Mental health warning in cybersecurity: CISOs across the industry reporting high levels of stress

October 26, 2020

The British Interactive Media Association (BIMA) recently revealed that tech workers are five times more likely to suffer from a mental health problem than the wider population.

Nominet’s latest CISO Stress Report has also revealed that almost nine in ten (88%) chief information security officers (CISOs) consider themselves under moderate to high stress levels. The same report revealed that CISOs lose on average $35 000 a year in unpaid overtime, while increased stress levels have resulted in a 26-month tenure on average.

Cybersecurity under stress

The FBI has recently reported that the number of cyberattack-related complaints to their Cyber Division has risen to almost 4,000 a day. Microsoft reports that COVID-19-related attacks, where cybercriminals gain access to a system through phishing or social engineering, have jumped to almost 30,000 a day in the US alone. The increased effectiveness of the attacks means that workloads are increasing faster than people can be employed. It also means that CISOs are rarely afforded downtime between incidents. For many in the security department dealing with incident response, stress levels are sky-high.

‘’The entire [cybersecurity] industry is under stress. One reason could be the significant increase in successful cyber attacks. Another might be the need to work more hours than specified in the employment contract.’’ says Juta Gurinaviciute, NordVPN Teams Chief Security Officer.

In fact, a recent study by NordVPN Teams has found that U.S. and U.K. employees work at least one extra week each month during COVID-19. For CISOs, this number might be even higher.

COVID-19 aggravates the issue

According to IBM’s recent ‘’Cost of a Data Breach’’ report, 76% of respondents said remote work would prolong the time needed to identify and contain a security breach, while 70% said it would increase the cost of a breach. The skyrocketing demand for video conferencing, cloud applications, VPN access, and network resources also poses new challenges for IT departments.

Alongside their usual day-to-day work, CISOs now have to anticipate a deluge of opportunistic attacks, are pressured to potentially innovate remote working policies, learn to manage and motivate their teams in a whole different dynamic, while at the same time worrying more and more about their own job security and that of their team.

"It's no surprise that CISOs are facing burnout. The threats of attacks are real, and CISOs need to be given the resources and support to tackle them. This must be done if we want to attract and, more importantly, actually retain the right caliber of individual to lead a business through the threatscape. To really empower security leaders, cybersecurity needs to be viewed as a strategic, business-critical function and have a prominent seat at the table," the NordVPN Teams expert said.

In fact, as cyber incidents increase globally, three out of four CEOs will be personally liable for hacking events by 2024, as they will not be able to plead ignorance or retreat behind insurance policies, according to Gartner.

In today's digital world, outages and security breaches have larger financial ramifications than ever, reaching $3.92 million, according to IBM’s recent ‘’Cost of a Data Breach’’ report. And the more stressed CISOs are, the higher the chance of an unforeseen security breach, and the higher the mitigation costs afterwards. Hence, urgent steps towards CISOs mental health should be taken to help retain staff, catch attacks early on, and improve security in the long run.

Juta Gurinaviciute is an IT professional with over 20 years of experience in cybersecurity and systems engineering. Currently, she is a Chief Technology Officer at NordVPN Teams. Prior to NordVPN Teams, she held senior UNIX System Administration positions at Telia Company and Barclays. Juta is also a certified RedHat Systems Engineer.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.