About 60% of CISOs rarely disconnect from work, and 17% either medicate or use alcohol to deal with the job stress…

Today’s chief information security officer (CISO) spends approximately 1.5 years in the role. This short tenure is in stark contrast to the average duration of a CEO, who spends nearly nine years in the role, and a CFO, who lasts six years.

To add to these statistics, 2020 has been a particularly stressful time for CISOs. The COVID-19 pandemic forced organizations across industries to conduct business remotely. In fact, between February 4, 2020 and April 7, 2020, we have seen an estimated 70% increase in remote work—but this is also shaping up to be the new norm. Deloitte, in a recent paper that up to 47.8 million people across ASEAN could permanently shift to working remotely over a multi-year horizon. Although this can help organizations drive productivity and lower costs, it also creates a greater attack surface for cybercriminals, leading to immense stress for CISOs and their notoriously under-staffed security teams. 

Undoubtedly, the global pandemic has driven the significance of cybersecurity, and in parallel, the roles that CISOs and their security teams play to keep an organization secure. Let us take a closer look at the running list of responsibilities facing today’s CISOs, and how we, as colleagues, can help to alleviate the pressures. 

Mounting security challenges

When CISOs went into their offices during any ‘normal’ day prior to the pandemic, there were usually long lists of issues to overcome. However, during the global pandemic, these lists became never ending as cybercriminals exploit the massive shift to remote-working, public fear and the worldwide disruptions that are affecting us all.

Recent attack data from the VMware Carbon Black Cloud revealed that in March 2020, ransomware attacks had increased 148% over baseline levels from the previous month, with spikes occurring during key moments in the COVID-19 news cycle. Unfortunately, these are not the only threats CISOs battle today. Cyberattacks have become increasingly sophisticated, often fueled by geopolitical tensions and carried out through clever techniques such as lateral movement, island hopping and counter incident response to stay invisible.

These tactics have caused more organizations to fall victim to a cyberattack. In a recent VMware Carbon Black Global Threat Report, 88% of the businesses surveyed had suffered one or more breaches in 2019. What was once a question of if organizations will get attacked, has now become a matter of when the attack will happen, causing increased stress and anxiety throughout all departments.

As digital transformation becomes a priority on national agendas, CISOs are managing an accelerated rate of evolving business technology, too. They are also tasked with understanding the constantly-evolving global and regional regulatory landscape, ensuring compliance to complex regulatory requirements like the General Data Protection Regulation (GDPR) and similar laws in our region.

Add to this the fact that everyone within an organization thinks they are experts in security, and you have a recipe for disaster—a burnt out, overly stressed CISO during a time when the role is needed the most. 

How we can help

With 60% of CISOs admitting they rarely disconnect from work, and 88% working more than 40 hours per week, mental health is all too often ignored. As a result, nearly 17% of CISOs are either medicating or using alcohol to deal with the job stress. It is time to stop overlooking this uncomfortable situation, and instead, ask—how can we help? 

Other business leaders and functions can help play a part in relieving the CISO’s stress. For example, when it is time to allocate the annual budget, understand that the CISO’s teams need significant financial support to ensure that they have the right tools, talent and resources to protect the organization.

Everyone in the organization—from the CEO to the seasonal intern—should understand that security is everyone’s responsibility. Oftentimes, we place it all on the CISO’s shoulders and blame this person when an employee accidentally clicks on a malicious link. Let us start taking responsibility for our actions and increase our vigilance now more than ever before. Regular cybersecurity training can help educate all employees. However, it is only when responsibility is taken, that security best practices can truly be enforced.

Additionally—and it is easier said than done—CISOs need a mindset shift. If traditional strategies are not working, then change them. Let us stop opting into annual legacy technology subscriptions if they have proven to be ineffective. Alternatively, if the organization is overspending on technology with all the bells and whistles, and it is still not doing the job, it is time to cancel. Take a step back and understand where the true issue lies and work from there to resolve it—even if it requires change. 

Lastly, it is time to remind ourselves that ‘perfect’ just does not exist in any aspect of life. Failure often leads to success; testing a new way to solve a problem is in fact a good thing; and we should not be afraid to explore other options. The battle against adversaries is never-ending, and we need our CISOs to be less stressed in order to win.