Syda Productions - stock.adobe.c

How can we adapt work practices to protect CISO mental health?

Cyber leaders are finding it harder to keep up with security requirements than just two years ago, risking a domino effect of dissatisfaction, burnout and eventually, resignation

Today’s CISOs face a rapidly expanding threat landscape. And it’s not only the volume of threats adding mounting pressure to the CISO role. Their increasing sophistication is weighing heavier, with social engineering, ransomware and operational technology (OT) and the internet of things (IoT) cited as three principle attack types keeping CISOs up at night.

According to a recent Splunk report, more than half (53%) of security and IT leaders are finding it harder to keep up with security requirements than just two years ago. Working hours are racking up, with 12 plus hour working days an everyday reality for many CISOs. This can risk leading to a domino effect: dissatisfaction, burnout and eventually, resignation. 78% of CISOs state that workload has led them to consider looking for a new role entirely. Estimations of average tenures vary, but they are notably short, especially when compared to other executive roles – ranging from just 18 months to four-and-a-half years.

An ever-evolving cyber security landscape makes complete elimination of CISO stress impossible. However, there are a list of factors CISOs can consider to alleviate pressure and protect their mental wellbeing: 

Establish a ‘new normal’

86% of CISOs say their role has changed so much since they started out it’s almost a different job entirely.  This doesn’t need to be a negative shift. CISOs should take advantage of this and use it as an opportunity to set standards and demonstrate what ‘normal’ should look like. Redefining the perception that busy isn’t synonymous with being effective will cascade to team members, promoting better wellbeing all round. CISOs should be more empowered about what is deemed as acceptable and try to carve out a more sustainable work-life balance.

Take a secure approach to adopting AI

A third of security teams are already using AI for positive applications.

Investment in technical automation is a worthwhile investment for CISOs themselves, their teams, and their company. AI can help monitor, triage, and prioritise cyber alerts, and suggest methods of addressing specific issues. This frees up valuable human resources, reducing strain and offsetting potential burnout at many levels.

Empower your team and define responsibilities in the C-Suite

Delegation is valuable in freeing up precious CISO time. Investing time and money in training colleagues to take responsibility and deputise in meetings will spread the load, so it’s not CISOs shouldering total responsibility alone.

Upwards management is equally vital. Almost half (47%) of CISOs report directly to their CEO. CISOs should educate them that successful cyberattacks are inevitable and are not a failure of CISO leadership. Judgement should be made on the way attacks are responded to, rather than their existence.

Push for bigger budgets

Businesses and organisations recognise that investment in cyber security defences is non-negotiable, and it’s a sensible idea to increase security budgets in line with wider business growth, any growth in threats, etc.. 93% expect to increase cyber security spending and CISOs should push to make sure, where appropriate, that this translates into action. Bigger budgets will enable bigger investment in resources, whether human or tools, helping better respond to threats, particularly as they grow in volume.

Read more about mental health for IT pros

  • Any ransomware attack causes significant challenges for the victim organisation, but ransomware attacks also have tremendous impact on the staff – especially IT teams – working on mitigating the attack’s effect.
  • Software development methodologies that provide a framework to improve productivity may be inadvertently leading to project delays and stress.
  • A substantial number of cyber security leaders are plotting their great escape, saying the industry is leaving them too stressed to go on, according to a study.

We are at a pivotal moment. Businesses must not ignore the growing pressure mounting on their security teams, much of which is absorbed by the individual(s) at the top – the CISO. A role in cybersecurity can be one of the most exciting out there, but like any role, it is not worth sacrificing personal wellbeing.

As a collective industry, working practices must be adapted to protect and better CISO mental health, with adequate budgets, D&O insurance, resources, and processes in place to support the wellbeing of this group and keep them in a position to do their most critical job.

Mick Baccio is global security advisor, SURGe at Splunk

Read more on Business continuity planning