Under Pressure - Can CISOs Avoid Burnout?

Uploaded on 2022-10-21 in TECHNOLOGY--Resilience, NEWS-News Analysis, FREE TO VIEW

Ransomware attacks show no sign of slowing with one third of organisations currently experiencing a ransomware attack at least once a week, and one in 10 experiencing them more than once a day. This is according to research we recently commissioned among senior security professionals in the UK and the US.  
 
The mass shift to remote and hybrid forms of working over the past couple of years has expanded the attack surface of organisations, with employees and businesses still adapting to a model that means the growing use of SaaS apps and working most of the time in the web browser. This creates a host of new vulnerabilities, attack vectors and entry points for threat actors. 
 
There’s the risk that employees could simply work around security processes and procedures. In addition, many organisations are faced with what we call shadow IT. This is the use of information technology systems, devices, software, applications and services without IT department involvement or approval. This isn’t typically done maliciously, but rather as something employees use to get their jobs done. 
 
According to Menlo Security's research, nearly half (46%) of senior security professionals say they worry about employees ignoring corporate security advice and clicking on links or attachments containing malware more than anything else. In fact, they worry more about this than they do their own job security, with just a quarter of respondents worried about losing their job. 
 
CISOs’ fears today are multi-layered, with many of them concerned about ransomware attacks evolving beyond their own team’s knowledge and skillset, as well as the company’s security capabilities. 
 
There’s also a real sense of frustration over the challenges that the industry faces when it comes to protecting businesses and employees against ransomware. This ranges from increasing ransom demands to the growth of ransomware-as-a-service (RaaS) and even a feeling that government authorities are not treating ransomware seriously enough. 

Avoiding CISO Burnout 

At the forefront of many of the technology changes in recent years and responsible for driving the company’s security strategy, there’s the risk that security professionals are becoming overloaded and worrying about too many things, some of which are beyond their control. It’s no surprise we’re seeing more example of CISO burnout and a much higher churn rate in the security industry. 
 
Certainly, the shift to where and how we work has been a blessing and curse for CISOs. On the one hand, it’s provided a new level of flexibility that no one could have expected two years ago, but on the other hand, it’s expanded the attack surface and fuelled a rise in web-based attacks. Ranking their top three ransomware attack vectors, half of survey respondents identified the web browser – just below email as the number one attack vector. 
 
CISOs may be experts in handling breaches while remaining calm, but it’s important to remember that just like anybody else, they are susceptible to stress. Between mitigating a growing number of attacks and constantly worrying about the impact a breach could have on the organisation, the CISO role is a challenging one. 
 
According to Dr Christina Maslach, pioneer of research on the definition and predictors of burnout, and creator of the Maslach Burnout Inventory, the most widely used instrument for measuring burnout, the human mind wasn’t designed to push through chronic stress without recovering. Too much stress without time and space away to recover can lead even the most seasoned CISOs to get burned out. Burnout is serious and can put you at greater risk of heart disease and mental health disorders like depression and anxiety. 
 
To avoid this, there are some practical steps to follow: 
 
1.       A CISO’s time is important and attending every meeting you are invited to is not sustainable. Determine which meetings need your attention and which don’t and block out time in the calendar, so the team knows you are busy. It’s important to create boundaries around time and then respect them. 
 
2.       Regularly setting aside some time to ask yourself how you are feeling, physically and mentally. This goes a long way to mitigating the chronic stressors of the role. It’s not enough to assume that you are naturally aware of your mental state. 
 
3.       Be clear about who can help you get what you need in order to do your job. If you don’t know who to go to when you need resources, you won’t be able to gather all the tools you need so you can take ownership over security strategy. This also means garnering executive support so that the Board is on your side. 
 
4.       Have a plan and don’t rely on experience alone to get you through a breach. This seems obvious but given than less than half of our survey respondents say they implement a data backup or recovery plan as the first step in the event of a ransomware attack, so this needs to be stated.  
 
5.       Have a clear strategy when faced with a ransomware demand. Paying it depends on your level of preparedness – do you have the right processes and strong backup in place? If so, you won’t need to pay it. But if your organisation is unable to function as normal, access data or the damage is likely to bring down the business, you need to re-evaluate your options. 
 
But remember no one size fits all. Every organisation - and its security team - is different so pick your battles and take small, purposeful steps, to make sure your job doesn’t dictate your mental health. 
 
Download the full Menlo Security report HERE:
 
 Mark Guntrip is Senior Director of Cybersecurity Strategy at Menlo Security 

You Might Also Read: 

Security Trends For 2022 - The Need For Talent &  Cloud  Migration:

 

« Russia’s Cyber Strategy
How to Select the Right ZTNA Offering »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Cyber 360

Cyber 360

Cyber 360 is a Cybersecurity contract and fulltime placement firm dedicated to identifying and hiring Cybersecurity professionals.

CybelAngel

CybelAngel

CybelAngel is a leading digital risk protection platform that detects and resolves external threats before these wreak havoc.

Openminded (OPMD)

Openminded (OPMD)

Openminded is a French security and network services company.

IT Security House

IT Security House

IT Security House is a leading European supplier of Cyber Security Intelligence and eCrime services.

Nexusguard

Nexusguard

Nexusguard is at the forefront of the fight against malicious Internet attacks, protecting organizations worldwide from threats to their websites, services, and reputations.

VMRay

VMRay

VMRay delivers advanced threat analysis and detection that combines a unique agentless hypervisor-based network sandbox with a real-time reputation engine.

ANSI National Accreditation Board (ANAB)

ANSI National Accreditation Board (ANAB)

ANAB is the largest accreditation body in North America. The directory of members provides details of organisations offering certification services for cybersecurity related standards.

Cyber Security Jobs

Cyber Security Jobs

Cyber Security Jobs was formed to help job seekers find jobs and recruiters fill cyber security job vacancies.

FraudScope

FraudScope

FraudScope is an AI-assisted platform that accelerates the identification of fraud, waste, and abuse.

Armenia Startup Academy

Armenia Startup Academy

Armenia Startup Academy is a pre-acceleration program for selected Armenian tech companies and startups in areas including cybersecurity.

QuoIntelligence

QuoIntelligence

QuoIntelligence experts can help your team understand the evolving cyber threats and provide simple yet comprehensive recommendations so you can focus on what matters.

Aura

Aura

Aura is a mission driven technology company dedicated to creating a safer internet for everyone. We’re making comprehensive digital security that's simple to understand and easy to use.

Eureka Security

Eureka Security

Eureka help organizations securely use any cloud data storage technology they need without having to compromise on security.

Securious

Securious

If you need to improve your cyber security or achieve cyber security accreditations, Securious provide an independent service that will identify and address your issues quickly and efficiently.

Anonos

Anonos

Anonos is a global software company that provides the only technology capable of protecting data in use with 100% accuracy, even in untrusted environments.

Castlepoint Systems

Castlepoint Systems

Castlepoint Systems is a pioneer in information governance, risk and compliance as a service. An all-in-one solution offering powerful risk management, built in compliance, cybersecurity and audit.