Are CISOs getting burned out?
Is the weight of securing the organization taking a personal toll on information security leaders?
A new report is beginning to paint this picture.
I still remember sitting in one of the regional SecureWorld conferences where a CISO from a well-known company talked about a cyber incident and how it impacted her personal health.
The CISO showed charts from her Fitbit, which revealed a resting heart rate about 30% higher during a six-week span. This span ran from the start of the incident to the point where it began to settle out.
The long hours and emotional pressure of a cyber incident clearly had an impact on this security leader's physical health.
And so, it turns out, does the daily pressure of trying to minimize the chances of a cyber incident.
Now a survey of several hundred named CISOs and equivalents, who are in charge of securing their organizations, reveals the increasing impact of stress that security leaders are feeling.
The survey was done by Nominet, which runs the .UK domain name registry:
"Every single CISO questioned found their role stressful, with 91% saying they suffer moderate or high stress and 60% adding they rarely disconnect."
And the survey found CISOs have bumped up the number of hours they work as the pressure grows:
"88% of CISOs surveyed are also doing more than the average 40 working hour weeks. Worryingly, a quarter think the job has had an impact on their mental or physical health, with the same stating that it has had an impact on their personal and family relationships."
We hope this trend can be minimized by something Dr. Larry Ponemon told us about during an interview. In our report on the Changing Role of the CISO, he told us that security leaders are increasingly moving into coaching-type roles, where they no longer hold all of the risk; instead, lines of business share it.
Perhaps that can help bring stress levels down. We'll see how that goes.