In a recent survey of 400 U.S.- and UK-based chief information security officers, an overwhelming number, 88 percent, said they find themselves under a moderate or high amount of job-related stress.
Moreover, 48 percent admitted that the stress has affected their mental health, while 31 percent said their job performance has suffered, according to .uk domain name registry Nominet, which commissioned the study last autumn and issued a report on its findings earlier today.
A similar Nominet study conducted 12 months earlier found that only 27 percent of surveyed CISO said their mental health was affected – meaning the number jumped significantly over the course of just one year.
At the time of the survey, all participants worked at larger organizations or enterprises with at least 3,000 employees.
Additionally, 35 percent of CISO respondents said that their stress is impacting their physical health, while 23 percent said they are relying on medication or alcohol as a coping mechanism or a means to manage their stress.
A large contingent of respondents also acknowledged that job-related stress is affecting their relationships with family or children (40 percent), their marriage or romantic relationships (32 percent) and their friendships (32 percent).
The study also examined some of the chief causes of CISO stress, and work-life balance seems to be a major contributor. Seventy-one percent of surveyed CISOs said their work-life balance is heavily weighted toward work long hours, and 39 percent that this is a major contributor to stress.
Nominet’s study determined that CISOs work an average of 10 extra hours per week without compensation, essentially putting in an average $30,319 in yearly bonus work.
Nine out of 10 surveyed CISOs said they’d agree to a 7.76 percent pay cut in exchange for better work-life balance. Unfortunately, more time off may not be realistic, as 87 percent of CISOs said that working long hours was expected from their organization.
As part of its research, Nominet also surveyed 400 C-Suite executes, all of whom at the time were board members of their companies. Seventy-eight percent of these executives concurred that working extra hours is expected. Moreover, an overwhelming 97 percent said that the security team could improve on delivering value for amount of budget they receive.
“This suggests that, despite how much effort the CISO puts in, business leaders still think they should be getting more,” the Nominet report states.
Another major cause of stress is the heavy responsibility of protecting the network from breaches and other threats. Twenty percent of CIOs said they’d be fired if a breach occurred, even if they were not responsible for the incident. And 24 percent said their boards refuse to accept that breaches are inevitable.
Responses from the C-Suite executives appear to back up these concerns: 24 percent confirmed that they think breaches aren’t inevitable, while another 10 percent said they don’t know for sure.
Surveyed CISOs also cited a lack of support from their higher-ups. A total of 39 percent said cybersecurity is an official board meeting agenda item less than half the time, while 10 percent said it only happens if an incident occurs. But polled C-Suite executives disagreed: 64 percent said cybersecurity is on the board’s agenda at least half the time and 26 percent insisted cyber is brought up at every meeting.
Another major disparity: 21 percent of CISOs said there were no support structures to help employees manage their stress, but only six percent of C-Suite executives said their organizations lacked such support structures.
“We are potentially heading towards a burnout crisis if the very people who we are relying on to keep businesses secure are operating under mounting pressure,” said Russell Haworth, CEO of Nominet, in a press release. “Not only is this harming the lives of CISOs but it will ultimately make it harder to retain staff, catch attacks early and improve security. It is worrying that at board level, understanding of these pressures appears not to have translated into action.”
“While there have been positive steps in mental health and stress-related issues, the essence of tackling these issues has not received as much attention as needed,” added Dr. Dimitrios Tsivrikos, lecturer in consumer and business psychology at University College London. “While measuring, understanding and incorporating key findings within the work is incredibly important, we also need to consider that there is a lack of research that looks into the work-life balance.”