Chief Information Security Officers (CISOs) are highly specialised executives who, given the nature of their role and the constantly evolving technology landscape, are experiencing unprecedented levels of pressure and stress. In 2019 Nominet undertook a research project seeking to better understand the CISO as an individual, as opposed to the usual focus on technology in cybersecurity. That research found that the average CISO is under high levels of stress, with consequences for their physical and psychological welfare. Balancing responsibility for fighting increasingly sophisticated attacks against the need to communicate a business case to the board was a major contributing factor. The dichotomous nature of the CISO role (technical versus social/business oriented) is a unique and highly stressful position, and the findings of the follow-on research report, entitled “Trouble at the Top”, compounded the picture. That report confirmed that in many organisations the board did not have a firm grip on the value of cybersecurity, or on the issues surrounding it, and consequently had not empowered their CISOs to help them.
This blog post focuses on the report on the CISO one year on, which uses the previous year’s results as a benchmark to gauge whether, and how, the role has improved. In addition, boards were surveyed at the same time to gain their perspective on the role of the CISO. Areas where CISO and C-suite opinions diverge are important, as they expose pressure points that suggest a lack of consistency in direction. Uncovering these misunderstandings should make the CISO-board relationship more productive, and fostering mutual support and understanding is arguably the most impactful way of improving the working life of the CISO.
In Autumn 2019, Nominet commissioned Vanson Bourne to conduct 800 online surveys with C-suite executives and CISOs in the US and UK. A range of public and private sectors were surveyed, at organisations with a minimum of 3,000 employees. A total of 400 surveys were completed for each job role (CISO/C-suite), with six extra CISO respondents. Highlights from the survey findings are as follows:
CISO stress levels are still too high – the vast majority of CISOs are “moderately” or “tremendously” stressed. Worse, the findings show that this stress is having a much more detrimental effect on individuals’ mental and physical health and personal relationships than it did a year ago.
Poor work-life balance is a key contributor – nearly all CISOs are working beyond their contracted hours, on average by 10 hours per week, and even when CISOs are not working they are unable to let go of work, leading to issues in their personal lives. Missed birthdays, weddings and even funerals are among the disruptions CISOs reported.
C-suite understanding is improving but actions are not following – the board’s understanding of cybersecurity is indeed improving. Boards grasp the importance of cybersecurity and the impact that an ineffective security team can have; what is consistently underestimated, however, is the effect that the stress and long hours have on the individual CISO. The high burden of responsibility and a lack of support from the board combine to form a key contributor to CISO stress.
The research report produced some alarming statistics:
• 32% of CISOs state their stress is affecting their personal friendships
• 32% of CISOs state that their stress had affected their marriage or romantic relationships
• 23% of CISOs in 2020 are turning to medication or increasing their alcohol intake – an increase from 17% in 2019
• 40% of CISOs state that their stress had affected their relationships with their children or partners
• 45% of CISOs have missed a family milestone or activity due to work commitments
• 95% of CISOs are working beyond contracted hours
• 61% of CISOs have missed a child’s sports match, musical event or similar occasion and 35% have missed their child’s first day at school
In an attempt to understand the root causes of the increase in CISO stress, the work-life balance of the CISO was examined first. In addition to the statistics above, 87% of CISOs state that working additional hours is expected of them by their organisation, and they are right: 78% of C-suite members admit they expect their security team to work beyond contracted hours. Given this, it is no surprise that 83% of CISOs report ruminating on work during their evenings and weekends. Potentially even more worrying is that 90% of CISOs said they would take a pay cut if it improved their work-life balance.
When asked to identify the most stressful parts of their job, 44% of CISOs ranked the responsibility of securing the business highest, suggesting that CISOs are overburdened by C-suite expectations and by their own understanding of how important their role is. Consistent with this, 37% of CISOs and 31% of C-suite respondents believe the CISO is ultimately responsible for the response to a breach. This diverges sharply from the NCSC guidance on board responsibility, which states that, because cyber security is so critical to ensuring organisations can exploit the opportunities that technology brings, it “places it firmly within the responsibility of the board”. Until organisational perceptions and structures align with the National Cyber Security Centre guidance, the looming stress and burnout crisis looks set to continue and accelerate.
The result of the report, as you can read, is unfortunately not a happy one. Measured against the past year’s results, it is clear that the CISO’s job has not improved and that a burnout crisis is highly likely in the near future. The individuals most relied upon to maintain business security are under increasingly intense stress, with 90% reporting that they are moderately or tremendously affected. CISO stress is a domino effect that begins with pressure on the individual CISO but eventually leads to low staff retention, slower detection of attacks and reduced overall organisational security. What is more concerning is that these clear and present issues are known, yet are not being acted on with any meaningful changes or improvements.
Employee stress in the workplace – what you should expect
It should be no surprise that, given the year we have all experienced, millions of individuals around the world are under intense stress; some may be very aware of why, whereas others may not. Drawing on information from the Health & Safety Executive (HSE) website, this blog introduces and discusses the six main areas identified by the HSE that can lead to work-related stress if they are ill-managed: demands, control, support, relationships, role and change. It may be helpful to use these to evaluate your own workplace and get an idea of its overall management standards. Remember that under UK law employers have a ‘duty of care’ to protect the health, safety and welfare of all employees.
Demands, as the name suggests, are the workplace demands that come with your particular role. This includes issues such as workload, work patterns and the overall work environment you find yourself in. The standard to aim for is that employees indicate they are able to cope with the demands of their job. Inevitably this will not be the case in every organisation, and some will fall short either intentionally or unintentionally. As an employee you have a right to expect certain standards in your working conditions; these naturally vary with the nature of your role and the type of contract you are on, but there are several things you can do or look out for to ensure that the demands on you are managed well:
- Take regular breaks, especially if the work is complex or emotionally demanding
- Ensure deadlines are realistic and, if they are not, raise your concerns with your line manager
- Enquire about extra support if you find yourself struggling
- Attend to your physical environment – the outside world distracts some of us more than we realise; noise levels, dust and vibration can all affect one’s ability and performance
Control relates to the degree of personal autonomy one has within a job role, or how much say people have over the way they work. Prescribed? Flexible? Given the nature of your role it may be impossible to have autonomy over tasks, and strict guidelines may have to be followed; however, control does not relate solely to how you work but also to the pace at which you work and when you schedule breaks. Control can also relate to the type of work: is your workplace encouraging personal development by offering training or the chance to take on new and challenging pieces of work? Essentially, your workplace should allow you some degree of control over the pace of your work, and it should allow and encourage collaborative decision-making, especially on decisions that affect you.
Support includes the encouragement, sponsorship, praise and tangible and emotional resources provided by the organisation, line management and colleagues. The gold standard is, obviously, employees feeling and reporting that they are supported and that they receive adequate information regarding their role and progression. Feeling unsupported in your role can be problematic: if you feel unsupported by your line manager, it is unlikely you will tell that manager so. Instead, investigate whether your employer offers therapeutic services, speak to Human Resources, request one-to-one meetings to discuss your concerns, or even see your GP – doctors can help you analyse your current situation and be the first point of referral if additional help is required. Keep in mind that support is always a two-way street: enquire about your colleagues’ wellbeing and offer an ear if you spot signs of stress, and hopefully your colleagues will do the same. Be the support you want to see in the world.
Relationships relate to promoting a positive working environment, avoiding conflict and dealing with unacceptable behaviour immediately and appropriately. Your organisation should strive for a working environment full of positivity, with good and honest communication at all levels in work teams. A culture of trust and encouragement should be present; if it is not, it may be worth investigating your organisation’s policies relating to staff conflict. Ultimately the quality of your relationships is mostly within your control, but there should be organisational systems in place to deal with unacceptable behaviour, managers should be trained in conflict management, and there should be a route for you to report unacceptable behaviour. If there is not, your employer may very well be breaching their duty of care.
Role covers how well you understand what your job entails. Ideally, you should have a crystal-clear understanding of your responsibilities and of the requirements for progression. Your organisation should take steps to minimise overlap of roles and responsibilities between team members. Ensure that your organisation has a clear job description for your role, and familiarise yourself with it. The hierarchy of your organisation is contextual, of course, but you should have a clear idea of the structure and of who is responsible for what. Your job scope should not change without your knowledge, understanding and acceptance – this applies to promotion too – and you should be told about any alteration in expectations before you accept.
Change refers to how organisational change is managed and communicated, large and small changes alike. Your organisation should deliver information about changes in a timely and thoroughly explained way and, where possible, should consult individual employees when a proposed change directly affects them. Awareness of the opportunities and impacts brought by change should be present across the team, and support should be offered during periods of change. It is essential that you as an employee understand why any specific change has been made and what its implications are; ideally you will have been consulted and your opinion taken on board. Change within an organisation is not supposed to be a surprise to employees, and it can be a major source of work-related stress. Your organisation has a legal duty to provide you with a safe working environment, and this applies to mentally and emotionally healthy workplaces as well, not just the physical environment. Guidance and information to assist you with work-related stress is freely available from the HSE here: https://www.hse.gov.uk/stress/ and rest assured CyberMIND won’t stop working to assist you either.