A CEO will last 8.4 years in the position, while a CFO clocks in at 6.2 years in average length of tenure. But a look around the boardroom will tell you that longevity isn’t in the cards for overworked, overwhelmed CISOs, with most only spending an average of two years in the role before calling it quits.
This trend is no coincidence - CISOs are at the top of the list for burnout, especially this year, as organizations accelerated digital transformation nearly overnight and employees continue to work remotely. In fact, a recent Nominet study found that 88% of CISOs remain moderately or tremendously stressed.
Even if National Cybersecurity Awareness Month is done, we should still tip our hats to CISOs and, together as an industry, adopt a few best practices that will help alleviate the burden of our valuable security leaders.
Understand the shared responsibility
More CISOs ranked the responsibility of securing the business/network as the most stressful part of the job, slightly ahead of long, grueling hours. That’s because traditionally, organizations carry an assumption that security is the sole responsibility of the CISO. In reality, security needs to be a team sport - everyone, from the CEO to the seasonal intern, should prioritize cybersecurity hygiene to keep the business protected. It’s no longer a CISO request; it’s now a business imperative.
To instill this notion of shared responsibility, organizations should prioritize regular cybersecurity training, which should be mandatory for all employees. Simple measures, such as not clicking on a malicious phishing link from an unknown alias, can have big, positive effects on the business at large, and most importantly, take pressure off of the CISO.
Close the skills gap
Infosec has endless job opportunities, but not enough talent to help fill the skills gap. As a result, CISOs and their security teams are working in overdrive to meet the demand for increased security while short-staffed. This has daunting repercussions, with 23% of CISOs turning to medication or alcohol to manage their stress, and 40% admitting their stress levels had affected their relationships with their family or children.
The reality is, we will never outhire the talent shortage, but we can all pitch in to help lessen it. Don’t just look for overqualified external candidates to fill security openings. Instead, look internally to see what type of talent translates well into a security career. Is there a QA analyst who has great communication skills and attention to detail? Consider piquing their interest in a career in cybersecurity. Additionally, tap your professional network to help bring in top talent, regardless of technical backgrounds. Lastly, organizations at large should offer continual education from internal and external resources, and retain by advancement -- reward a job well done and be a regular advocate for promotions and/or raises in the industry.
Offer a helping hand
Sometimes, CISOs just need to know someone is in their corner, supporting them within an organization. If you serve in another function, don’t overlook the power of lending a helping hand - ask a CISO how they’re doing, or how your department can help. CISOs are known to support every department, but the reality is, this support is not always reciprocated. Look to leaders in finance, marketing, customer service or HR, who often take priority when allocating budgets, for support, not only financially but for sound business advice based on what they’re seeing across the organization.
If we all played a small role in helping alleviate the burden of today’s CISO, it would amount to a vast difference. CISOs would feel less stressed, have a better quality of life and enjoy a longer tenure protecting their organizations. It’s a win/win situation - now, let’s get the industry on board.