Cyber Stress: The growing threat facing CISOs


With their organization’s security resting on their shoulders, CISOs have always worked within a high-pressure, fast-paced environment. However, the world shifted gears in 2020 and now this fast-paced environment is turning toxic, causing CISOs’ mental wellbeing to suffer. The pandemic accelerated many organizations’ digital transformation plans, which resulted in years’ worth of IT innovation being crammed into a few months, causing increased internal pressure for all those working within IT.

About the author

John Donovan, CISO at Malwarebytes.

Further, cybercriminals took advantage of global uncertainty and doubled down on their efforts to infiltrate corporate networks, creating increased external pressure. Compounding both these external and internal pressures was the mental duress of being a key worker during a global pandemic.

The changing work conditions have resulted in many security professionals burning out. Burnout can lead to a number of issues from reduced productivity to seeking new roles, all of which are more critical issues than ever. To combat this, businesses need to focus on the mental wellbeing of their CISOs (and extended staff) by understanding the resources they need, addressing skills shortages, instilling strong cultural beliefs, implementing the necessary technology and providing initiatives to help nurture mental wellbeing. Otherwise, not only will the mental wellbeing of CISOs suffer but so too will the security posture of the organization itself.

1. Provide the necessary resources

For CISOs to tackle their workload effectively they need the appropriate resources. Business leaders need to work with security teams to make sure their business needs are catered for. Studies indicate that security budgets are actually increasing, which is the perfect opportunity for businesses to have an open dialogue with their security leaders. It is critical to understand the issues the teams are facing and how the budget can be appropriately allocated to help alleviate these pressures, both on a daily basis and during busier time periods.

Indeed, a CIISec survey found that funding gaps are usually seen during busy periods and holidays, with nearly two-thirds of IT security professionals (64%) claiming that their businesses expect them to simply cope with the high demands when necessary. Alarmingly, over half (51%) confessed to overlooking routine or non-critical tasks during these busier times.

Moreover, the digital transformation during the pandemic resulted in more assets (cloud servers, SaaS apps, remote working endpoints etc.) requiring protection against security threats and increased business demands placed on cybersecurity professionals.

To help solve this problem, companies need to ensure they are listening to their IT teams to provide them with the tools that they need, such as enhanced threat detection and response tools which use machine learning. These can be a key enabler in reducing the overall workload by helping organizations prioritize and minimize alerts.

2. Mitigate the effects of skills shortages

The cybersecurity industry has famously been facing a global skills shortage crisis. According to a 2021 report, almost 6 in 10 cybersecurity firms (57%) had at least one vacancy that they considered to be hard to fill. This isn’t surprising when you consider the immense pressure security teams are under, often without a lot of internal reward from the wider organization. Further, these understaffed teams are handling excessive workloads and extra hours.

60% of cybersecurity professionals struggle to balance their professional and personal life due to working longer than their contracted weekly hours, which can be a major factor contributing to stress levels. Unfortunately, there is a reason why this skills shortage continues to be an issue, as there is no one easy solution.

However, on a day-to-day level, businesses can make sure they are listening when their teams report times of increased workloads, try to compensate for their time with work benefits or time in lieu, and make a concerted effort with HR to source more security talent. From a technology perspective, automated workflows and improved tooling can also help address the issue of time-poor security professionals.

3. Have an ally at the top

A great source of stress for cybersecurity decision-makers can result from a breakdown in communication between the security team and the executive board. Miscommunications on expectations, workload and company culture can easily make employees feel underappreciated by their companies and make them feel as though resigning is their only option.

Having an ally, someone that has previous experience in cybersecurity, on the board who can fully understand the demands and challenges of the role can be immensely helpful in making IT and security teams feel like they are being heard and understood.

It’s crucial to understand from the outset that security is a transformation enabler. Both the executive board and the security leadership need to listen to each other. Effective communication between security practitioners and the executive board reduces unrealistic expectations placed on security teams while also making sure the investment goes where it is needed the most.

4. Foster positive mental health across the organization

Cybercriminals and nation-state-backed threat actors are continuing to deploy new methods and nefarious tactics to infiltrate networks at an unprecedented rate. Therefore, security teams have to be on constant alert to make sure the adversary is counterbalanced by increasingly sophisticated defenses.

According to the IT accreditation organization CREST, cybersecurity practitioners find high-pressure tasks exciting as well as challenging, while many security leaders are often seen as “adrenaline junkies” who are driven by their potential to make a difference. However, everyone has their limit when it comes to stress. Too much stress can seriously impact performance levels, and many cybercriminals lie in wait for IT teams to make simple mistakes.

Without support from the wider business, these threats can easily change a security practitioner’s mindset from motivated to overwhelmed. Organizations need to remember their compassionate side and ensure they are fostering an environment that is beneficial and nurturing for all employees.

From providing access to stress management and counselling programs, to offering childcare services, flexible working, and employee appreciation schemes, organizations have a duty of care for their employees and should not expect their employees to tackle their stress alone. The less stress on the average employee, the better their interactions with IT and security, reducing stress levels for everyone along the chain.

Improved mental wellbeing delivers benefits across the business

Business leaders need to prioritize the mental wellbeing of their staff, and in particular their security teams. If this is left unchecked, organizations will be faced with not only burnt-out staff but a vulnerable network: problems that won’t go away on their own. By listening to staff and truly understanding the pressures they are facing, organizations will have a better perspective on how to protect the mental health of their security teams, retain valuable talent, and reap the benefits of having consistent and well-supported cybersecurity professionals across the organization.
