A new report on the working life of the CISO examines the impact of continued stress on the mental health and personal lives of CISOs, and drills down into the causes of stress, including poor work-life balance and a lack of support from the board.
The CISO Stress Report: Life Inside the Perimeter, One Year On from Nominet found that the vast majority of CISOs (88 percent) remain moderately or tremendously stressed, a small decrease from 91 percent in 2019. However, this stress is now taking a greater toll on CISOs’ mental and physical health, and their personal relationships.
● 48 percent of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year (27 percent). 31 percent also reported that their stress had impacted their physical health.
● 40 percent of CISOs said that their stress levels had affected their relationships with their partners or children
● 32 percent said that their stress levels had repercussions on their marriage or romantic relationships and 32 percent said that their stress levels had affected their personal friendships
● The number of CISOs turning to medication or alcohol has increased by a quarter year on year, from 17 percent in 2019 to 23 percent in 2020
This personal impact is also having negative effects for organizations, with 31 percent of CISOs saying that stress had affected their ability to do their job, according to the survey, which is two percent more than in 2019. This results in a high rate of burnout, with the survey reporting that the average tenure of a CISO is just 26 months.
Dr. Dimitrios Tsivrikos, Lecturer in Consumer and Business Psychology, University College London, said: “While there have been positive steps in mental health and stress-related issues, the essence of tackling these issues has not received as much attention as needed. While measuring, understanding and incorporating key findings within the work is incredibly important, we also need to consider that there is a lack of research that looks into the work-life balance.
“We do anticipate that stress levels will continue to rise until we address the issue of stress, mental health and well-being at work. These are issues that are recognized but we have to match awareness with passion for actually tackling stress and allowing employees to live a happier and healthier life.”
Investigating the causes of CISO stress, the research found that almost all CISOs are working beyond their contracted hours, on average by 10 hours per week. Even when they are not at work many CISOs feel unable to switch off. As a result, CISOs reported missing family birthdays, holidays, weddings and even funerals. They’re also not taking their annual leave, sick days, or time for doctor appointments, the survey said, contributing to physical and mental health problems.
● 71 percent of CISOs said their work-life balance is too heavily weighted towards work
● 95 percent work more than their contracted hours - on average, 10 hours longer a week, which means CISOs are giving organizations $30,319 worth of extra time per year
● Only two percent of CISOs said they were always able to switch off from work outside of the office, with the vast majority (83 percent) reporting that they spend half their evenings and weekends or more thinking about work
● 87 percent of CISOs say that working additional hours was expected by their organization
Almost all surveyed CISOs (90 percent) said they’d take a pay cut if it improved their work-life balance. On average, CISOs said they’d be willing to give up 7.76 percent of their wage, which equates to $9,642 per year.
The research also found that the board does take security seriously, with 47 percent saying that cybersecurity is a “great” concern to them. They are actually more likely than CISOs to think that cyber threats are a “high” or “very high” risk to their business (90% vs 66%). They are also aware of the high-pressure nature of the CISO’s job, with 74 percent saying they believe their security team to be moderately or tremendously stressed. However, many still hold the CISO responsible for a breach and expect them to deliver more value to the business.
● 66 percent of the organizations surveyed had experienced at least one security breach in the past year, 30% had experienced multiple
● 24 percent of CISOs said that their board doesn’t accept breaches are inevitable
● The majority of both CISOs (37 percent) and C-Suite (31 percent) believe the CISO is ultimately responsible for the response to a security breach
● 29 percent of CISOs believe that the executive team would fire the responsible party, which is confirmed by the C-Suite (31 percent). A fifth (20 percent) of CISOs believe they would be fired whether they were responsible or not.
● 97 percent of the C-Suite said that the security team could improve on delivering value for the amount of budget they receive
The full report is available here.