Corporate security
Heavy workloads and the specter of personal responsibility for incidents put a strain on safety leaders, so much so that many of them are looking for a way out. What does this mean for enterprise cyber defenses?
08 February 2024
•
,
5 minutes. Light
Cybersecurity is finally becoming a board-level issue. This is as it should be, given the increasingly important role that cyber risk management plays in strategic decision making. Cyber risk is basically a fundamental business risk that can potentially make or break an organization. This is certainly the thinking behind the new regulatory rules in the United States.
But recognizing its importance, boards of directors and regulators are also putting more pressure on CISOs, without necessarily providing them with adequate recognition and reward. The result: increased stress, burnout and dissatisfaction. Three-quarters (75%) of CISOs are believed to be open to change, up eight percentage points from a year ago. And 64% are satisfied with their role, down 10%.
These challenges have serious implications for cybersecurity within organizations. Addressing them should be an urgent priority.
An increasingly stressful role
CISOs have always had a stressful job. Among the drivers recently there are:
- Increasing cyber threat levels, leaving many organizations in constant firefighting mode
- Industry skills shortage leaving key teams understaffed
- Excessive workload due to increasing demands on the board of directors
- Lack of adequate resources and funding
- Workload that forces CISOs to work long hours and cancel vacations
- Digital transformation, which continues to expand the enterprise cyber attack surface
- Compliance requirements that continue to grow with each passing year
Not surprisingly, a quarter (24%) of global IT and security leaders admitted to self-medicating to relieve stress. Increasing levels of stress not only increase the likelihood of burnout and/or early retirement, but could lead to poor decision-making (as observed by this study, for example), as well as impacting cognitive abilities and the ability to think rationally. In fact, it has been suggested that even the anticipation of a stressful day can impact cognition. About two-thirds (65%) of CISOs admit that work-related stress has affected their ability to do their job.
Scrutiny puts additional pressure on the CISO
Added to this underlying stress is additional regulatory, legal and board scrutiny in recent months. Three recent events are instructive:
- May 2023: Uber’s former CSO Joe Sullivan was sentenced to three years’ probation after being found guilty of two felonies related to his role in an attempted cover-up of a 2016 mega breach. Supporters say scapegoating was then-CEO Travis Kalanick and Uber’s in-house lawyer Craig Clark, with Sullivan explaining that Kalanick had signed off on his controversial $100,000 payment to the hackers.
- October 2023: At first, the SEC accused SolarWinds CISO Timothy Brown of downplaying or failing to disclose cyber risk by overstating the company’s security practices. The complaint relates to several internal comments made by Brown and alleges that he failed to resolve or raise these serious concerns within the company.
- December 2023: The SEC’s new reporting rules take effect, requiring publicly traded companies to report “material” cyber incidents within four business days of determining materiality. Companies will also have to annually describe their processes for assessing, identifying and managing the risk and impact of any incidents. And they will need to detail the board’s oversight of cyber risk and its experience in assessing and managing that risk.
It is not just in the United States that regulatory oversight is developing. The new NIS2 Directive, which will be transposed into the legislation of EU Member States by October 2024, places direct responsibility on the board of directors for approving cyber risk management measures and overseeing their implementation. Members of the management team can also be held personally liable if found negligent in the event of serious accidents.
According to analyst Jon Oltsik of Enterprise Strategy Group (EST), the increasing pressure that such initiatives are placing on CISOs is making their core job of responding to threats and managing cyber risk more challenging. A recent ESG study reveals that tasks such as collaborating with the board of directors, overseeing regulatory compliance and managing a budget are transforming the CISO’s role from technical to business-oriented. At the same time, the growing reliance on IT to fuel digital transformation and business success has become overwhelming. The survey states that 65% of CISOs have considered leaving their role due to stress.
Takeaway for CISOs and boards
The bottom line is that if CISOs are struggling to cope with their workload and in fear of regulatory retaliation and even criminal liability for their actions, they are likely to make worse day-to-day decisions. Many may even abandon the sector. This would have an extremely negative impact on an industry already struggling with skills shortages.
But this doesn’t have to be the case. There are things both boards and their CISOs can do to alleviate the situation. It is in both of our interests to find a solution. Consider the following:
- Boards should evaluate the mental health, workload, resources and reporting structures of CISOs to optimize their effectiveness. High churn rates can lead to long gaps without a full-time CISO, which demotivates teams and impacts security strategy.
- Boards should compensate their CISOs in line with the elevated risk their role now entails.
- Regular board and CISO involvement is essential, with direct reporting lines to the CEO where possible. This will help improve communication between the two and elevate the position of the CISO in line with their responsibilities.
- Boards should provide their CISOs with directors and officers (D&O) insurance to protect them from serious risks.
- CISOs should stick to the industry they love and take on more responsibility rather than running away from it. But they must also remember that their role is to advise and provide context to the board. Let others make the important choices.
- CISOs should always prioritize transparency and openness, especially towards regulators.
- CISOs should be aware of what is circulating internally and ensure that controversial decisions or requests from executives are always recorded in writing.
When finding a new role, CISOs should hire a personal attorney to review their potential contract in detail.
To optimize cybersecurity strategy, boards should start by reevaluating what they want the CISO’s role to be. The next step is to ensure that the cybersecurity professional in that role has enough support and enough reward to want to stay there.