Times have changed
In recent years the job of Chief Information Security Officer (CISO) has become more and more frenetic and involved. Already stretched CISOs have the added responsibilities of employee management in a time of a global pandemic, staff retention when priorities have changed and home-working has become the norm, and meeting ever more sophisticated threats from widening threat vectors in a world in conflict. They have to liaise with stakeholders (who are also under pressure) and who want to stay agile, develop faster, and move to remote working. With shifting business priorities they have to manage rapidly diminishing budgets, and juggle remote access and enterprise-wide protocols. They need to see clearly through the daily barrage of false positives and low-priority alerts, plus address evolving compliance requirements and a noticeable talent shortfall in their security teams. It’s no wonder that the average tenure of a CISO is just 26 months due to the high stress of the job and consequent burnout [Cybercrime Mag].
According to Life Inside The Perimeter: Understanding The Modern CISO, 88% of CISOs are doing more than the average 40-hour workweek, with 60% saying they rarely disconnect. 25% think their job has had an impact on their mental or physical health (or both), and their family life and personal relationships.
Thankfully we live in a world where attitudes to mental health and work/life balance have also changed, and help is available within many companies and through mental health charities such as ReThink and MANUP?. People are more understanding and sympathetic, and counseling and conversations around mental health are a far more open and rightly accepted occurrence.
Those of us who are continually exposed to high levels of stress are susceptible to the rigors of emotional, mental, or physical exhaustion. In the 11th revision of the International Classification of Diseases (ICD-11), May 2019, the World Health Organization (WHO) classified burnout as an occupational phenomenon. Unlike stress or anxiety, where an individual might be hyperactive and over-reactive, those of us who suffer from burnout may begin to disengage from our job and suffer reduced professional efficacy – even experiencing specifically negative feelings toward our profession. These symptoms are cumulative and can further harm a person’s mental and physical health, further affecting the ability to work and worsening the situation.
Common signs of burnout [Mental Health UK] include:
- Feeling tired or drained most of the time
- Feeling helpless, trapped and/or defeated
- Feeling detached/alone in the world
- Having a cynical/negative outlook
- Procrastinating and taking longer to get things done
- Feeling overwhelmed
Where can we start?
Be aware of your stress level
It’s essential to recognize the early warning signs of burnout and act accordingly before things get out of hand. This is easier said than done when leading a busy cybersecurity team, but early indicators like sleep problems, extreme tiredness, loss of professional enthusiasm, or anxiety can signify it’s time to take a closer look at your current situation and put some safeguards in place. Many people don’t immediately look for help or discuss how they are feeling with management/HR, which can mean they are forced to take time off work later or even leave cybersecurity altogether. Prolonged exposure to stress can wear a person down. It’s important not to wait until it’s too late. Having a sense of control over your workload and deadlines, and optimizing how you get your work done with the right tools in place to do so, can be instrumental in remediating the early stages of burnout.
Identification and communication
All of us feel stressed and demotivated at times, and it’s ok to recognize this and ask for support. Open and honest conversations can really improve our mental health, and practical tools and exercises such as stress risk assessments (a review of roadblocks to mental health in our working environment) or creating well-being plans (our own personal review of our current situation) can offer a better understanding on our road to avoiding CISO burnout. These work the same way as traditional risk assessments, helping us to identify risk so that we can explore ways to reduce or eliminate negative factors.
If you notice any of the signs of burnout and feel unable to act on them to resolve them, talk to human resources (HR), your chief executive officer (CEO), or any other C-suite executive with whom you feel confident in sharing your situation. Sometimes, especially early on, small changes in how you work can make all the difference.
Eat, move, and sleep
It makes good sense, regardless of any warning signs, to practice healthy habits and look after yourself. Diet, exercise, and sleep are important, and often overlooked when we immerse ourselves in our work.
Studies have shown that a nutritious diet, combined with enough exercise, can help improve both mental and physical health, so you’re better equipped to take on your critical responsibilities [Harvard]. A correlation exists between impaired brain function and diets rich in refined sugars and processed foods, including notable symptoms of mood disorders (all types of depression and bipolar disorders). Pay attention to what you eat and how it makes you feel. Enjoying a “clean” diet for a couple of weeks, making a note of what effect foods have on your mood and cognitive function (the same day and the following day), then introducing foods back into your diet one by one, will give you a clearer idea of how what you are eating could be influencing your mood and overall health.
Walking, swimming, tennis, running, golf, cycling, visiting the gym, joining a 5-a-side soccer team – exercise can significantly boost our mood, reduce stress and anxiety, affect mental alertness, and improve our self-esteem [Mayo Clinic]. Finding exercises that work with your routine, like cycling to work or walking the dog, can be a great start to any workout plan. It’s also good to be able to focus on something that isn’t a monitor for a while.
Evidence suggests that sleep enhances most types of cognitive function, including problem-solving, memory, creativity, judgment, and emotional processing – essential CISO daily requirements. Without adequate sleep, our brains don’t function properly. The National Sleep Foundation recommends that healthy adults should aim for 7 to 9 hours of sleep per night, while people over 65 need between 7 and 8. It further states that healthy sleep patterns aid our bodies in fighting off disease and that sleep is an essential function that lets our minds and bodies recharge – leaving us alert and refreshed when we wake.
We need to have sensible and realistic boundaries in place to be sure that we, and our team, aren’t pushed beyond our limits. Burnout can start with responsibility creep, and a CISO’s job is busy enough without additional working hours and responsibilities. It’s an extreme example, but if it’s not your job to provide IT services to the wider company then you and your team shouldn’t be doing it.
Designated individuals should provide out-of-hours cover on a rotational basis, and defense tactics should be preemptive rather than reactive. This shouldn’t all fall to one individual. As a start, consider the following and encourage your team to do the same:
- Keep regular hours
- Take your holidays and disconnect
- Have lunch, and (if you can) get away from your computer to do so
- When appropriate, close the office door to think
- Minimize interruptions – turn off social media notifications, work from home sometimes, and close unnecessary programs
- While departmental communication is important, can that meeting be an email instead?
- Practice good time management – shift focus from activities to results
- If it’s not your job, say no
- Use stand up meetings for department communications and efficiency
It’s important to recognize when, and when not, to volunteer for additional duties and responsibilities. A CISO’s plate is usually full enough.
Alternatives to recruitment
There’s an obvious skills shortage right now and it’s tricky to get fully trained, well-qualified recruits interested in joining our cybersecurity teams – especially at a price our budgets can afford. Recruiting, however, isn’t the only way to build a strong team, and there are other ways to find people capable of taking on some of the CISO’s least business-critical responsibilities while still reporting back regularly.
Training keen employees eager to learn can be invaluable, especially if they are self-starters who can learn under their own steam. There are plenty of business courses out there for cybersecurity, and giving staff responsibility for (the likes of) other employees’ security training or orchestrating red team exercises can be an excellent (and time-saving) introduction to a more responsible role. Penetration testing exercises afford realistic security scenarios that can be tailored to your requirements and give you the opportunity to track learning outcomes.
It is possible in the short term, if budgets allow, to fill any skill and capacity gaps with third-party experts. While price often precludes this being a long-term solution, it can be invaluable during peak times, during staff shortages, over the holiday period, or for a specific task or high-capacity situation. This could be an individual contractor, a managed service provider, or both. Even Chief Information Security Officer-as-a-Service (CISOaaS) exists as a virtual offering – when time travel or cloning turns out to be impractical – providing information security leadership from a stable of external expertise and technical resources to offer temporary guidance and cover.
Foster a security-first culture
A CISO’s job is important, and so is that of the cybersecurity team – the wider business should be aware of that. Cybersecurity can be overlooked until something goes wrong, and fostering a clear understanding of what your team does and the ROI you bring to the company can go a long way toward making sure you are appreciated and have the support you need. Teams are busy with outsider threats, such as DDoS attacks, account takeover attempts, or supply chain code violations. They also face insider risks, such as employee ignorance of phishing practices, violation of secure practices or inappropriate permissions, and lack of visibility into your data architecture. As such, cybersecurity isn’t only a job for the CISO and their team. Security is everyone’s responsibility, and everyone in the company should bear some responsibility for their digital actions and help alleviate CISO pressure. Security awareness training, and instilling the concept that security belongs to everyone, is key – especially now that businesses have moved more towards remote working.
Remember, it’s easier to catch flies with honey than it is with vinegar. Celebrate success. If you reward and recognize those people across the organization who do the right thing, not discipline the ignorant or shame people for their mistakes, you’ll help foster a more positive and inclusive security-first culture and avoid any “us versus them” thinking.
Invest in the right tools
Cybersecurity professionals should think “broad-spectrum vaccine,” not “triage and cure.” Having the right tools in place is important to maintaining the best standards of security, and there are certain features that can make the CISO’s job much easier. These tools have a clear return on security investment (ROSI), above and beyond avoiding CISO burnout, which can easily be seen by those who hold the budget. Automation saves valuable time, increases the quality of reporting and alert management, improves employee satisfaction, and reduces costs. By using a single platform to gain insight into your data you save man-hours and hassle versus using multiple programs that might offer less insight into your data stores and repositories.
Investigate tools that can give you breathing room to do your job effectively and more efficiently. Runtime protection (RASP), for example, gives you space to address zero-day exploits and means development teams can push to production earlier without having to remediate supply chain and third-party code issues immediately after deployment – offering peace of mind and fitting well with Scrum operations.
Find firewall tools and attack analytics that offer clear insight into alerts with less spam and ambiguity. Look for fewer false positives and for actionable insights, with clear remediation directions so that your team can prioritize incidents that need immediate investigation and remediation. Look for a platform that stays at the front of development and can provide compliance and security knowledge that will save you time and on which you can rely. Investing wisely in the right tools can make your job genuinely easier, and you can easily justify acquiring them with clear ROI when you compare the cost of a data breach with the cost of protection.
Set reasonable expectations
Unclear, undefined, or unrealistic expectations are a sure path to CISO burnout. The CISO role is undoubtedly challenging, but it’s important we set reasonable goals and quantify what the responsibilities and targets are for the wider organization. It’s critical for our own well-being that we clarify our priorities and overall strategy for the rest of the leadership team to avoid any ambiguity and responsibility creep. Getting your vision, role, and methods documented and presented to those who need to be your champion is going to be a big part of fostering that security-first culture and setting expectations.
It’s possible, with a little foresight, to manage our stress levels, to put intelligent systems and processes in place, and avoid CISO burnout. Burnout is not inevitable, and it’s about employing and training the right people to support us, shoring up processes and tools, ensuring correct staffing levels, setting expectations, and making sure we have the right technology to avoid professional fatigue. Mental health is important, and if you need help – please – get it. We’re not experts, but there are a lot of great online resources out there, and please speak to your HR team about what they have in place and how they can support you and your team.