CISOs Under Stress as Cyberattacks Increase, Study Finds

As the number of cyberattacks around the world increases, and the public grows more aware of what these incidents mean for their personal data, the stress is growing for chief information security officers (CISOs) who are on the front lines.

Right now, nine in 10 CISOs report suffering moderate or high stress because of their job, and 60 percent say they rarely, if ever, disconnect from work because of the responsibility.

Then there are the long hours. Around 88 percent of CISOs report that they are working over 40 hours a week. Another significant group (around 22 percent) believe that they are on-call 24/7.

The accumulated stress of dealing with cybersecurity, and how CISOs are managing it, can be found in a new study released by Nominet, a UK-based security firm, entitled: Life Inside the Perimeter: Understanding the Modern CISO, which questioned 408 CISOs in the U.S. and UK about their jobs and how they handle the responsibility. On average, each CISO in the study was responsible for a company with more than 8,900 employees.

The study also looks at the types of issues CISOs are dealing with inside their companies, especially when it comes to protecting the infrastructure with finite resources and the high expectations of the board of directors.

For instance, about 70 percent of those surveyed reported that they have found malware hidden on their networks, and that this malicious software could have been sitting there for a year or longer. One reason why: A lack of resources and the proper staff to hunt down threats and properly monitor anomalies in the network traffic.

Then there’s the board of directors. While many boards pay lip service to the role security plays in the company, claiming that they value the input of security executives, most CISOs believe that their role is not considered strategic to the organization’s goals. At the same time, 60 percent believe their bosses understand the inevitability of a breach, and a third expect to be fired or disciplined following a massive cyberattack or data loss.

This can create turnover, with only a third of those surveyed believing they will stay in their job three or more years. Terence Jackson, the CISO for Thycotic, a Washington D.C.-based provider of privileged access management (PAM) tools, has seen some of the stress first-hand, especially as the head of security for a cybersecurity firm.

“The stress levels of a CISO can indeed be overwhelming,” Jackson tells Dice in an email. “The constant fear of a breach, continuously evaluating third-party risk, looking for Shadow IT, talent shortages, budget constraints … it never seems to end.”

While the stress and pressure will remain, Jackson believes that executives such as himself need to find an outlet. “My approach to handling the stressors of the job are deeply rooted in my faith and family,” he added. “I also have an accountability group that keeps me focused on work/life rhythm (no such thing as balance in my opinion) and I exercise 3-5 days a week. Although the stressors of this job seem never-ending, we must keep it all in perspective.”

Mukul Kumar, the CISO at Cavirin, which focuses on cybersecurity risk posture and compliance for the enterprise hybrid cloud, noted in an email that the complexity of modern networks, with some corporate data residing in the cloud and other data remaining on-premises, is complicating the role of security executives at a time when expectations are high and budgets are contracting.

He also noted that external issues, such as the recent government shutdown in the U.S., add to the stress. Looking to colleagues for help is one way to gain some perspective.

“Hybrid infrastructures are becoming more complex, especially with multi-cloud deployments, while security budgets are not expected to grow as they have in the past,” Kumar wrote. “The CISO is basically being told that they had free rein with security tool investment, and now it is time to show results. How? The CISO can’t live on an island. He or she has to network with others in his or her respective industry, adopt well-documented best practices and automation, and build a rock-solid cyber posture business case for senior management, drawing on external resources for help.”