CISOs report high levels of stress. Automated tools can help ease the burden, but management can help by prioritizing risks and protecting them from unnecessary paperwork.
If your chief information security officer is looking stressed, they have good reason. They are on 24/7/365 alert against global networks of always-active hackers. They also have to understand and comply with an ever-lengthening list of regulations, and prove that compliance.
It is no wonder that nearly three quarters of CISOs experience burnout, according to a 2023 study of 1,600 cybersecurity leaders conducted by security firm Proofpoint. This is bad not only for the CISO but for their employer, as the CISO either takes their hard-to-replace skills elsewhere or stays and does an inadequate job.
The stresses are real at companies of every size. Here is why I see CISOs getting overwhelmed, how to detect their burnout and, most importantly, how to prevent it.
A CISO’s Sources of Stress
CISOs are struggling to protect a growing number of applications against an ever-increasing number of attacks. That requires them, and their staffs, to monitor and manage ever more security tools. A 2024 survey by security vendor CrowdStrike showed nearly 90 percent of respondents relied on at least three tools to detect and prioritize application vulnerabilities and threats alone. Databases, networks and end-point devices such as PCs may all require additional security tools.
CISOs are also responsible for meeting the requirements of an ever-increasing number of security regulations. These include, in the European Union alone, the NIS2 Directive on cybersecurity, the Digital Operational Resilience Act for fintech players and the Markets in Crypto-Assets Regulation for cryptocurrency. In the US, merchants that process cardholder data must comply with the Payment Card Industry Data Security Standard. If you do business in financial services, you may have to comply with the New York Department of Financial Services cybersecurity regulation.
Proving compliance with these and other rules poses an ever-rising burden. So does the sheer amount of paperwork involved with answering questions and filling out forms from customers and business partners about their security practices.
A little psychology also helps to understand the burnout phenomenon. The best CISOs are those who do not think they are doing a good job. They are always questioning whether they are doing enough, and enough of the right things, to counter the latest threats. This is good if it leads them to appropriately upgrade their security technology and processes. But it can lead to a downward spiral if their worry leads them to launch more security initiatives or deploy more tools than they can effectively manage.
Detecting Burnout: Three Warning Signs
I have found three CISO burnout indicators that should concern CIOs and other management executives:
1. The overfull plate. A good rule of thumb we have found is that a CISO can effectively manage 3-5 major initiatives at once. If their anxiety is leading them to do more than that, there is a risk at least one of those projects will fail and you will see the overwhelmed CISO show signs of burnout.
2. Overlooking critical needs. Another warning sign is when the security initiatives under way fail to include the “must haves.” Today that means initiatives such as zero-trust security, in which every user, application or infrastructure component is considered untrustworthy unless it can prove otherwise; and end-point management, which ensures the proper security and access controls on devices such as PCs, point-of-sale terminals and smartphones.
3. Rising alert levels. Yet another thing to watch is key performance indicators (KPIs) such as the number of alerts from your security monitoring systems. You should see a steady reduction in high- and medium-priority problems. If these numbers are only holding steady, or increasing, it is a warning sign that all the effort your CISO is putting in is not paying off in improved security.
Management’s Role in Reducing CISO Stress
There are technical means to reduce some of the typical CISO stress burden, but the responsibility for retaining talented security executives – and elevating an enterprise’s risk management performance – rests with management.
First, the technical point. AI-enabled security tools can help eliminate some of a CISO’s drudge work by streamlining as many trivial, repetitive cybersecurity tasks as possible. For example, an AI-based application might ask your users whether they have remembered to use a password manager. Usually, we find that while companies have an approved policy for using such tools, around 10 percent of users are not using such tools or are even unaware they exist. Automated tools can spot and fix such discrepancies swiftly, saving time and effort and reducing the workload on the CISO.
But technology is not the most important part of a comprehensive anti-burnout plan. The CIO, who oversees the CISO’s work, has a vital role to play as does senior management in setting priorities for the security leader and the function they manage.
Set business-driven priorities. The most important thing a CIO can do is to proactively relieve some of the pressure on their CISO by focusing them on the most business-critical security risks and relieving them of some of the most onerous reporting work.
Leaders at many companies still think such prioritization is the responsibility of the CIO or CISO. But the CIO and CISO are often too focused on technology to have the in-depth understanding of the business that shows which security risks are most critical and must be addressed before other worthwhile but less urgent issues.
For example, the CEO or board might decide that extending its existing end-point security tools to a newly acquired subsidiary meets more business-critical needs than starting the compliance process for a regulation that won’t go into effect for a year. But the CEO or board must then accept responsibility if their choice proves wrong and results in a security breach, a noncompliance fine or bad publicity. Failing to take the heat will signal to the CISO – or their replacement – that whatever the business managers might say, the CISO will be on the hook for any breaches and must prevent them at any cost, burnout or not.
Streamline security documentation with business partners. Another step boards and CEOs should take is to use their clout to push back against excessive demands for security-related information from customers and business partners. It does not take too many repetitive, 130-point surveys asking the same basic questions about a company’s firewall or patching processes to eat up a CISO’s day and keep them from more important work.
One alternative is to give a customer or partner a standard description of the company’s security policies, offering to answer only the specific questions the document does not cover. This can be a great time and stress saver for the CISO but is a change a CEO can argue for more effectively than a CISO.
Let the C-suite manage crisis communications. Yet another area where boards and CEOs can help is in preparing for, and then handling, the internal and external communications after a security incident. Depending on the scale and severity of the incident, a CISO may be bombarded by dozens or hundreds of questions from everyone from regulators and customers to business partners and the press. If the board or CEO can handle at least some of these inquiries, it can dramatically reduce the stress on a CISO and the likelihood of burnout.
Watching out for the signs of CISO burnout – and stepping in before things get too bad – will both help you keep a valuable member of your team and improve your security.