The stakes are high for CISOs

8 Min Read

Business security

The heavy workload and the specter of personal liability for incidents are taking their toll on safety leaders, so much so that many of them are looking for the exit. What does this mean for companies’ cyber defenses?

cybersecurity cisos pressure scrutiny

Cybersecurity is finally becoming a board-level issue. That’s as it should be, given the increasingly important role that cyber risk management plays in strategic decision-making. Cyber ​​risk is essentially a core business risk that can make or break an organization. That’s certainly the idea behind it new regulatory rules in the U.S.

But in recognizing its importance, boards and regulators are also putting more pressure on CISOs, without necessarily giving them adequate recognition and reward. The result: increasing stress, burnout and dissatisfaction. Three quarters (75%) of CISOs so it is said open to change, an increase of eight percentage points compared to a year ago. And 64% are satisfied with their role, down from 10%.

These challenges have serious consequences for cybersecurity within organizations. Addressing it must be an urgent priority.

An increasingly stressful role

CISOs have always had a stressful job. Recent drivers include:

  • Rising levels of cyber threats, leaving many organizations in constant firefighting mode
  • Skills shortages in the sector leaving key teams understaffed
  • Excessive workload due to increasing demands on the boardroom
  • A lack of adequate resources and financing
  • Workloads that force CISOs to work long hours and cancel vacations
  • Digital transformation, which continues to expand companies’ cyber attack surface
  • Compliance requirements that continue to grow every year

It’s no surprise that a quarter (24%) of global IT and security leaders do this have admitted to self-medicate to relieve stress. Rising stress levels not only increase the likelihood of burnout and/or early retirement – ​​they can also lead to poor decision-making (as noted by this study, for example), but also affect cognitive skills and the ability to think rationally. In fact, it has been suggested that even the anticipation of the stressful day ahead can influence cognition. About two-thirds (65%) of CISOs to give in that work-related stress has compromised their ability to perform at work.

See also  Market expectations are high that the major central banks will cut interest rates around the middle of the year. Reuters reports this

Control puts even more pressure on the CISO

On top of this stressful situation, additional regulatory, legal and administrative scrutiny has emerged in recent months. Three recent events are instructive:

  • May 2023: Former Uber CSO, Joe Sullivan was convicted to three years’ probation after being found guilty of two felonies related to his role in an attempted cover-up of a 2016 mega-breach. Advocates claim he was imprisoned by then-CEO Travis Kalanick and in-house Uber counsel Craig Clark was made a scapegoat. Sullivan explains that Kalanick had signed his controversial $100,000 payment to the hackers.
  • October 2023: In a first, the SEC has sued SolarWinds’ CISO Timothy Brown for downplaying or failing to disclose cyber risks while exaggerating the company’s security practices. The complaint cites several internal comments made by Brown and alleges that he failed to resolve or raise these serious concerns within the company.
  • December 2023: New SEC reporting rules will come into force, requiring listed companies to report “material” cyber incidents within four working days of determining materiality. Companies will also need to annually describe their processes for assessing, identifying and managing risks and the impact of any incidents. And they will need to detail the board’s oversight of cyber risks and its expertise in assessing and managing such risks.

It is not only in the US that regulatory scrutiny is increasing. The new NIS2 directive, which must be transposed into EU Member State law by October 2024, places direct responsibility on the board to adopt cyber risk management measures and oversee their implementation. Members of the C-suite can also be held personally liable if found negligent in serious incidents.

See also  Using YouTube Picture-in-Picture in the UK

According to Enterprise Strategy Group (EST) analyst Jon OltsikThe increasing pressure such measures place on CISOs makes their core mission of responding to threats and managing cyber risks more challenging. A recent ESG study shows that tasks such as collaborating with the board, overseeing regulatory compliance and managing a budget are shifting the role of the CISO from a technical to a business-oriented role. At the same time, the growing reliance on IT to drive digital transformation and business success has become overwhelming. The research shows that 65% of CISOs have considered leaving their role due to stress.

cisos-burnout-stress-liability

Takeaways for CISOs and boards

The bottom line is that if CISOs have difficulty handling the workload and fear retaliation from regulators and even criminal liability for their actions, they are likely to make worse day-to-day decisions. Many may even leave the sector. This would have a hugely detrimental effect on a sector already struggling with skills shortages.

But it doesn’t have to be this way. There are things both boards and their CISOs can do to alleviate the situation. It is in both their interests to find a way through this. Imagine the following situation:

  • Directors should assess CISOs’ mental health, workload, resources and reporting structures to optimize their effectiveness. High employee turnover can lead to large gaps without a full-time CISO, demotivating teams and impacting security strategy.
  • Executives must reward their CISOs commensurate with the increased risk their role now entails.
  • Regular involvement of the board and the CISO is essential, with direct reporting lines to the CEO where possible. This will help improve communication between the two and elevate the CISO’s position in line with their responsibilities.
  • Boards must provide their CISOs with this directors and officers insurance (D&O). to help protect them from serious risks.
  • CISOs need to stick with the industry they love and embrace greater responsibility instead of running away from it. But they should also remember that their role is to advise the board and provide context. Let others make the big decisions.
  • CISOs should always prioritize transparency and openness, especially with regulators.
  • CISOs must be aware of what they circulate internally and ensure that controversial decisions or requests from the C-suite are always recorded in writing.
See also  Walmart Bubble Due to High Income Spending on Groceries, Bill Simon Warns

When finding a new role, CISOs should hire a personal attorney to review their prospective contract in detail.

To optimize cybersecurity strategy, boards must begin to reassess what they want the CISO role to become. The next step is to ensure that the cybersecurity professional in that role receives enough support and sufficient compensation to want to stay there.

Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *