Sometimes, being an exec seems like a cushy job. A reward for years of hard work rising through the ranks. Yet being a CISO is far from an easy ride.

According to Nominet research in early 2020, 88% of CISOs reported feeling “moderately or tremendously stressed,” and a CISO’s average tenure was just 26 months due to stress and burnout.

Since that research, we’ve had a global pandemic that has naturally come with its own stresses. With that in mind, we’d wager that infosecurity personnel are now just as stressed as reported in the Nominet study, if not more so.

Chatter about the immense pressures of being an infosec leader is nothing new. But as a recruiter, it’s a concerning prospect. What do these stresses mean for those who are looking to enter the industry? And what does this mean for the massive cybersecurity talent shortage, being felt most acutely in middle to top management positions?

So let’s explore some of the pressures that CISOs face right now, some of the reasons we find that CISOs switch jobs, and just how employers can improve things for infosec executives.

The Current CISO State
of Play

Growing Threats and Not Enough Brains

It’s a situation that the cybersecurity community knows extremely well – cybercrime and digital threats are mounting and showing no signs of slowing down, yet there simply isn’t enough cybersecurity talent to go around.

The number of unfilled cybersecurity jobs worldwide has grown 250% between 2013 and 2021 – from 1 million to 3.5 million – according to figures from Cybersecurity Ventures. Given such immense growth, it’s hard to see how any industry would be able to keep up! This talent gap is largely due to infosecurity’s “newness” as a field; it has quite suddenly become an absolute requirement in business, so available, specialised talent hasn’t been able to keep pace with demand.

But the lack of cyber talent isn’t the only problem CISOs face. The number, complexity, and cost of cyber threats are through the roof. IBM discovered that the average total cost of a data breach in 2022 is at an all time high – USD 4.35 million. SonicWall’s Mid-2022 report noted a 132% rise in encrypted threats and a 77% rise in IoT malware – two very pernicious and tricky threat types to detect and eradicate.

Additionally, a UK government report found that nearly two-fifths (39%) of British businesses identified an attack in 2021; and of those businesses, a massive 83% of them identified phishing as a threat vector. Combating social engineering is hugely problematic as it involves retraining people’s hearts, minds, and habits. No mean feat.

So we’ve got a threat landscape that is growing in size, severity, and complexity; and we have a field that is professionally very much in its infancy, leading to a severe shortage in headcount up and down the chain of command. The result? Cyber experts that are overworked, burnt out, and generally running on fumes.

 

The COVID-19 Pandemic

The pandemic took a toll on us all – some gravely and tragically more so than others. However, in terms of cybersecurity, there were two main concerns: getting the entire clerical workforce working securely from home; and the growing, opportunistic threats that arose from cybercriminals puggy-backing on the disarray and distraction caused by Covid.

Under normal circumstances, efforts towards digitalisation and remote working can take weeks, months, even years to become properly embedded and secure. However, given the sudden escalation of measures to protect against Covid, remote working had to become a reality in mere days. Workarounds were needed quickly, and decisions generally prioritised functionality and cost over security. Some of these workarounds were truly spine-chilling to your average CISO!

Though the dust has considerably settled since, CISOs may still be reeling from the aftermath of some of those improvised solutions, with some maybe even picking up the pieces after a resulting attack.

 

No Rest for the Wicked… Or the CISO

Many of us do take work home over evenings and weekends – mentally, if not physically. However, cyber incidents can strike at any time – and are often timed deliberately to occur when the victim least expects it. This is a prospect that is never too far from a CISO’s mind.

It’s tough going through life knowing that you may well get a call from your SOC or your MSSP in the middle of the night where you have to suit up and get into full infosec crisis mode. You’re always wondering – “Am I alright to chill out for a bit? Or is an attack going to strike tonight?”

Always looking over your shoulder in this way is bound to lead to burnout eventually. But there’s more to it than that. When you’re constantly on alert, waiting for something dreadful to happen, it’s not out of the question that more deep-seated mental health issues may eventually creep in.

Most of the time, security measures are there to protect profits, reputations, and livelihoods; that’s a lot of weight for a conscientious CISO to bear. However when it comes to critical, national infrastructure, a breach could result in a threat to life and limb. With stakes like those, simply staying calm is a tough enough prospect.

 

Growing Personal Liability

At the time of writing, the conviction of Joe Sullivan, the former CSO of Uber, is freshly ringing in the ears of everyone in the IT security space. The court found that Sullivan concealed information from the FTC about a massive hack affecting customer data that took place in 2016.

Though surely none of us would knowingly withhold information like this from investigators, it does add extra strain to an already stressful role. Could one missed protocol here or one forgotten detail there result in a CISO behind bars?

Dave Shackleford, owner of Voodoo Security, puts it plainly for the Washington Post: “Personal liability for corporate decisions with executive stakeholder input is a new territory that’s somewhat uncharted for security executives. I fear it will lead to a lack of interest in our field, and increased scepticism about infosec overall.”

But zooming back out to the whole issue for a second, just how liable is the CISO personally when something goes awry? As legislation and liability continues to be a moving feast, where do infosec leaders stand? This is alien territory for executives, and can potentially lead to concerns around psychological security at work.

 

What This Means for
Infosec Leaders

A OneLogin study of IT leaders reported that 80% of CISO respondents were using exercise, and 40% meditation, to handle work pressures. However, more worryingly, almost a quarter (24%) said they were self-medicating with alcohol, prescription medication, or narcotics.

One figure from Nominet implies a worrying vicious cycle – that 31% of CISOs said stress had affected their ability to do their job. If a CISO isn’t working at their best, then security suffers. If security suffers, they have to work harder, further adding to their stress.

With figures like these, is it any wonder why people shy away from cybersecurity careers? If we want to encourage more fresh talent into the space, we need to make things a lot more attractive for cyber workers – especially for those at the top of the tree.

 

Why CISOs Leave
“Good” Positions

We recruiters generally get involved when a security leader is ready to move on, giving us a unique insight into the stresses of the CISO. There’s a saying in recruitment and HR circles (and beyond), that “people don’t leave positions, they leave managers.” Though this may be true in some circumstances, I think there is another element that is sometimes more apt: “people don’t leave positions, they leave cultures.”

When the team here at Bestman Solutions talk to infosec leaders who are looking to work elsewhere due to stress, there are a few concepts that are somewhat reliably cited as issues with their current/former employer. And, with all of the above talk about mental wellbeing, you may be surprised; none of these factors relate to health perks, they’re all cultural:

  • The Employer Doesn’t Support or Listen: One of the main complaints we hear from job-changing security leaders is that their organisation didn’t support them or listen to them. CISOs are top execs that have been called in for their expertise, and as such should be trusted with the infosec reins wherever possible.
  • The Employer Won’t Avoid Disaster: Because of various factors, the organisation may be slow to address known potential cyber risks. Because CISOs naturally want to preserve their professional reputation, they simply don’t want to be associated with a breach that they know is inevitable. So they move on.
  • The Employer Sees Security as a Tick-Box Exercise: Some organisations see security as an annoying chore. They feel that infosec input slows everything down, and only ever follow security guidance begrudgingly – often after much nagging (which in itself can lead to a “CISO who cried wolf” situation!). CISOs naturally get burned out from the sceptical view towards security and the constant feeling of “being the bad guy”.
  • Poor Security Staffing: Alas, this issue is going to be present in the industry until we get more talent flowing in. Some infosec managers simply don’t have the number of boots on the ground to engage in projects that would proactively improve security posture, or they just don’t have access to the right kind of talent.
  • The Company Lacks Maturity: When new companies have seen massive, rapid growth due to investment or acquisition, oftentimes things have moved at such a speed that an established security culture can’t form and/or security practices haven’t had the opportunity to bed in properly.

Though these are just a few of the reasons that CISOs move on, there’s one thing that remains to be said: any company afflicted by any of the above problems will see security suffer.

How We Place
Stressed CISOs

You may be wondering how recruiters like us place CISOs where stress has formed all or part of their reason for leaving a role. The answer is “carefully”.

Put simply, we establish what factors caused that stress and place them with organisations that we know don’t suffer with those same problems. This can be as simple as placing an individual somewhere with a better cultural fit; somewhere that truly values security expertise; somewhere that has good mental health support in place; or somewhere that gives their employees space to flourish.

How Employers Can Better
Look After Their
Senior Cyber Talent

Better Establish The Boundaries of the CISO Role

One way to make CISOs’ lives easier is to better define the role internally. Talking to Diana Kelley at Microsoft, TM Ching who is a Security CTO at DXC Technology says “Demonstrating my role to the organisation can be a challenge – a role like mine may be perceived as symbolic”. For the same piece, Jason Golden, CISO at Mainstay Technologies, adds “making sure that business leaders understand the difference between IT Operations, Cybersecurity, and InfoSec [can be challenging because execs] often think all of those disciplines are the same thing”

Kelley suggests that educating the CISO’s fellow execs is therefore an important step in making their lives easier. Explain the CISO’s remit within the tech field and help the other execs understand that IT security is crucial. It’s not an obstacle, it’s a business essential.

Encourage a Team Response to Risk

There’s a lot at stake in cybersecurity nowadays. It’s no wonder that, especially in light of cybercrime statistics, CISOs feel like the company’s whole wellbeing rests on their shoulders. This one-sided relationship with risk can be an incredibly isolating and tiring experience.

Yet risk rears its ugly head in myriad ways in myriad departments – procurement, HR, compliance, finance, and more. All of these departments’ leaders likely feel the same way at some point.

So one idea to reduce this draining and isolating sensation for all concerned is to set up a risk panel; a cross-disciplinary group who deal with corporate risk every day. They can support each other by maintaining a joined-up approach to risk, by passing other departments’ risk aversion knowledge on to their own departments, and through solidarity during tough times.

Integrate Security at the Outset

Ask any DevSecOps/Application Security expert: whenever embarking on a new tech project, it’s always far easier (and more effective) to bake security into a system from the outset rather than slap it on afterwards like a sticking plaster. Having to deal with “security as an afterthought” is a corporate mindset we often see security leaders battling with; whether it’s developing apps, adopting new software, or other decisions where managers focus on function first, security later.

This all comes back to educating fellow decision makers of the importance of security and its required seat at the table within all business decision making.

Build a Supportive Culture Around Mental Health

More than 50% of Americans will be diagnosed with a mental illness during their lifetime. In England, 1 in 4 people will experience a mental health condition every year. And recent Deloitte figures found that poor mental health costs British employers up to £56 billion a year.

Therefore, it literally pays to build a supportive workplace wellbeing strategy that prioritises mental health. The Mental Health Foundation reports that addressing wellbeing at work can increase productivity by up to 12%. There are countless resources online around creating a supportive workplace for those suffering with mental health issues, but Mind’s Thriving at Work guide is clear, sensible, and in-depth.

 

In Conclusion

As recruiters, our job is to place the right people, within the right culture, at the right time. When you get that balance correct, security leaders can truly flourish.

Yes, being an infosec and/or cybersecurity leader comes with immense challenges. But let’s not forget its rewards. The vast majority of professionals we speak to love what they do, and though some of them may be changing jobs, they wouldn’t leave the infosec industry for all the money in the world.

Infosec personnel get to stop the online bad guys, keep people safe, and restore order – just like digital superheroes. It would be rather glib of me to say “not all heroes wear capes”, so I’ll end on a different saying.

Employers – help your CISOs to help you!

Back to Publications

More Publications

Everything Employers Need to Know About Cybersecurity Recruiting

Read more

Recruitment vs. Reality: What You Need to Know Before Becoming a CISO

Read more

5 Top Senior Cybersecurity Jobs in Highest Demand in the UK [2022]

Read more