The second Nominet CISO Stress report is out and it seeks to address the question “Why are CISOs stressed?” One reason could be the significant increase in successful cyber attacks. Another might be the need to work more hours than contracted. The only problem with the second one is: who takes on a CISO role and expects it to be 9-5? Looking around the Internet, the pay for being a CISO isn’t peanuts. That said, apparently a lot of the CISOs spoken to would give up pay in order to have less stress.
Vanson Bourne did the research and talked to 400 C-Suite executives and 400 who identified as CISO or equivalent. The latter group all said that they were responsible for cyber security at the companies where they worked. The research took place in both the US and the UK, with equal numbers from each country. While not a huge pool of people, it is not an unreasonable sample size.
In the introduction to the report, Russell Haworth, CEO, Nominet commented: “We are potentially heading towards a burnout crisis if the very people who we are relying on to keep businesses secure are operating under mounting pressure. CISO stress is on the rise – with almost 90% moderately or tremendously affected – and it’s taking a greater toll on their personal lives and well-being. Not only is this harming the lives of CISOs but will ultimately make it harder to retain staff, catch attacks early and improve security. It is worrying that at board level, understanding of these pressures appears not to have translated into action.”
For many in cybersecurity, not just the CISO, Haworth is preaching to the choir. There is a lot of lip service to better mental health/mental wellness inside cybersecurity. Ask around security teams, not just the CISO, and that lip service is rarely translated into anything concrete. After going through an early copy of the report, Enterprise Times talked to Stuart Reed, VP of Cyber at Nominet.
Why target the impact of stress?
Reed commented that one of the goals of the report was to shine a light on the issue of wellbeing in the workplace. This includes the need for employers to understand the impact of the workplace and the workload on employees. After all, they recruit the employee so they have the responsibility to care for that employee. However, it can be difficult to find organisations with specific programmes in place, especially when it comes to stress and wellbeing.
Reed also said that when we look at the CISO, one significant factor is that the CISO is doing a blended role. It is a role that changes as the threat landscape changes. With no clear definition inside organisations, it is easy to understand why the CISO is struggling.
Reed defined that blended role by saying: “The CISO is responsible for technical decisions as to security. They are also expected to be an advisor or confidant to the C-Suite.” This is not always an easy thing to do, especially when in many organisations the CISO has no direct seat on the Board. Instead, they are represented by others.
How is stress affecting the CISO?
It is clear from the report that stress is having a significant impact on their lives. 48% of CISOs said that stress has impacted their mental health. Reed commented that last year that number was just 28%. It is a shocking increase and one that should be raising red flags everywhere.
Some of the numbers from the report show:
- 40% admitted to damaged relationships with family or children.
- 35% reported that stress had impacted their physical health.
- 32% said it is impacting personal friendships.
- 32% said it is affecting their ability to do their day-to-day job.
The C-Suite is aware of the problem. 74% accept that there is stress on the security teams and the CISO in particular. Of concern, however, is that the report also implies that the C-Suite is only really concerned about the impact on the CISO when it comes to doing their job. It is a short-sighted view. Reed said: “The communication channels between the Board and the CISO should alleviate the stress.”
However, it is clear that isn’t happening here. To solve that Reed said: “There is still work to do on shared responsibility for cybersecurity.” It’s a nice thought but it does raise other questions that need to be answered.
Should the CISO be a Board member? That would raise the importance of the CISO and make it easier to get the Board involved.
How do you better engage the Board? When the Board does listen to vendors and suppliers, those vendors continue to use FUD (Fear, Uncertainty, Doubt) to sell products. The Board doesn’t understand the jargon. What it wants is to understand the risk.
That raises the question of whether the CISO role should be split. Should there be a practical CISO and a reporting CISO? Most companies would say having IT and security fall under an existing Board member already does that. If it were that easy, the Board would already be taking responsibility.
Should the CISO be personally better prepared?
Reed said: “There is no established path to becoming a CISO.” This goes back to his comments about it being an evolving role. It suggests that we need a better or, at the very least, a more consistent definition. That would enable people to work towards the role in the same way they work towards being a Finance Director.
One solution here might be to look at how governments have begun to view the role of directors in other industries. In banking, for example, there is a need for directors to be fit and proper people and that goes far beyond the old issue of good character and the right university. Relevant qualifications and experience are now critical.
Look across cybersecurity and there are lots of different bodies all vying to deliver “the” certification or certification path. Perhaps we need to think about that for the CISO. If it is to remain a blended role, is there a need for a cybersecurity MBA that would give the CISO the necessary management grounding? Should they also have some experience of audit and digital forensics?
What about the CISO’s own responsibility for a support network? There are a growing number of cybersecurity communities around. Many of them have active mental health channels, especially those based around military veterans. Perhaps many CISOs are worried that seeking help in these channels would compromise them in the workplace?
Nominet has asked Dr Dimitrios Tsivrikos, Lecturer in Consumer and Business Psychology, University College London, to look at the results. He is due to post a blog on that later. Enterprise Times will add a link when it is available.
CISOs willing to take a pay cut for less stress
One of the interesting results was that CISOs were willing to take a pay cut for less stress. But that raises more questions than it answers. Most admit to currently doing at least 10 hours per week of unpaid work. A pay cut would therefore have to come out of their basic salary. Would this make the job less attractive?
The survey says the average salary for a CISO is:
- US: $128,908
- UK: £88,324
Reed suggested one way was: “to split the role to reduce the time taken.” It sounds good but would a CISO really lose that much responsibility? This comes back to Reed’s earlier comment about the CISO role being an evolving one. If you can nail down key core aspects for the role and move other stuff elsewhere, perhaps you can achieve this.
Unfortunately, the survey didn’t ask the CISOs how they thought this would work. It also failed to ask the C-Suite contributors what they thought of the idea. The answers from both groups would have been illuminating.
Are CISOs giving the support they want?
One of the things needed to tackle stress in cybersecurity, if not the whole workplace, is a wider and more open conversation about mental wellness. This report focused on the CISO and the stress and impacts on that role. It didn’t, for example, ask how stressed the C-Suite respondents felt.
The whole of cybersecurity is under stress. The increased effectiveness of attacks means the workload is increasing far faster than people can be employed. For many in the Security Operations Centre (SOC) who are dealing with incident response, stress levels are off the scale. The level of attacks also means that they rarely get any downtime between incidents.
One question that should have been asked of the CISO is: “Are you providing the level of support to your first responders that you want for yourself?” I suspect the answer would have been no. Good organisations lead from the top. Private health and support for the Board might seem like a good idea to keep them running the business profitably. But, if they don’t provide that support to those below them, companies fail.
The C-Suite admits in this report that it is worried that stress is impacting the ability of the CISO to do their job. What it didn’t say is whether it has put in place a programme to help the CISO. If it does that, it also needs to look at the wider business and not just cybersecurity.
Enterprise Times: What does this mean?
In the quarterly avalanche of security reports from vendors, it is refreshing to get one that approaches the people issue rather than the technology one. This is what Reed said Nominet set out to do. Although the survey was narrow, there is plenty of room for qualitative follow-up should Nominet want to do so. The results, especially with more probing questions, would really shine a light into those dark corners and help define what wellness really means.
The report also shows how we need to rethink the role of the CISO. Is cutting salaries and taking a few things away sustainable? Not in the short or even the medium term. As Reed pointed out: “the CISO role is still evolving.” We need to nail down what CISO really means and create a viable job description that doesn’t keep changing.
There is a lot in this report that could be expanded upon. It’s worth a read.