BlackFog on Tuesday reported that 32% of CISOs or IT cybersecurity leaders in the UK and the United States are considering leaving their current organization, a worrisome number given the dramatic need for security talent.
The researchers said of those considering leaving their jobs, one-third would do so within the next six months. Of those who had been a CISO at a previous organization, 41% either left or were let go following a cyberattack or data breach.
When asked about what they disliked most about being a CISO, 30% said the lack of work-life balance, and 27% said that they spent too much time on firefighting, as opposed to focusing on strategic security issues.
“Cybersecurity expertise has never been more in demand; however, these numbers highlight a serious issue with retention in the field,” said Darren Williams, founder and CEO at BlackFog. “Board members and the C-Suite must recognize that keeping a strong team of IT security leaders is essential for their company’s safety and security.”
BlackFog’s data highlights what many already know: being a CISO is a really tough job, said Craig Burland, CISO at Inversion6. Burland said there are competing forces creating perpetual pressure on the CISO to enable speed and unleash innovation while simultaneously reducing risk and ensuring compliance.
“It’s like being sandwiched between two tectonic plates pushing against each other with the expectation of preventing an earthquake,” Burland said. “There’s a lot of talk these days about security being a team sport. In most organizations, it’s not. Security is the job of the CISO, requiring constant attention and vigilance. Eventually that takes a toll and triggers a desire for greener, or at least different, pastures.”
Chloé Messdaghi, chief impact officer at Cybrary, said that too often cybersecurity emerges as a concern just prior to or even after a company launches a new product, service or customer-facing asset, forcing security teams to firefight against threats rather than warding them off, and undermining the CISO’s role as protector.
Messdaghi said the failure to invest in people is another factor behind CISO burnout.
“Investing in up-skilling security teams makes them more effective at their role and helps reduce the firefighting required,” Messdaghi said. “It also opens up opportunities for advancement and is a greatly-appreciated benefit. The fact is that companies that don’t offer room for advancement will inevitably see skilled talent leave for better opportunities. It’s also worth noting that when a CISO doesn’t feel valued or feels an extreme lack of work-life balance, they’re less able to support their security teams, so the discontent that starts at the CISO level inevitably ripples across the security and IT ecosystem.”
CISOs take heart: Many say they have good budgets and relations with boards
This study highlights that CISOs are over-stressed, but not under-resourced or under-appreciated, said Bud Broomhead, chief executive officer at Viakoo. Broomhead said having significant budget available to achieve their plans (26% of overall IT budget) and good alignment with the board are two aspects of this study that CISOs should take heart from.
“CISOs have organizational issues that themselves create massive stress, especially with CISOs caring deeply about their organization’s overall security,” Broomhead said. “For example, the attack surface is usually not under the CISO’s control — assets like OT, IoT, and ICS systems are managed by the lines of business and typically out of the control of the CISO — leading to frustration. Better internal policies and coordination can help address the firefighting stress that comes today with the CISO role.”
Sounil Yu, CISO at JupiterOne, said workplace conditions are the main contributor to the causes of burnout. As such, Yu said it’s incumbent upon those with the power to change those conditions to be responsible for recognizing the signs of burnout and heading it off before it gets worse. Of course, Yu said CISOs can reduce job demands, but one counterintuitive solution to burnout is to give those employees at risk from burnout more work.
This new work should consist of specific assignments that give individuals more autonomy and help them see clear purpose and impact from their contributions, said Yu. It can include volunteering and mentoring opportunities to get immediate, positive feedback from their work. It’s also important to recognize and celebrate small wins, even if those wins are quickly swept away by the next raging fire or virus outbreak.
“Burnout is more common than most realize,” Yu said. “Acknowledging burnout risks is an important way to be supportive and to let team members know that they are not alone. CISOs cannot personally shoulder the burden of mitigating burnout. Instead, CISOs should educate their company’s board and fellow executive leaders on security burnout risks and collaborate with HR to improve resources such as employee resource programs, flexible working arrangements, and systems of reward and recognition.”