Under Pressure - Can CISOs Avoid Burnout?

Ransomware attacks show no sign of slowing with one third of organisations currently experiencing a ransomware attack at least once a week, and one in 10 experiencing them more than once a day. This is according to research we recently commissioned among senior security professionals in the UK and the US.  
 
The mass shift to remote and hybrid forms of working over the past couple of years has expanded the attack surface of organisations, with employees and businesses still adapting to a model that means the growing use of SaaS apps and working most of the time in the web browser. This creates a host of new vulnerabilities, attack vectors and entry points for threat actors. 
 
There’s the risk that employees could simply work around security processes and procedures. In addition, many organisations are faced with what we call shadow IT. This is the use of information technology systems, devices, software, applications and services without IT department involvement or approval. This isn’t typically done maliciously, but rather as something employees use to get their jobs done. 
 
According to Menlo Security's research, nearly half (46%) of senior security professionals say they worry about employees ignoring corporate security advice and clicking on links or attachments containing malware more than anything else. In fact, they worry more about this than they do their own job security, with just a quarter of respondents worried about losing their job. 
 
CISOs’ fears today are multi-layered, with many of them concerned about ransomware attacks evolving beyond their own team’s knowledge and skillset, as well as the company’s security capabilities. 
 
There’s also a real sense of frustration over the challenges that the industry faces when it comes to protecting businesses and employees against ransomware. This ranges from increasing ransom demands to the growth of ransomware-as-a-service (RaaS) and even a feeling that government authorities are not treating ransomware seriously enough. 

Avoiding CISO Burnout 

At the forefront of many of the technology changes in recent years and responsible for driving the company’s security strategy, there’s the risk that security professionals are becoming overloaded and worrying about too many things, some of which are beyond their control. It’s no surprise we’re seeing more example of CISO burnout and a much higher churn rate in the security industry. 
 
Certainly, the shift to where and how we work has been a blessing and curse for CISOs. On the one hand, it’s provided a new level of flexibility that no one could have expected two years ago, but on the other hand, it’s expanded the attack surface and fuelled a rise in web-based attacks. Ranking their top three ransomware attack vectors, half of survey respondents identified the web browser – just below email as the number one attack vector. 
 
CISOs may be experts in handling breaches while remaining calm, but it’s important to remember that just like anybody else, they are susceptible to stress. Between mitigating a growing number of attacks and constantly worrying about the impact a breach could have on the organisation, the CISO role is a challenging one. 
 
According to Dr Christina Maslach, pioneer of research on the definition and predictors of burnout, and creator of the Maslach Burnout Inventory, the most widely used instrument for measuring burnout, the human mind wasn’t designed to push through chronic stress without recovering. Too much stress without time and space away to recover can lead even the most seasoned CISOs to get burned out. Burnout is serious and can put you at greater risk of heart disease and mental health disorders like depression and anxiety. 
 
To avoid this, there are some practical steps to follow: 
 
1.       A CISO’s time is important and attending every meeting you are invited to is not sustainable. Determine which meetings need your attention and which don’t and block out time in the calendar, so the team knows you are busy. It’s important to create boundaries around time and then respect them. 
 
2.       Regularly setting aside some time to ask yourself how you are feeling, physically and mentally. This goes a long way to mitigating the chronic stressors of the role. It’s not enough to assume that you are naturally aware of your mental state. 
 
3.       Be clear about who can help you get what you need in order to do your job. If you don’t know who to go to when you need resources, you won’t be able to gather all the tools you need so you can take ownership over security strategy. This also means garnering executive support so that the Board is on your side. 
 
4.       Have a plan and don’t rely on experience alone to get you through a breach. This seems obvious but given than less than half of our survey respondents say they implement a data backup or recovery plan as the first step in the event of a ransomware attack, so this needs to be stated.  
 
5.       Have a clear strategy when faced with a ransomware demand. Paying it depends on your level of preparedness – do you have the right processes and strong backup in place? If so, you won’t need to pay it. But if your organisation is unable to function as normal, access data or the damage is likely to bring down the business, you need to re-evaluate your options. 
 
But remember no one size fits all. Every organisation - and its security team - is different so pick your battles and take small, purposeful steps, to make sure your job doesn’t dictate your mental health. 
 
Download the full Menlo Security report HERE:
 
 Mark Guntrip is Senior Director of Cybersecurity Strategy at Menlo Security 

You Might Also Read: 

Security Trends For 2022 - The Need For Talent &  Cloud  Migration:

 

« Russia’s Cyber Strategy
How to Select the Right ZTNA Offering »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

GigaOm

GigaOm

GigaOm's mission is to provide enterprises with information and analysis to help them make better decisions about technology.

Canadian Security Intelligence Service (CSIS)

Canadian Security Intelligence Service (CSIS)

CSIS collects and analyzes threat-related information concerning the security of Canada in areas including terrorism, espionage, WMD, cybersecurity and critical infrastructure protection.

App-Ray

App-Ray

App-Ray provides fully automated security analysis of mobile applications to find security issues, privacy breaches and data leaking potentials.

CyberWrite

CyberWrite

Cyberwrite was founded to provide underwriters around the world a unique and innovative Cyber Underwriting platform.

Israel Aerospace Industries (IAI)

Israel Aerospace Industries (IAI)

IAI offers a holistic approach that provides defense forces, governments, critical infrastructures and large enterprises with end-to-end cyber security & monitoring tools.

Quorum Cyber

Quorum Cyber

Quorum Cyber offer end-to-end cyber security solutions, specialising in Managed Security Services, Consulting and Resourcing.

Altran

Altran

Altran supply and coordinate all the varied expertise required to develop the services, architecture and business models that drive digital transformation.

Romanian Accreditation Association (RENAR)

Romanian Accreditation Association (RENAR)

RENAR is the national accreditation body for Romania. The directory of members provides details of organisations offering certification services for ISO 27001.

The Legal 500

The Legal 500

The Legal 500 Hall of Fame highlights, to clients, the law firm partners who are at the pinnacle of the profession. Practice areas covered include Data Protection, Privacy and Cybersecurity.

CyberSwarm

CyberSwarm

CyberSwarm is developing a neuromorphic System-on-a-Chip dedicated to cybersecurity which helps organizations secure communication between connected devices and protect critical business assets.

Pinpoint Search Group

Pinpoint Search Group

Pinpoint Search Group's recruiters specialize in Information Management, Cyber Security, Cloud and Robotic Process Automation (RPA).

IT Jobs Watch

IT Jobs Watch

IT Jobs Watch provides a concise and accurate map of the prevailing IT job market conditions in the UK.

Echosec Systems

Echosec Systems

Echosec Systems is a data discovery company delivering social media and dark web threat intelligence. Our web based security software delivers critical information for situational awareness.

Brookcourt Solutions

Brookcourt Solutions

Brookcourt Solutions delivers cyber security, network monitoring technologies and managed security services to help secure and protect your organisation’s critical infrastructure.

Sikich

Sikich

Sikich LLP is a leading professional services firm specializing in accounting, advisory, technology and managed services.

BrainStorm

BrainStorm

BrainStorm Threat Defense takes a new human-focused approach to security awareness that traditional training lacks. It’s a cutting-edge platform to make your users more security savvy.