Leadership

Burnout has reached crisis levels — but CISOs have the power to do something about it

Comedians Tom Dreesen, Frazer Smith and Thom Tran serve food at the 41st free Thanksgiving dinner at The Laugh Factory on November 25, 2021 in West Hollywood, Calif. Today's columnist, Josh Yavor of Tessian, says too many security team members are pressured into missing important family holidays, a situation that CISOs need to get proactive about so the staff can have a better work-life balance. (Photo by Michael Tullberg/Getty Images)

The stakes for cybersecurity teams have never been higher, nor has the pressure. The cost of a data breach rose to a record $4.24 million in 2021 while hiring and retaining employees continues to be a hurdle amid the Great Resignation. The current situation has weighed on CISOs and their teams.

Unfortunately, burnout continues at crisis levels among CISOs. One of our surveys found that two in five CISOs have missed holidays like Thanksgiving because of work demands, and that 25% have not taken time off work in the past 12 months. If CISOs are this overworked, it's safe to say that their teams are feeling at least as bad, if not worse. Something must change.

While CISOs can't control when security incidents happen, they can control how prepared organizations are for those incidents and address burnout drivers ahead of time to create a more sustainable environment.

End the culture of security heroism

Many cybersecurity teams are hooked on the notion of heroism. We swap exciting stories about pulling all-nighters to defend our organization or investigate a threat. This unfortunate trend has led to an unhealthy work-life balance. The survey data showed that, on average, CISOs work 11 hours more than they're contracted to each week, and 10% of CISOs say they work 20 to 24 extra hours in a week.

This culture of heroism does not benefit anyone. It fails to acknowledge that long hours and overworked employees are the signature of an unsuccessful and unsustainable workplace. If a team always needs to loop in the CISO, or the CISO constantly has to jump in for frontline incident response work, the team has been optimized for heroics rather than for effective and sustainable work. That sets the team up for serious burnout.

It's important to proactively set expectations and have a solid response plan in place, particularly around the holidays when teams are less available. Security teams should know exactly how to react when an incident happens over the holidays, including when to pull in the CISO and when to stop working on an after-hours incident and follow up during normal business hours. It's okay to stop the bleeding and then solve the mystery later. Many security teams escalate incidents to the CISO when it isn't necessary, creating extra work for everyone. By setting clear expectations, CISOs can solve this problem and create a better experience for themselves and the team.

CISOs have the power to lead by example and set their teams up for sustainable operational work. If team members see a CISO regularly sending emails late at night or pulling all-nighters, it reinforces that behavior as the standard. While heroics are sometimes unavoidable, CISOs should ensure that they are not the norm.  

Automate where possible

According to a separate survey conducted by Forrester and commissioned by us, employee-related security incidents take up a significant amount of CISOs' time. In fact, the survey found that security teams spend up to 600 hours per month investigating and remediating threats caused by human error – the equivalent of the full-time workloads of nearly four employees.  

A quarter of security leaders say they spend between nine and 12 hours investigating and remediating each threat caused by human error. So it's no surprise that 37% of CISOs reported spending excessive time on triage and investigation.

Having the right automated tools and processes in place can create efficiencies that cut down on needless work and create more time for the most critical tasks. Without clear expectations around what constitutes an emergency and how to handle an emergency, everything becomes an emergency and burnout becomes much more likely.

For example, security teams should have a single, defined point of contact, such as an email address or a phone number, that any employee can use to get help or flag a security incident. This offers a 24x7 method for receiving information that doesn't automatically mean calling the CISO or someone on the security team in the middle of the night. Pair this with a ticketing system and other incident response tools to manage the on-call rotation and pages. A well-defined plan backed by automated tooling engages the right team members in the right ways and avoids the unpredictability that creates burnout.
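To make the escalation rules described above concrete, here is an added Python example. It is not Tessian's tooling or anything the column itself describes; it shows how the intake-and-routing policy could be encoded so that the decision of who gets paged, and when the work waits for business hours, is made by the tooling rather than by whoever happens to be awake. The severity scale, the 09:00-17:00 weekday window, the action names and the sample reports are all assumptions chosen for illustration.

```python
"""Escalation routing for reports arriving at the team's single intake address.

Added illustration, not the column author's or Tessian's code. The severity
levels, business-hours window and routing rules are assumptions; a real team
would tune them to its own risk appetite and on-call schedule.
"""
from dataclasses import dataclass
from datetime import datetime, time
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1        # e.g. phishing report, link not clicked
    MEDIUM = 2     # e.g. suspicious login that was already blocked
    HIGH = 3       # e.g. credential compromise of one account
    CRITICAL = 4   # e.g. active data exfiltration


@dataclass
class Report:
    summary: str
    severity: Severity
    received_at: datetime
    contained: bool = False   # "bleeding stopped": the mystery can wait


# Assumed business-hours window (local time, Monday to Friday).
BUSINESS_START = time(9, 0)
BUSINESS_END = time(17, 0)


def in_business_hours(ts: datetime) -> bool:
    """True on a weekday between BUSINESS_START and BUSINESS_END."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def route(report: Report) -> list[str]:
    """Return the ordered actions the intake tooling should take for a report.

    Policy (assumed):
      * every report gets a ticket, so nothing is lost;
      * only CRITICAL wakes the CISO;
      * HIGH after hours is paged only until contained, then investigation
        is deferred to business hours;
      * everything else waits for the next business day.
    """
    actions = ["open_ticket"]
    office_hours = in_business_hours(report.received_at)

    if report.severity == Severity.CRITICAL:
        actions += ["page_oncall", "escalate_ciso"]
    elif report.severity == Severity.HIGH:
        if office_hours:
            actions.append("assign_oncall")
        elif not report.contained:
            actions += ["page_oncall", "defer_investigation_to_business_hours"]
        else:
            actions.append("defer_investigation_to_business_hours")
    else:
        actions.append("queue_for_next_business_day")
    return actions


# Constructed sample intake, timestamped on Thanksgiving evening 2021 and the
# following Friday morning; these are invented for the example.
SAMPLE_REPORTS = [
    Report("Employee reports phishing email, link not clicked",
           Severity.LOW, datetime(2021, 11, 25, 23, 10)),
    Report("Unusual OAuth grant to unknown app, token revoked",
           Severity.HIGH, datetime(2021, 11, 25, 23, 15), contained=True),
    Report("Unusual OAuth grant to unknown app, still active",
           Severity.HIGH, datetime(2021, 11, 25, 23, 15)),
    Report("Bulk download from file share by former contractor account",
           Severity.CRITICAL, datetime(2021, 11, 25, 23, 20)),
    Report("Password reset abuse on one account, during office hours",
           Severity.HIGH, datetime(2021, 11, 26, 10, 0)),
]


def triage(reports: list[Report]) -> dict[str, list[str]]:
    """Route a batch of reports; returns summary -> actions."""
    return {r.summary: route(r) for r in reports}


if __name__ == "__main__":
    for summary, actions in triage(SAMPLE_REPORTS).items():
        print(f"{summary}: {', '.join(actions)}")
```

The point of the example is the shape of the policy, not the specific thresholds: the only path that reaches the CISO is CRITICAL, and a HIGH report that arrives after hours and is already contained does not page anyone at all. Those two decisions are exactly the ones that, left to individual judgment at 11 p.m., tend to turn into unnecessary escalations.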

Reassess burnout for the hybrid and remote workplace

Cybersecurity burnout has been widely discussed over the years, but it's important that the conversation evolves to reflect the new realities of work. Remote and hybrid workplaces are becoming the norm, meaning that many employees spend some or all of their time working from home. Dealing with high-stress, high-stakes cybersecurity situations from home has a very different mental health impact, and 59% of CISOs say they struggle to switch off from work once the working day ends.

Of course, many CISOs and their team members must remain reachable and are regularly pinged in the middle of the night to investigate a threat. Not every employee has a quiet place to work at home. This issue becomes even worse during the holidays when many people are traveling — something I've experienced firsthand. No one wants to respond to a security event in grandma's living room while their confused and disappointed family eats dinner in the next room. It's important to recognize situations like this and create humane, sustainable experiences that still deliver operationally sound security outcomes.

Proper resourcing can help solve this problem. CISOs and their organizations need to invest in the right tooling and the correct level of staffing to prevent and manage burnout. If the company can't survive a week in which more than one employee takes sick time, the organization doesn't have a big enough team. Other functions like engineering and customer service have had to find ways to provide 24x7 support amid holiday travel and vacation time; the issue is not unique to security, and our industry should learn from them. It's almost always more cost-effective to hire one additional person than to burn out a team and incur the additional risks and costs.

Most drivers of burnout are avoidable. CISOs have the power to address many of these factors and should absolutely take responsibility for doing so. It’s about having the right people in place, shoring up processes and tools before an incident happens, and leading by example. It falls to leaders to ensure they are proactive in addressing the operational needs of their teams and ensuring the staffing levels, processes, and technology are in place to avoid burnout. 

Josh Yavor, chief information security officer, Tessian
