By James A. Martin
You don't need to look far to witness the toll that cyberattacks, natural disasters, and other crises take on enterprises. One example is Marriott International, Inc., whose recent cybersecurity breach cost the hotelier as much as $1 billion.
Less obvious is the impact crises take on those tasked with keeping the enterprise safe and resilient — especially Chief Information Security Officers (CISOs).
"When everything's going well, the CISO is often seen as the person who's always crying wolf about potential threats to the security of the organization. Some may think their cries are overblown, that they're trying to build an empire, or that they don't provide value back to the organization," notes Herbert Schreib, Security Consulting Solution Principal for Sungard AS. "And yet, when a crisis like a cyberattack hits, the CISO is often the first one fired."
Here's a look at the stress CISOs face, the impact stress can have, and the steps they can take to survive and thrive at work.
Under Pressure — Without a Clear Career Path
One problem is that too often, business leaders only give lip service to the need for cybersecurity and resilience, Schreib says. "They're just not that interested in it until something bad happens."
When it does, the CISO likely takes the blame — even if the CISO warned enterprise leaders about the potential for the crisis before it happened and advocated for preventative measures to avoid it, Schreib adds. "When cybersecurity breaches are made public, suddenly you've got global eyes on your organization," he says, "and there may be pressure to fire the person, the CISO, who was supposed to protect the organization."
Given the competition for cybersecurity talent these days, a fired CISO may not have too much trouble getting another job. "On the other hand, if they were fired for a breach that made the news, it's a lot harder for them to land on their feet," Schreib says. "That alone keeps a lot of CISOs and other security leaders up at night."
On top of all that, CISOs often lack metrics to demonstrate the great job they're doing, unlike sales or marketing leaders, Schreib adds. "If you're doing your job well, nothing bad happens," he explains. "That means you don't have much to show to the board or other C-suite executives to show your value, and that can limit your career path."
Stress-Related Illnesses + Long Work Weeks = High Turnover Rate
Recent research reveals the toll that these challenges can take on CISOs.
Earlier this year, Sungard AS asked 500 C-suite respondents at U.S. companies with 500+ employees about the crises their businesses have faced. When answering the question "How do crises impact your personal life?," a third say they experience stress-related illnesses when their company faces a crisis and roughly the same proportion say their mental health suffers.
Separately, a study of 408 CISOs in the U.K. and U.S. provides additional insights into the impact of crises on CISOs. Some 70% of respondents have found malware hidden on their networks for an unknown period of time. And yet, 57% say they must contend with inadequate budgets for securing the enterprise and 63% struggle to hire and retain the right people for the job.
The accumulated impact is significant, with 91% of CISOs saying they experience moderate-to-high stress levels; 88% are working more than 40 hours per week; 60% rarely disconnect from work; and 17% medicate or drink alcohol to cope with job-related stress.
Given the pressure, the CISO turnover rate can be high. For example, the Department of Homeland Security's National Risk Management Center's deputy director Mark Kneidinger estimates that the average U.S. government CISO's term of service was once about 36 months, but is now closer to 18 months or less. Other estimates are that the average CISO tenure is 24 to 48 months. As a comparison, a Korn Ferry study finds that the average tenure for Chief Financial Officers is just over 60 months.
How CISOs Can Survive and Thrive
Fortunately, there are steps CISOs can take to handle job-related stress and avoid burnout.
1. Prioritize. "Too often, CISOs treat all risks and threats as a priority," says Shawn Burke, Sungard AS' Global Chief Security Officer. "But you can't always be that person whose hair is on fire. It drives up your stress level. A better approach is to prioritize your plans for responding to the particular threats that face your organization."
2. Exercise. Develop a variety of what-if scenarios that show what might happen to your organization in the event of a cyberattack, weather-related disaster, or other crisis and test them advises Kathy Schneider, Sungard AS's Chief Marketing Officer.
Test exercises work well in driving home the realities to board members and C-suite leaders to increase their commitment to resilience and cybersecurity. For example, if your headquarters is located in California, you might use interactive maps to illustrate the potential resilience risks to your organization from earthquakes and wildfires.
3. Delegate. "Cybersecurity is everyone's job at an enterprise," Burke says. "But ultimately, it's the CISO's job. You have to drive the policies and procedures for security and resilience. And you have to accept that you can't do everything. So, you must delegate responsibility for enforcing policies and procedures and hold team members accountable."
"If you don't have confidence that your team members can take on that responsibility, you need to find people who can, whether it's from an internal hire or an external consultant," adds Schreib.
4. Disconnect. It's not unusual for a CISO to work 48 consecutive hours or more during a crisis — it's part of the job. At the same time, you can't always be on red alert, Burke advises, and it's essential to detach from work on occasion for mental health reasons. If you've prioritized and delegated properly to responsible employees or consultants, you should be able to take a week or two off and disconnect at least part of the time.
5. Flex and vent. Take care of your physical health by getting regular workouts, Burke suggests. For mental health, he recommends getting together socially with colleagues who understand your pressures to vent frustrations and share ideas.
(Related reading: How to Combat Data Breach Fatigue at Your Enterprise)
Above All, Communicate
It's imperative for CISOs to develop a clear communications plan for how disruptive events will be handled, Schneider says. Such a plan can help reduce the stress of the CISO and others in cybersecurity, risk and resilience roles as well as demonstrate their value to the organization.
"For example, if you're in a hurricane-prone area and there's a big storm on the way, communicate internally and externally how you're preparing for it," Schneider advises. "Then if your organization is hit hard, you'll have demonstrated that you took the threat seriously and were proactive in taking appropriate measures. You'll have shown that you and your team were on the ball."
James A. Martin has written about security and other technology topics for CSO, CIO, Computerworld, PC World, and others.