Today, it’s not just geopolitical tensions causing serious cybersecurity threats. Cyberattacks are happening in all directions, impacting enterprise organizations, SMBs, and individuals.
Among the 2,376 C-suite and other executives surveyed by the Deloitte Center for Controllership, more than one-third reported at least one cyber event targeting financial and accounting data during the last 12 months – and more than 10% of the survey respondents confirmed it had happened multiple times.
As cybersecurity incidents continue to grow at an alarming rate, many business leaders are questioning their organization’s security efforts. Is their CISO up to the challenge? Can the security team design preventative measures and implement an effective incident response strategy when attacks happen? Do they have the right cybersecurity tools in place to protect their networks and keep vulnerable data safe? These are all necessary questions, but the one question many business leaders fail to address: How stressed out are my security teams and does that stress impact their ability to do work effectively?
Ninety-four percent of CISOs suffer from work-related stress – and it’s impacting their jobs. Earlier this year, we conducted a survey of CISOs from small- to midsize companies with five security employees or less. The findings were staggering. Our survey showed just how much work-related stress affects cybersecurity initiatives, and it made clear the extent to which CISOs are suffering. Spoiler alert: it’s a lot.
Along with the high stress number, even more eye-opening was that 65% of those suffering from work-related stress admitted their stress levels were compromising their ability to do their job, putting the entire organization at risk. These mental health issues are not happening in a bubble: 79% of the CISOs surveyed reported they had received complaints from bosses, colleagues, and subordinates that their organization’s cybersecurity efforts were suffering.
Mental health issues have long been a focus for many leading organizations looking to improve employee productivity, absenteeism, and churn rates. But because their roles are focused on protecting the organization, many security leaders tend to downplay – or deny – work related stress issues, believing it’s simply part of their job. Unfortunately, this approach may negatively influence the CISO’s ability to lead security initiatives and, more importantly, cause undue strife in their personal life as well.
CISOs aren’t the only ones stressed out
The cybersecurity talent shortage has become a massive challenge. It’s now very difficult to find a security professional with the right skills and experience, and it’s even more difficult to keep them, as security team turnover rates continue to climb. According to our survey, 74% of CISOs confirmed security team members had quit due to work-related stress – in nearly half of the cases, CISOs had more than one employee quit because of stress over the past 12 months.
Security team churn rates only exacerbate an already stressful situation. CISOs are often short on time, lacking efficient resources, budgets, and talent. The short-term impact of one employee leaving can have long-lasting effects when it comes to cybersecurity efforts. Having to find new candidates, onboard them, and train them only increases already problematic stress levels for the CISO. What usually ends up happening is that the CISO spends more time on tactical tasks versus strategic initiatives.
In fact, 93% of the CISOs surveyed said they already spend more time on tactical tasks. Instead of building out proactive measures to keep their business safe, security leaders are putting out fires and being reactive to conditions that could have been avoided with the right people and tools in place.
The hidden cost of work-related stress
It’s not just the business that suffers when the security team endures unchecked stress levels. More than 80% of the CISOs surveyed said they had to postpone or cancel a vacation because of an urgent security issue during the previous year. Sixty-four percent had to forgo a private event because of work fatigue, and 77% said their job was affecting their physical health.
Without question, an employee suffering from extreme stress is more likely to miss work or quit their job. More than one-third of the CISOs surveyed were already considering looking for a new role or actively searching.
The problem isn’t isolated to high turnover rates for the CISO role and security team members. The high stress levels impact their performance, which translates to serious cybersecurity issues. A cybersecurity incident can result in lost revenue and lost customers. It can also have a long-term, negative impact on brand reputation and could potentially lead to massive lawsuits.
Corporate mental health programs and employee wellness initiatives are undeniably beneficial, but CISOs need more than goodwill gestures from business leaders. Surprisingly, when asked what could help reduce stress levels at work, only 24% of CISOs said “hiring additional staff.” Meanwhile, 45% said access to better or more automated tools would reduce stress. When asked about specific technology, 57% said the ability to consolidate multiple security tools on a single platform would help minimize their work-related stress levels.
CISOs need cybersecurity solutions that improve their overall working conditions. They need to arm their teams with tools that allow for automation so that security teams already spread-too-thin can do more with less. It’s important to build a company culture that recognizes and values the efforts of their security team. But it’s equally important to make sure the security team has the technical resources they need to protect the business without suffering work-related stress that impacts all parts of their professional and personal life.
Ultimately, the investment companies make in their cybersecurity efforts may do more than reduce stress and boost the CISO’s mental health. It could drastically improve the organization’s incident response strategy and, in the end, save the entire business.
Daniel Klein, chief business officer, Cynet