Stress pushing CISOs out the door

Nearly half of CISOs will change jobs by 2025 due to stress caused by the risk of being breached while trying to retain staff, according to the Gartner report, Predicts 2023: Cybersecurity Industry Focuses on the Human Deal. The research firm found that the stressors of the cybersecurity world make the job of a cybersecurity professional unsustainable. This includes the knowledge that there are only two possible outcomes: get hacked or don’t. “The psychological impact of this is profound, directly affecting decision quality and performance of cybersecurity leaders and their teams,” found Gartner.

Although burnout is nothing new, it did become more visible and common during and after COVID-19. For CISOs it is worse as more than 50% are challenged with work demands that lead to a poor work-life balance at least once a month. A leader recovering from the stress of a data breach could last less than five years on the job — the average tenure of a cybersecurity leader according to a 2020 Gartner research report.

The stress of the job affects all cybersecurity professionals who are not afraid to look for different opportunities. But talent churn can damage the mission as replacing such professionals can cost up to 30% more than the investment needed to retain talent.

The vast market opportunity caused by the lack of professionals doesn’t make things any easier. There is less than 0% unemployment in cybersecurity. “To mitigate this, cybersecurity leaders need to focus on the health and well-being of their teams, starting with themselves,” stated the report.

Gartner also found that of those nearly 50% looking to change jobs, 25% are considering a complete change of role due to stress. Gartner analyst Deepti Gopal tells CSO that some will move workplaces while others will take on different roles such as become a cybersecurity evangelist, a CIO, or take up creative roles like becoming an artist.

More stress and interruptions mean more risk

There is no work-life balance in the life of cybersecurity professionals, according to Gartner. This was exacerbated by the switch to hybrid work, which means professionals are constantly checking what is going on but also distracted. This can cause increased susceptibility to social engineering or poor management of a cyberattack, data breach or ransomware attack.

Demand for professionals is driving wages up, but recent layoffs at big tech companies can mean more “elite cyber-pros” available, which can dampen the wage inflation and also create the opportunity for companies who would normally not be able to afford such professionals. “Market rates for talent may need to be reviewed multiple times. While proactively addressing salary and benefits may help retain employees, top talent often quits cultures,” according to Gartner.

Companies that do not view cybersecurity risk management as critical face higher attrition. With CISOs constantly trying to balance high expectations against an absence of the tools needed to meet those expectations, good organizational culture can make a difference in retaining professionals.

In a previous interview, cryptographer Jon Callas said: “Companies have to understand that it is in their benefit to back up the CISO. And CISOs have to earn trust as well.”

Gartner suggests a change in engagement from CISOs may help in the long run. These include engage in collaborative design with business stakeholders, delegate responsibility, and be very clear on what is possible and what is not, and why.

With the cost a data breach can cause any company this is an easy argument to change the mindset of the organization. Safety is seen alongside profitability rather than against it, CISOs should use that to change the company’s ideology and ensuring their department is seen as a crucial part of the business.

“A key stressor of our work is that often our teams are playing a game they can’t win because they are always playing defense. We must find opportunities for our teams to be recognized for putting ‘points on the board’ rather than just blocking opponents.”