CISOs Are Burning Out: Here’s How to Fix It

Brian Thomas | August 1, 2019 | tag: Cybersecurity

Everyone experiences stress in their jobs, but security leaders may have it worse than most. According to Dark Reading, 60% of CISOs admit they rarely disconnect from work, while 88% work more than 40 hours per week. It’s no surprise that 51% of tech executives experience stress-related illnesses as a result of cyberattacks, tech outages, and breaches – a number that increases to 56% among CTOs and CIOs.

That’s because when today’s CISO goes to work, they face huge pressure to keep their organizations secure. Should they fail, the consequences are significant. Aside from the privacy concerns of users, cyberattacks have huge financial ramifications. The average cost of a cyberattack soared to $4.6 million per incident in the first half of 2019. Each minute data is inaccessible, or a system is locked down by malware, organizations stand to lose money. Plus, no one wants to be the one to preside over the next massive data breach.

To complicate matters, despite the plethora of available security monitoring and protection tools, CISOs often feel they have little control over the probability of a cyberattack happening and are overwhelmed and even chastised when it does. CIO Dive reports that 45% of executives say they’ve experienced online or verbal abuse in connection with cyber incidents, while Dark Reading suggests a link between the stress and constant urgency of the job and the average tenure of a CISO (18 to 24 months). Compare that to the average tenure of a CEO (8.4 years), CFO (6.2 years), and COO (5.5 years).

Managing the burnout 

Common principles of stress management recommend boiling the source of stress down to its simplest elements, writing down everything you need to do, and prioritizing deadlines. Once you know what you’re dealing with, you have a newfound sense of order and direction. If you are still struggling to get motivated, check off the easiest stuff first.

In the land of cybersecurity, things are a little different. Being in a constant reactive mode of responding to and prioritizing continually evolving and increasingly sophisticated threats takes its toll. There’s no easy button to press; no deep breathing exercise that can help. To further compound stress levels, CISOs lack visibility into their organization’s security exposure, particularly across their increasingly interconnected supply chains. How do you check off and fix the security risks that matter most to your organization if you don’t know what they are?

Instead of playing a game of whack a mole with cyber threats, CISOs can take proactive steps to measuring cybersecurity performance and risk using tools like security ratings.  

Security ratings can change the way CISOs approach risk management by allowing them to simplify their understanding of threats and take a more proactive stance toward cybersecurity. Security ratings automatically monitor the security status of your organization, third-party vendors and suppliers, and even M&A targets for vulnerabilities and risk vectors on a continuous and global basis. These easy-to-understand ratings provide real-time insights that allow CISOs to see exactly what they’re up against and prioritize their responses accordingly.

By checking off the small stuff — closing open ports, fixing web application headers, etc. — CISOs can easily score quick wins. Then, they can safely move onto the bigger stuff, like protecting their organizations from more complex risks like the BlueKeep vulnerability or the next WannaCry.   

Gain control and decompress

By understanding where the true security problem lies, CISOs can better understand their risk exposure, and assert control from there. They can also put an end to breach accountability and, with the right KPIs, show executive leadership exactly how they approach security problems. They can feel safe in the knowledge that they have done everything they can to make their organizations more secure. 

Perhaps most importantly, they can begin to decompress — at least a little — and rest easier at night.

Read this white paper to learn how today's CISOs are adapting to new challenges.The Evolution of the CISO White Paper

Suggested Posts

The BitSight and Moody's Partnership: A New Era For Cybersecurity

Cybersecurity is one of the biggest threats to global commerce in the 21st century.

By providing data-driven insights into cybersecurity, we can empower the marketplace to make better, risk-informed decisions and create a more secure...


4 Critical Success Factors for Effective Security Risk Management

With the average cost of a data breach in the U.S. reaching nearly $8.6 million, your organization can’t afford to ignore cybersecurity risk. Indeed, the need for security risk management is greater than ever. When cyber risk is managed...


What are Cyber Security False Positives and How Can You Prevent Them?

Imagine you've alerted your IT team to a critical infrastructure error plaguing your network. You ask them to drop their current work and focus on immediate remediation of this detected vulnerability. After further investigation,...


Get the Weekly Cybersecurity Newsletter.