept that breaches are inevitable. That view is confirmed by C-Suite respondents, with 24% saying they don’t view breaches as inevitable and a further 10% admitting they don’t know,” reports Nominet. And when a breach does occur, as it inevitably must at some stage, CISOs too often find themselves first in the firing line. The C-Suite responses to Nominet’s survey confirm this disconnect between the CISO and the boardroom.
Almost a third (29 percent) of CISOs believe that the executive team would fire the responsible party, which is likewise confirmed by the C-Suite (31 percent). And the message is not lost on CISOs, 20 percent of whom believe they themselves would be fired whether they were responsible or not, a considerable jump from just eight percent last year.
There is no one-stop solution to solving the stress problems faced by today’s CISOs. But the first step must be to educate company boards that cybersecurity is a shared responsibility. Placing the entire onus of a successful cybersecurity breach on the shoulders of a single individual benefits the attackers alone.