Cyberthreats are just one of many stressors for today’s CISOs
Chief Information Security Officers (CISOs) are vital to modern business, charged with securing proprietary data, sensitive customer information, systems, and more. But the role can be difficult, with vague or varied responsibilities contributing to high stress and ultimately burnout.
A 2022 CISO survey found that 18% of security leaders work 25 hours more per week than contracted, and 75% find themselves sometimes unable to switch off from work.1 The heavy workload leads to the biggest personal risks for CISOs globally being stress (59%) and burnout (48%), with those figures being even higher in the U.S.2
Burnout then leads to turnover, causing disruption for organizations when they need to hire and onboard a new CISO. While current turnover rate is about 18% year-on-year,3 Gartner estimates as many as half of cybersecurity leaders will change jobs by 2025, with about a quarter of them moving to different roles entirely due to work-related stress.4
Even if a CISO doesn’t leave, 65% said their ability to protect their organization is compromised due to being overwhelmed, and 100% said they need more help.5 More than three quarters of CISOs said work stress is taking a toll on their health. Organizations must understand the causes of CISO stress to enact positive changes to help their CISOs be more effective and avoid burnout.
Identifying the Causes of CISO Burnout
Several factors have been identified as contributors to CISO stress and burnout, from cyberthreats to a lack of organizational support. While some are out of the control of organizational leadership, others can be addressed through cultural change.
Many organizations underwent rapid digital transformation in 2020 and 2021 as employees transitioned to remote work and IT adopted new virtual or contactless technologies. The rapid changes in IT infrastructure placed a strain on security teams, who needed to protect a much larger than normal attack surface.
Hand-in-hand with new technology was an increase in threats, both internal and external. Ransomware breaches increased by 13% in 2021 over 2020, but 82% of security breaches involved a human element, from stolen credentials and phishing to social engineering and errors.6 As a result, security teams spend up to 600 hours per month investigating and remediating threats caused by human error.7
And while rapid technology changes and the evolving threat landscape make a CISO’s job harder, so can the organization’s culture. A number of CISOs don’t feel supported by the business, often due to a poor security culture within the company. For example, a Gartner survey found that 69% of employees had bypassed their organizations’ cybersecurity guidance in the past 12 months, and 74% said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.8 Employees who bypass security policies create even more work for the CISO and security team, who must now find and fix weaknesses or damage caused by other employees in addition to stopping external threats.
Finally, the lack of clear definition of the CISO’s role can be a challenge. Where the security organization sits, as well as the reporting structure, varies by organization. While the majority of CISOs (78%) now report to either the CIO or CTO, the number of CISOs reporting to the CEO has increased to 12%.9 Functional areas reporting to the CISO can also range from core security tasks to governance, risk, and compliance or business continuity. This creates challenges for a CISO faced with different responsibilities versus their prior role.
“There is currently no consistent description of what a CISO does or much agreement on the archetype of what a CISO should be doing. While the core mission of any CISO is to protect the firm, it has become a complex role evolving over time serving shareholders, clients, customers, the Board, and all of the employees of the organization.”
Craig Froelich, CISO, Bank of America as quoted by Marlin Hawk10
While abundant cyberthreats and an expanding attack surface will always remain a stressor for CISOs, supporting a strong security culture within the organization, along with setting clear expectations and consistent responsibilities, can help CISOs manage their stress levels and avoid burnout.
- Tessian, 1 in 5 Chief Information Security Officers (CISOs) Work More Than 25 Extra Hours Per Week, October 2022.
- Hendrick & Struggles, 2022 Global Chief Information Security Officer (CISO) Survey, September 2022.
- Marlin Hawk, Global Snapshot: The CISO in 2022, December 2022.
- Gartner, Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025, February 2023.
- Cynet, Survey Report 2023: Implications of Stress on CISOs, March 2023.
- VZDBIR
- Tessian, 1 in 5 Chief Information Security Officers (CISOs) Work More Than 25 Extra Hours Per Week, October 2022.
- Gartner, Gartner Predicts Nearly Half of Cybersecurity Leaders Will Change Jobs by 2025, February 2023.
- Marlin Hawk, Global Snapshot: The CISO in 2022, December 2022.
- Ibid.