CISOs face mounting pressure: Here’s how to help

Three ways to alleviate CISO stress

A CEO will last 8.4 years in the position, while a CFO clocks in at 6.2 years in average length of tenure. But a look around the boardroom will tell you that longevity isn’t in the cards for overworked, overwhelmed CISOs, with most only spending an average of two years in the role before calling it quits.

This trend is no coincidence - CISOs are at the top of the list for burnt out, especially this year, as organizations accelerated digital transformation nearly overnight and employees continue to work remotely. In fact, a recent Nominet study found that 88% of CISOs remain moderately or tremendously stressed.

Even if National Cybersecurity Awareness Month is done, we should still tip our hats to CISOs and together as an industry, adopt a few best practices that will help alleviate the burden of our valuable security leaders.

Understand the shared responsibility

More CISOs ranked the responsibility of securing the business/network as the most stressful part of the job, slightly ahead of long, grueling hours. That’s because traditionally, organizations carry an assumption that security is the sole responsibility of the CISO. In reality, security needs to be a team sport - everyone, from the CEO to the seasonal intern, should prioritize cybersecurity hygiene to keep the business protected. It’s no longer a CISO request; it’s now a business imperative.

To instill this notion of shared responsibility, organizations should prioritize regular cybersecurity training, which should be mandatory for all employees. Simple measures, such as not clicking on a malicious phishing link from an unknown alias, can have big, positive effects on the business at large, and most importantly, take pressure off of the CISO.

Close the skills gap

Infosec has endless job opportunities, but not enough talent to help fill the skills gap. As a result, CISOs and their security teams are working in overdrive to meet the demand for increased security while short staffed. This has daunting repercussions, with 23% of CISOs turning to medication or alcohol to manage their stress, and 40% admitting their stress levels had affected their relationships with their family or children.

The reality is, we will never outhire the talent shortage, but we can all pitch in to help lessen it. Don’t just look for overqualified external candidates to fill security openings. Instead, look internally to see what type of talent translates well into a security career. Is there a QA analyst that has great communication skills and attention to detail? Consider piquing their interest in a career in cybersecurity. Additionally, tap your professional network to help bring in top talent, regardless of technical backgrounds. Lastly, organizations at large should offer continual education from internal and external resources, and retain by advancement -- reward a job well done and be a regular advocate for promotions and/or raises in the industry.

Offer a helping hand

Sometimes, CISOs just need to know someone is in their corner, supporting them within an organization. If serving in another function, don’t overlook the power of lending a helping hand - ask a CISO how they’re doing, or how your department can help. CISOs are known to support every department, but the reality is, this support is not always reciprocated. Look to leaders in finance, marketing, customer service or HR, who often take priority when allocating budgets, for support, not only financially but for sound business advice based on what they’re seeing across the organization.

If we all played a small role in helping alleviate the burden of today’s CISO, it would amount to a vast difference. CISOs would feel less stressed, have a better quality of life and enjoy a longer tenure protecting their organizations. It’s a win/win situation - now, let’s get the industry on board.

Rick McElroy, Principal Cybersecurity Strategist for VMware, has 24 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. He has held security positions with the U.S. Department of Defense, and in several industries including retail, insurance, entertainment, cloud computing and higher education. McElroy’s experience ranges from performing penetration testing to building and leading security programs. McElroy is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CSIM), Certified in Risk and Information Systems Control (CRISC) and Certified in Cloud Security Knowledge (CCSK). As a United States Marine, McElroy’s work included physical security and counterterrorism services. His current role takes him all over the world working with organizations to improve their security strategies and speaking on security and privacy.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.