It’s no big surprise that overseeing and maintaining a company’s information security program comes with stress. CISOs are generally resilient characters, but everyone has their tipping point, and excess stress is becoming more common in the CISO position. This article takes a look at why CISO stress is on the rise, the impacts of this stress on organizations’ security postures and why outsourcing might provide the ideal answer to the problem.
Modern science defines stress as physical and/or mental tension or strain resulting from a challenge or threat. In prompting people to deal with challenges or threats, stress is not an inherently bad thing (especially for CISOs who want to prevent breaches). However, stress becomes harmful when it’s chronic, constant and overwhelming.
To get some perspective on the extent of CISO stress, it’s worth taking a look at some statistics that portray the current levels of stress in this position:
Now, why might CISO stress be on the rise?
Lacking the depth of resources required to keep out adversaries, CISOs face a constant uphill struggle. It can feel overwhelming trying to constantly plug security gaps with insufficient skilled personnel available to assist with the important tasks. Not only is it hard to find the right hires, but it’s also difficult to retain talent in a competitive market where new job offers inundate the best talent.
As highlighted in our CISO Research on Challenges and Buying Trends, attracting and retaining highly skilled and better-trained cybersecurity professionals is the second most significant challenge CISOs face. From vulnerability management to security operations, these shortages make the job of implementing an effective security program that much harder. The worry is detecting an attack when it’s too late, and valuable data has already been exfiltrated.
As hacking tools become more easily available, underground services proliferate on the dark web, and cybercrime continues to prove profitable, making the threat landscape harder to cope with. Cybercrime is more accessible and widespread than ever, with companies facing an influx of attacks ranging from the basic to the complex every week.
There is also the high stakes cost of a data breach to consider. Data privacy regulations come with hefty punishments and reputational impacts. More states are starting to recognize the importance of protecting customer privacy, and a slew of new laws are coming into force that resemble California’s flagship data privacy laws (CCPA and CPRA).
Modern threat actors focus much of their efforts on precisely this valuable data because they know how valuable it is and how costly a breach is to targets. The result is often constant worry and associated stress among CISOs about potential breaches and the regulatory consequences.
There is often a contrast in expectations about what CISOs should bring to an organization. In taking responsibility for implementing a company’s security program, the CISO position is obviously pivotal in improving security. But the misconception is that it’s the CISO’s job to make their company 100% secure – and that 100% security is even feasible.
These unreasonable expectations go alongside a lack of understanding at even the executive level. The perceived responsibilities of the CISO in striving for 100% protection against breaches are not realistic, and the misunderstanding here can drive excess stress. CISOs may believe their jobs will become untenable in the event of any breach, which is not conducive to minimizing stress.
Multiple studies show that excess stress leads to bad decisions. This is a really important point from the perspective of an organization’s cybersecurity defenses. In an executive-level position, it’s consistent, high-quality decision-making that often stands out as what differentiates those who succeed. When CISO decision quality suffers due to stress, the risk profile changes, and companies are more likely to suffer from the impacts of lower-quality decisions.
However, it’s also the case that burnout and a dearth of sufficient resources results in lower time spent on those more important strategic decisions. Instead, stressed CISOs take on more of the burden of daily tactical decisions. The big-picture decisions then often either get neglected or not enough thought goes into them.
It’s important to also mention the personal impact of excess stress. Physically, fatigue is a big problem. Stress can also impact one’s private life, whether due to missing important family events or not being able to relax (or even take a vacation). All of these personal impacts also get felt in the functioning of a security program. Well-rested CISOs with a degree of work-life balance are more likely to get the big decisions right.
There are several possible ways to reduce CISO stress, from realigning expectations about their roles to improving end user training and awareness. Outsourcing, though, might provide one of the most effective stress reduction methods. Given the challenges of hiring and retaining security talent, turning to managed security services can provide CISOs with the resources they need, in a scalable and cost-effective manner.
Nuspire’s range of managed security services can ease the burden on your CISO. Managed detection and response helps thwart attacks on endpoints, networks and in the cloud; managed gateway provides expert and customized network protection; and a range of cybersecurity consulting services provide guidance to help improve decision-making.