Tasked with protecting all but their own health, nearly 1 in 5 CISOs turn to alcohol or medication to cope with stress.

We sometimes forget to think about people in machine-dominated sectors. This is unfortunately exacerbated among cyber security professionals who, constantly facing emergencies, place concerns for individuals’ well-being second to their capacity to respond to a threat. And there are many, many threats to respond to. But living on an adrenaline loop is unsustainable in the long run, as CISOs are learning the hard way.

Life Inside the Perimeter: Understanding the Modern CISO, a new study commissioned by Nominet, examines the external and internal pressures a modern CISO faces and how their personal and professional lives are being affected as a result. The study surveyed 408 CISOs in the UK and US, each overseeing the cyber security of businesses with an average of 9,000 employees. The results point to alarming trends: a quarter of worldwide CISOs suffer from physical or mental health issues due to work-related stress, with just under one-in-five turning to alcohol or medication to cope.

91% of CISOs say they suffer moderate or high stress, over a quarter say stress is impacting their mental or physical health, and 17% admitted turning to alcohol or medication to deal with it.

Meanwhile, almost one-in-five (18%) believe their board members are indifferent to the security team or see them as an inconvenience, and only half (52%) of CISOs feel that executive teams value them from a revenue and brand protection standpoint.

This lack of engagement is troubling because superiors often don’t understand the inevitability of breaches, leaving almost a third of CISOs fearing for their jobs as cyber-attacks continue to increase and threaten their organisations.

Also worrisome is that more than half of CISOs don’t feel as though they have enough budget or resources to deal with the growing threat landscape as they struggle to spot existing vulnerabilities within their business.

In tune with the digital era, social media memes that use humour to communicate anxiety problems constantly refer to the deprivations CISOs face as they struggle to make do with few resources under enormous pressure.

Dr Dimitrios Tsivrikos, business psychologist and lecturer at University College London, says “it is of paramount importance that we address organisational stress, and emphasis ought to be paid to CISOs. As a group of employees, they are faced with overwhelming pressure. Errors in judgment, caused by excessive work-related stress, can indeed have detrimental effects upon business and personal data.”

Russell Haworth, CEO at Nominet, isn’t surprised that CISOs are facing burnout. “Many lack support from within their organisations, and senior business leaders need to face the facts: the threats are real, and CISOs need to be given the resources and support to tackle them. If not, the board must face the consequences,” he warns.

CISOs are disaster managers. As such, this position will probably always entail some level of stress. But perhaps, just as the cyber security industry is still defining itself, the roles within it might be too. Is it wishful thinking to strive for working in security without taking the industry’s stress-related harm for granted?

It might sound utopian now, in the midst of cyber security’s skills gap and workforce shortage crisis, to think of better working hours and larger teams to share the pressures and challenges of work with. But it is possible to aim for improvement from where we stand – such as through the promotion of open dialogue to help normalise conversations about mental health in the workplace. Addressing the problems of this industry entails understanding how they affect its people. From there, we can begin to construct better relationships and build a working culture that allows space for a better quality of life.

Unfortunately, certificates and diplomas don’t provide coping mechanisms for getting through the field immune to its stressful environment. But although it is easier said than done, CISOs must remember that they need caring for too, before mind and body outages end up crippling their capacity to protect their businesses.

Written by Paula Magal for CS4CA Europe, the annual Cyber Security for Critical Assets Summit taking place in London, October 1st – 2nd 2019. Stay tuned for more content like this by subscribing to the event’s newsletter at: www.cs4ca.com/qg-community-newsletter/