Under Pressure: Analysis reveals increased stress amongst CISOs

The concept of CISO burnout is not a recent phenomenon. Studies throughout the course of this year in particular have highlighted this concerning trend and prompted thought-provoking discussions.

In this article we run through the potential reasons for the high levels of stress, based on quantitative data and conversations with CISOs, CSOs, BISOs and Heads of Security. Barclay Simpson’s Security practice was established in 2001 and as such we have long-standing relationships with both global and regional security leaders. Our perspective takes into account how the security landscape has changed over the years and how this has affected levels of stress.

As always, feedback and thoughts are valued.

Barclay Simpson is an international recruitment consultancy that specialises in recruiting professionals for the interrelated disciplines of governance, namely Information / Cyber Security, Risk, Resilience, Audit, Compliance, Legal and Treasury.

CISO Stress

The ever-changing threat landscape, coupled with regulatory pressures that can be both legislative and industry specific, has raised security’s profile. We have seen the direct benefits of this over the last few years; they include, but are not limited to:

• Acknowledgment from the board of the need to address internal and external threats to operations, often resulting in an increased security budget.

• High levels of job security on both a permanent and a contract basis.

• A relatively well-paid industry, with only 20% of UK candidates moving for a salary increase (Barclay Simpson 2019 Security Market Report).

• The reduced stigma of security being perceived as a blocker to the business.

Paradoxically, whilst the majority of security candidates enjoy a relatively high level of job security, due in no small part to high-profile breaches, this luxury is not afforded to the CISO.

A study by Nominet found that 37% of UK CISOs believe that, if a sizeable breach occurs, they will likely receive a final warning or lose their jobs. It is understandable that many CISOs feel a great deal of stress in their roles.

Cultural Change

When assisting a business to recruit CISOs, the traits they unfailingly look for are a combination of soft skills and strong technical knowledge. When qualifying a CISO search, we ask: “What challenges is this CISO expected to face?”

In the majority of cases the challenge is in creating cultural change in the approach to security and risk. It is questionable that this weight should be carried solely by the CISO.

Changing the culture of an organisation is a huge and ongoing task, one that cannot be successfully completed by just one person, or one function for that matter. Buy-in from the top down is necessary, with an unwavering resolve for change. The CISO must be supported in this rather than seen as the person solely responsible.

Unreasonable expectations?

“Our job is not to make a firm 100% secure – that’s not possible”

Unrealistic expectations, coupled with a lack of understanding, are common themes when discussing the perceived responsibilities of the CISO.

The misconception that a business should be 100% secure from breaches is akin to striving for perfection: honourable, but not realistic. In many cases, where businesses take a black-and-white approach, it is argued that this has perpetuated the emergence of “The disposable CISO”.

A study by Symantec and Goldsmiths University found that 82% of CISOs experienced burnout and 64% of CISOs admit to considering resigning due to stress. With the average job tenure of CISOs reducing, this can in turn have a negative effect on the business, particularly when it comes to recruiting a replacement; the role can be perceived as a “poisoned chalice” in some cases.

I am confident we will agree that Security can be a close-knit industry, but CIOs and COOs are not often privy to how the Security community perceives their firm, particularly at times of hiring.

BISOs: A solution?

The purpose of a Business Information Security Officer is to integrate security into the main lines of business.

The BISO should be able to analyse the business and operational risks and recommend business improvement actions, as well as creating a solution that delivers the correct amount of security control relative to the value gained from the initiative. Their alignment to the business area will provide them with knowledge specific to that business function and the potential challenges of its deliverables.

This level of strategic delegation has been viewed largely positively by CISOs. The introduction of BISOs has allowed them to focus on higher-level strategic and visionary goals.

We are not, however, suggesting that the BISO function is the sole remedy to the high levels of stress faced by CISOs.

To conclude

The mismatch of expectations between the CISO function and the C-Suite is a common theme in conversations with CISOs, and whilst we cannot hope to cover every stress-contributing factor in great detail, cultural change, risk appetite and hiring challenges were recurring contributing factors. To task the CISO with full accountability for many of these responsibilities is an insurmountable task and arguably falls outside the realms of practicality.

One solution for supporting a CISO in achieving these aims is the creation of a BISO role, to implement and execute security strategy within the business units.

Whilst organisations respond to the regulatory and legislative pressures and ensure adequate measures are in place to safeguard assets, as a solutions provider and recruitment firm we believe a company’s most important assets are its employees.

The CISO function is to support the business in its decision making within the parameters of the risk appetite; let us not forget that the CISO is also to be supported. The increased levels of stress experienced by CISOs must be taken more seriously and addressed in a practical manner.