Chief Information Security Officers (CISOs) are increasingly suffering from pronounced physical or mental health issues due to stress, a new survey warned today.
The report, “Life Inside the Perimeter: Understanding the Modern CISO”, was commissioned by cybersecurity company Nominet.
It was based on interviews with 408 CISOs around the world.
Among its key findings: A quarter of CISOs worldwide suffer from physical or mental health issues due to stress, with just under one-in-five turning to alcohol or medication, and more than half failing to switch off from their work.
Almost a third fear for their jobs, as cyberattacks continue to threaten their organisations, while other board members don’t recognise the inevitability of an attack.
The report comes after the equivalent of 291 records was stolen or exposed every single second in 2018, according to Gemalto.
CISO Stress: More Resource the Answer?
Over half feel that they don’t have the budget or resources to deal with the growing threat landscape, and already struggle to spot existing vulnerabilities.
(Despite awareness about the pervasiveness of cyber threats, 60 percent of CISOs questioned admitted to having found malware on their infrastructure which had been there for an unknown period of time. The average length of time for discovery was 14 days, plenty of time for data to be exfiltrated and sold on or exploited.)
Russell Haworth, CEO, Nominet said: “It’s no surprise that CISOs are facing burnout. Many lack support from within their organisations, and senior business leaders need to face the facts: the threats are real, and CISOs need to be given the resources and support to tackle them. If not, the board must face the consequences.”
“The risk is not only personal to a CISO, but a business’ hard-won reputation. The growing economic cost is also a worrying trend – a recent report put the cost of global cybercrime at $600 billion in 2017, with that cost likely to rise in the future. We must all work harder, and cooperatively, to mitigate potential losses by having the right strategy, tools and resource in place to prevent breaches in the first place.”
Broad Responsibilities
As Gary Hayslip, CISO for Webroot, puts it in a recent piece for Forbes: “The position of CISO also comes with authority that covers a wide swath of technology, policy and procedures. CISOs are given the authority to build and manage a security stack, aligning its technologies with core policies that support the business.”
“CISOs are also given the authority to train their staff and employees to view cybersecurity as a fundamental business practice. They have the authority to select vendors who meet their requirements, build an incident response program and support business continuity. Coupled with this authority is accountability. A CISO’s actions will impact their business, whether for good or ill.”
Dr Dimitrios Tsivrikos, a business psychologist and lecturer at University College London, says: “It is of paramount importance that we address organisational stress and extra emphasis ought to be paid to CISOs. As a group of employees, they are faced with overwhelming pressure. Errors in their judgment, caused by excessive work-related stress, can indeed have detrimental effects upon business and personal data.”
Dr Tsivrikos continues: “In addition, individuals who are stressed at work are oftentimes not living their best lives privately, either.”