CISOs are Burning Out, Missing Holidays Due to Work Demands 

The demands on chief information security officers (CISOs) are mounting, leading many to skip vacation time and even miss holidays like Thanksgiving, according to a Tessian survey of 317 security strategy decision-makers at organizations in the U.S. and the UK. 

The study revealed 42% of CISOs have missed holidays like Thanksgiving due to work demands, and a quarter of CISOs have not taken time off work in the past 12 months.

On average, CISOs said they work 11 more hours than they’re contracted to each week, while one in 10 works 20 to 24 hours extra a week. More than half of CISOs surveyed (59%) said they struggle to always switch off from work once the work day is over.

Meanwhile, human error continues to drain security resources, with a quarter of CISOs surveyed saying they spend nine to 12 hours per month investigating and remediating each threat caused by human error, and more than one-third (37%) said they spend excessive time on triage and investigation. 

Focus on Outcomes, Staffing Levels

Josh Yavor, CISO at Tessian, explained that security programs need to be set up appropriately for operational outcomes, with the right staffing, tools and automation in place.

“Our data shows 37% of CISOs are spending all that extra time on triaging and investigation,” he said. “This is likely indicative of unsustainable situations where there is insufficient staffing or planning for enabling effective incident response efforts without the need for CISOs to be directly involved.”

He said that, as CISOs, he and his contemporaries need to better understand their own capacity and accept that they’ll never get 100% of the work done in any given day.

“Knowing what to prioritize, what to delay and demonstrating effective communication with stakeholders provides security teams with leadership examples that are critical to setting effective expectations and preventing burnout,” he said. 

In addition, nearly four in 10 CISOs (38%) said they believed they’re spending too much time in departmental meetings and reporting to the board on cybersecurity and not enough time on their own career development, while one-third also feel drained by administrative tasks.

Yavor noted there is also a great risk of losing talented security leaders due to overwork.

“Without security leadership in place, the organization—no matter the size or stage—runs the risk of falling victim to a cyberattack,” he said. “CISOs also play such an instrumental role in the cybersecurity education of the organization’s employees, so without a security leader, employees are at risk of making cybersecurity mistakes like opening a malicious email or accidentally sending sensitive information to the wrong person.”

Yavor said CISOs should focus on developing a community of peers who are able to better understand the realities that come with this type of role.

“These communities and individual relationships enable better feedback loops and sharing of experiences and strategies that can help CISOs in what can otherwise be a very lonely working experience,” he said. 

When asked to elaborate on the areas they feel aren’t getting enough attention, CISOs listed hiring talent for their team (36%), attending non-departmental meetings (38%), communicating to customers (35%), researching new industry updates and trends (36%) and working on their own career development (38%).

From Yavor’s perspective, CISOs have the opportunity to pave the way for a solid security culture and set expectations within their organization to deliver survivable and sustainable work experiences.

That means they should ensure security programs and teams are set up appropriately for the best outcomes by focusing on two key areas: ensuring that operational security work such as incident response is supported by sustainable on-call models, staffing and tooling, and being proactive in preventing work commitments that are well beyond the capacity of their teams.

On the tooling side, automation can play a major role by alleviating the time and resources needed for investigation and remediation.

No Need for Heroics

Yavor also noted the shift to a remote workforce has blurred the lines between work and home for everyone, including CISOs.

“When we’re home, it’s often harder to disconnect and escape the feeling of still being ‘on’,” he said. “This is just not sustainable and, like any job function, CISOs have their limits and need to advocate for themselves and time constraints to avoid burnout.”

Yavor warned this would be especially true as organizations continue with hybrid workforce models, and said that, as leaders, it’s critical for CISOs to lead by example and set their teams up for sustainable operational work.

“There is this unfortunate trend of heroism in the security industry and as security leaders, some of our most exciting stories include pulling all-nighters to defend the organization or investigate a threat,” he said. “While heroics are sometimes unavoidable, we should be accountable for ensuring they are not the norm.”


Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
