Health Hazards of being a CISO

No, we aren’t being facetious here at all. Recent studies and research suggest that those working in cybersecurity are facing higher rates of mental health issues.

Protecting property isn’t child’s play, whether it involves patrolling a country’s borders, guarding a security installation, or safeguarding the massive amounts of data the internet has generated ever since it became a fixture of our lives. So it isn’t unfathomable that cybersecurity officers tend to live under constant duress, leading to health challenges.

A recent report from Hack The Box, a cybersecurity performance centre, says that medium and large enterprises are facing significant financial losses due to stress, fatigue and burnout among cybersecurity workers. These losses could be averaging more than $625 million in the United States alone, the report says.

More than 90% of CISOs surveyed by the company were concerned about the impact of these mental health issues on their team’s well-being and productivity, with close to 74% of leaders reporting that their cybersecurity staff had taken time off to deal with stress-related issues. However, almost two-thirds of these leaders admit to not investing in new tools to enhance team efficiency in this area – this in spite of the potential losses.

What’s causing these challenges for CISOs?

The research conducted by Hack The Box further notes that many employees felt the lack of support actually aggravated the problem, with more than two-thirds of cybersecurity professionals reporting stress, fatigue or burnout. And the reasons are obvious – persistent skill gaps and excessive performance pressures.

Meanwhile, a report published by SDxCentral quotes Forrester principal analyst Jess Burn as suggesting that the high levels of stress in this segment of the industry lead to social disconnection, with mental health issues also causing higher rates of substance abuse. She articulated these views at a virtual roundtable hosted by Hack The Box.

Moderating the roundtable, security blogger Graham Cluley noted that cybersecurity is among the industries most vulnerable to burnout, given that human error is largely the starting point of data breaches and cyber incidents. Participants also pointed to a Gartner study that predicts half of existing CISOs may change jobs by 2025, with 25% opting for a change in career or industry.

Pressure to perform when you know success is never 100%

The pressure to perform in the cybersecurity domain is increasing further due to the rising frequency and sophistication of cyberthreats and the shortfall of qualified personnel to track and prevent them, the research notes. Digital transformation initiatives and the trend toward remote work have further expanded attack surfaces.

Add to this the rapid adoption of cloud technology and interconnected devices, which has compounded the challenges faced by security experts. And if this was not enough, many CISOs feel underwhelmed by their compensation packages. This finding comes from yet another study, conducted by IANS Research and Artico Search.

The report claimed that a quarter of the 150 CISOs surveyed expressed dissatisfaction with their compensation packages, though they were overall happy with them at the time of joining. There is also a fear that falling cybersecurity budgets in medium and large enterprises could further negate salary hikes, adding to the overall stress.

According to the latest data, security budgets dropped 4% in 2022 and saw a significant 26% decline in 2023 and the early period of 2024. On average, security spend accounts for 14.4% of IT budgets and a mere 1.27% of annual revenue in the United States. The current slowdown further reduced hiring in the tech sector, which also stalled CISO movement: while 34% of CISOs switched jobs in 2022, this number dropped to 19% in 2023.

The stress is high, but its cost remains unchanged

Hack The Box CEO Haris Pylarinos feels that stress and cybersecurity go hand in hand, as a crisis is just another day at work in the life of a CISO. In fact, Forrester published a Cybersecurity Firefighters Guide that Jess Burn describes as a series of “heartbreaking” interviews, revealing the absence of enterprise-level assistance for mid-to-senior level workers.

“They’re burning out, they’re leaving, going into areas that don’t have such high pressure and stress,” she says, while noting that there’s an impact on individuals and an impact on organizations when burnout is running rampant in an organization. Often CISOs are helping others cope with the pressure and end up neglecting their own needs.

Furthermore, they end up in the midst of a group of top executives who wouldn’t take kindly to the CISO being unable to manage the stress. What’s more, if the head of cybersecurity goes into panic mode, that’s a signal for everyone else in the company to panic too. This, despite everyone knowing that there’s never going to be a 100% secure enterprise.

How AI is both a friend and a foe for the CISO

One major reason why CISOs are spending more sleepless nights is artificial intelligence (AI). Yes, you read that right. While the rest of the world is talking excitedly about how it can make the workplace smarter and cooler, CISOs are worrying about how the same technology can be weaponized by attackers.

Pylarinos even gave an example of this. Imagine threat actors sending out customized phishing emails based on social profiles: say, a dog lover gets an email about that topic while someone who loves traveling gets a totally different message. How much more effective this would be than the current practice of sending out the same phishing mail to thousands of recipients at one go.

However, experts also agree that AI could potentially bring massive benefits to defenders too, though for this to kick in, strong foundational knowledge and a deep understanding of the networks would be essential. Which is why one solution to the current stress could be retraining and upskilling cybersecurity professionals, along with new career specializations.

Nick Kakolowski, research director at IANS, sums things up when he says that CISOs are pushed into risk leadership roles that put them under high pressure to take decisions outside their areas of direct responsibility. And the only solution the business offers is to adopt “largely unproven and inherently unpredictable technology”.

If these do not give CISOs a cause for concern and unmitigated stress, what would?