In a follow up to Dan Roberts' State of the CISO article, leading CISOs share their insights and strategies for addressing the greatest challenges they face today.
Cybersecurity is a high-stakes job that puts people under enormous pressure to perform, and that’s particularly true at the leadership level. Amid escalating risks, a changing regulatory environment, concerns about personal liability and the need to balance risk exposure and innovation, the cyber agenda grows more complex and demanding by the day. The daily stresses of cyberleadership are compounded by a tight labor market that has companies scrambling to find, develop and keep cybersecurity talent.
By Dan Roberts
In 2022, Heidrick & Struggles added a question to their Global CISO Survey to assess the most significant personal risks CISOs face in their role. The top risks might surprise you — unless you are a CISO. The survey found that stress (59%) and burnout (48%) surpassed the fear of job loss due to a breach (25%) and feeling underpaid (21%). Gartner recently predicted that nearly half of cybersecurity leaders will change jobs by 2025, with a quarter of them moving to different roles entirely due to multiple work-related stressors.
When CISOs are experiencing burnout, it’s likely that their teams are, too. In fact, the latest Cybersecurity Workforce Study by (ISC)2 found high stress and burnout levels among all cybersecurity professionals, with 70% saying they feel overworked.
“Security professionals wake up every day with the mindset to protect their organizations,” as Barry Hensley, CSO at Brown & Brown Insurance, says. “And that means the nature of the business is stressful.”
With consequences ranging from cyber fatigue and increased human errors to talent retention and staffing issues, burnout is rapidly becoming its own threat to an organization’s cybersecurity efforts. I recently spoke with a number of distinguished CISOs about the underlying factors behind widespread burnout in the field and how those issues are affecting enterprise risk, leadership and engagement. They also shared some strategies for changing the culture around overwork and empowering people to navigate the demands of the job with greater confidence, resilience and purpose.
Overlooked Cybersecurity Leadership Skills
In discussions about burnout, many cyber leaders describe frustrations that, at first glance, seem out of their control. For example, as organizations transition out of the pandemic era and launch a new slate of technology initiatives, the cybersecurity agenda keeps growing. Yet many cyber leaders find themselves stuck in reactive mode, dealing with unrealistic expectations, budget constraints, a lack of business alignment and other factors that complicate their job even further.
Cybersecurity teams have the technical expertise as well as their finger on the pulse of the changing threat landscape. All too often, though, they’re not involved in the discussions upfront, which inevitably results in more work on the backend. Leaders are left with little time to focus on strategic issues, further reinforcing this reactive cycle. It’s no wonder CISOs say one of the top issues keeping them up at night is a frustration over not being consulted on business decisions.
While organizations need to reframe the role of cyber leadership as a fundamental business enabler, the CISOs I spoke with believe many of the leaders themselves aren’t equipped with the confidence and leadership skillset to manage these situations more productively and move cybersecurity up the value chain.
It’s not just about staying up to date on risk, regulatory issues and evolving threats, they point out. To change the narrative — to get invited to the first meeting as opposed to the fifth — cybersecurity leaders need to hone their human-centered skills. That includes areas like leadership presence, emotional intelligence, team-building skills, the ability to influence without direct power and the ability to communicate the right message to each audience, in addition to business acumen, change leadership and high-pressure problem solving.
“Many cybersecurity leaders today lack the storytelling skills to effectively communicate to their boards, executive team and IT partners. That skill gap creates a confidence gap that exacerbates burnout,” says Andrew Wilder, former Vice President and Global CISO at Hillenbrand.
Matt Modica, Vice President and CISO for BJC Healthcare, agrees that a deficit in communication and influencing skills is adding to the stress of the job, particularly as cyber leaders strive to shape decisions early on so they can avoid having to put out fires after the fact.
“I believe that a good portion of the burnout is due to the inability of many cybersecurity professionals to articulate the risk to the business and tangible, practical methods to reduce that risk,” he says. “It can be frustrating knowing that a seemingly simple action could be taken to reduce cyber risk only to be shut down because of the way you articulated the risk or the action needed to mitigate it.”
Ultimately, he says, these situations lead to burnout not just at the leadership level but also among the entire team as cybersecurity professionals lose faith in the organization’s willingness to do the right thing. As morale plummets and turnover escalates, the cycle of burnout only gets worse.
“You add on top of that the stress of the demands of the role plus the increasing move by regulators to impose fines and charges on the ‘victim’ of the crime in cybersecurity, and you have a situation where any little thing could be the last straw and cause complete burnout or even a break,” says Patrick Benoit, CISO at Brinks Global. “Enhancing skills will help, and it will reduce the stress of leading people, teams and programs, giving you more capacity to handle the rest, which is likely outside of your control.”
The fact that these skill gaps exist isn’t surprising when you consider that fewer than one quarter of cyber leaders have previous management experience, according to a survey by Lightcast.
As United Airlines CISO Deneen DeFiore noted in a recent episode of the Tech Whisperers podcast, “It’s great that a lot of us come with domain expertise and that gets you to a point, but you have to work on developing trusted relationships and being able to tell the story around what the issues are and what the risks are in a relatable, natural language way.”
Mitigating the Burnout Risk
If it seems like developing new skills is just adding one more thing to an already overflowing plate, these CISOs say it’s a necessary preventative step that will pay off many times over. By investing in the core interpersonal leadership skills on the front end, you’re better prepared to avoid the frustrations and negative consequences down the road.
It’s especially important when you consider that a cybersecurity leader’s behavior sets the tone for everyone else on the team.
“The most important thing you can do as a leader is create a supportive, positive command climate,” says Hensley, who served as a battalion commander in Iraq. “Maintain an optimistic attitude. It’s contagious. And never shoot the messenger. The first time you have an incident, and your strongest reaction is ‘what can we learn from this,’ you take a lot of pressure off the troops.”
But you have to decide that developing your leadership skills is a priority.
“Many people say, I would have done that, but I didn't have time,” Wilder observes. “You always have time. Your time is allocated to what you prioritize. It is critical to prioritize a healthy work-life balance. Otherwise, you will burn out.”
There are a variety of techniques and tactics cyber leaders can employ to combat these personal risks, for themselves and their teams. Part of it is coming to terms with not just external pressures but the pressures we put on ourselves — and recognizing you can only control what you can control.
“I tie my psychological state to my own performance metrics and not my boss’s metrics for me, because I am competing against myself to be the best that I can be,” says Gary Chan, System VP & CISO at SSM Health Integrated Health Technologies. “Achieving my own metrics allows me to maintain a positive psychological state. Of course, if I can’t meet my boss’s metrics for me even if I meet my own metrics, it may be time for me to move on to another place — but I would feel fine about it.”
Benoit makes it a point to be fully present in whatever it is he’s doing, and that includes time away from work. It’s how he’s able to recharge his batteries so that he can continue to bring energy to his role and energize his people.
“The best stress management technique is being present with a focus outside of the job to keep you fresh,” he says. “If I am working, then I am paying attention to what I can do to get the job done. If I am not at work, then I am focused on the other 90% of my life that is important.”
To be able to completely disconnect and recharge, Hensley adds that leaders have to “build an operating system that can function successfully without their day-to-day involvement.”
These strategies not only help alleviate your own stress, they make you a better leader by giving you the space to focus more clearly on what your team needs. Wilder notes, “My role as a leader is to protect my team from external demands to allow them to succeed. I am a strong believer that we can only do a few things very well. So our goal is to focus on doing those few things well and cutting out the noise that comes at us from outside of the team.”
Hensley encourages leaders to adopt a variety of strategies to strengthen the resilience of their teams, noting that people perform their best when they have a healthy work-life balance.
“Make sure security positions have a ‘battle buddy’ who not only shares the load but also provides comfort that ‘you are not in this fight alone,’” he offers. “Then you’ll have the flexibility to provide teammates an opportunity to get out of the trenches from time to time, whether to do professional development or take time off with family.”
Again, it’s a choice that you have to make — to be present in the moment, prioritize with intention, and control what you can control.
Navigating Outsized Expectations
Given a plethora of factors, the expectations being placed upon the CISO and their teams have become unrealistic, which, along with a lack of support, has become a major source of stress and burnout. The question is, how do you manage these unrealistic expectations and gain the support you need to achieve critical organizational goals?
“To me, it’s all about risk reduction and an organization’s risk tolerance,” Modica says. “I will repeatedly remind both my team and the organization’s management team that it is unrealistic that we will resolve 100% of all cyber-related issues. Instead, we must have a risk-based approach to understand what are the highest risks to the business and focus our energy on what we can realistically mitigate. The remaining risk should be transferred through insurance, alternate business processes or accepted by the management team.”
Benoit echoes the point, adding that you have to be willing and capable of having that conversation.
“The best way to manage unrealistic expectations is with real talk about what expectations should be set. Unrealistic expectations result from a lack of or poor communications. Tell an authentic story about what can be done. Don’t waffle or hedge. Be real.”
Pioneer Natural Resources CISO Charles Osborn adds that there are a number of practical steps cyber leaders can take with their own teams to better manage the expectations and the associated stressors.
“Help the team reframe success within what is achievable based on the investment and risk tolerance of the company. Encourage the team to recognize after-hours threats that do not require after-hour responses. Invite them into a conversation to discuss the hard things, as sometimes a chance to be heard is enough.”
All of this reinforces the importance of developing those critical leadership skills and a business-first mindset. “We also need to tell the story in a way that helps those not as close to the discipline understand unrealistic expectations and think through art-of-the-possible approaches,” he says.
Modica agrees. “It’s on the CISO to ensure that there is a constant drumbeat of communication that while we will mitigate everything we can, there will always be residual risk; no security program can be perfect. We have to choose the most important things to protect against and take calculated risks on those we cannot.”
Overall, it’s about building trust, as Chan puts it. And if you can broaden your spheres of influence, it will make these conversations that much easier and more impactful.
“Consistently reinforcing that you are seen as a leader in industry — by speaking at conferences and publishing papers, for example — makes it a lot easier to speak with authority and guide others within the organization on appropriate expectations to have,” Chan says. “After all, if people at other companies are regularly quoting your work, shouldn’t your ideas be welcomed by your organization, too?”
Connecting People Back to Purpose
When she was writing the book “Impact Players,” researcher and bestselling author Liz Wiseman found that burnout is often caused because people don’t believe their work is making an impact. When people understand the “why” behind what they’re doing and the tangible difference they’re making, it not only motivates them to achieve more, it releases more energy and engagement. The work becomes more meaningful and personal.
Time and again, we see that the best leaders help their people connect their work to the mission of the company and the impact they are having. Chan uses a methodology he created called the “Goals Framework” to help team members tie their technical work to outcomes like end user impact. “It helps my team maintain perspective of why they are doing what they are doing by consistently following a standard process whereby this is discussed and reinforced.”
Modica makes a point to highlight those “mission moments” in meetings and daily huddles to reinforce how their organization’s work affects the lives of patients and their families as well as BJC Healthcare’s employees and the community.
Because those discussions are where the mission and impact really come to life, Wilder says, “It is important to reiterate it regularly and to ask people how they would describe it and what they are doing to contribute to the vision of the team and the overall organization.” This includes celebrating the step changes along the way, which is how Benoit emphasizes to his team that “the smallest tasks matter.”
In addition to connecting their impact and value to operations and safety, Osborn says his team is working to better measure the threat landscape and their ability to mitigate risk. “In some aspects,” he says, “gamification creates the sense that effort each day is winning the mission.”
The mantra that guides all of these strategies is simple: “Start with the why — why we do what we do,” as Hensley says. “One of my mentors always said that the purpose of a security team is to ‘ruin a hacker’s day every day’ so we can make the organization safer.”
A Threat That Can No Longer Be Ignored
Stress and burnout have become inextricably linked with the cybersecurity profession, and it’s a pattern that simply isn’t sustainable. Businesses are dependent on technology, and artificial intelligence and machine learning will continue to play a larger role. If the burnout issue isn’t addressed, we stand to lose too many talented people while leaving our organizations increasingly vulnerable to compliance issues, breaches and malicious attacks.
It’s business and it’s personal, as Wilder points out.
“I know a number of global CISOs who had significant health problems after running at 110% for years,” he says. “When you look back on your life, you will remember the time that you spent with your family and friends, not the extra hours you put in at the office. And we need to protect our team from this as well.”
If we don’t, the consequences will be as serious as any other looming threat on the horizon. Osborn puts it plainly:
“We will not develop the cyber capabilities the country requires if the talent we need leaves the profession. We have to offer our teams a work-life balance and rewarding work that gets them excited to come back each day. Otherwise, attrition could become the single greatest asset of our adversaries.”