How CSOs are battling high stress levels and burnout in cybersecurity

Indian CISOs explain how remote working following the COVID-19 outbreak has made an already challenging job even harder, and share their ideas on how to deal with the pressure

Over the last two years, independent research reports have consistently indicated an alarming rise in stress levels among cybersecurity professionals.

A study conducted by the Council for Registered Ethical Security Testers (CREST) reveals that 30 percent of security professionals experience tremendous stress. Furthermore, 27 percent of CISOs admit that mounting stress levels greatly impact their ability to do the job.

CSO Online India speaks to CISOs to get a read on how the job has gotten tougher, and what they do to beat the stress.

In addition to long working hours, the increasing complexity of organized cyber-attacks, and an ever-increasing skills shortage, the sudden shift towards remote working in the wake of the COVID-19 outbreak has ratcheted up the difficulty level by several notches.

Security teams are now faced with the challenge of protecting devices outside the safe environment of the office network. Patch management is proving to be a challenge, and previously-untested collaboration apps like Zoom have presented serious security threats.

CISOs are having to walk a tightrope to ensure they are able to protect organizational data without harming productivity or the availability of services.

A tough job that's gotten tougher

Throwing light on how the security landscape has changed, Gomeet Pant, senior manager for IT security and compliance at Vedanta Ltd., says, “Over the last five years, a CISO’s job has been increasingly stressful. There are many inevitable factors which are driven by the business. Although it’s beneficial to the overall business, it does bring in a lot of challenges for CISOs.”

With the increase in cloud adoption, the perimeter in need of protection is changing, and every host is now becoming a micro-perimeter.

“There’s a challenge in establishing security priorities in the face of stringent IT budgets, especially in a situation where compliance can eat up your resources instead of investing in active risk channels. There is simply too much to do with too few resources,” he says.

A Nominet report reveals that the average job tenure of a CISO is 18 to 24 months; in comparison, a CEO’s average tenure stands at 8.4 years.

Kiran Belsekar, CISO at Aegon Life Insurance, says that business continuity planning (BCP) and disaster recovery (DR) were never carried out at this scale in the past – and even at companies that did, they were never tested at 100 percent capacity.

With working from home (WFH) becoming the new norm, CISOs and their security teams are observing that the new environment has taken vigilance to the next level – traditional tools and technologies simply don't make the cut anymore.

“Stress levels have also increased because employees are using their own assets in the WFH environment. Even if they use company assets, they're operating on the home network, and you never know what kind of vulnerabilities and threats are prevalent in that network,” says Belsekar.

Security operations teams are seeing a sharp rise in malicious activity. Having to work “25/7” (as Belsekar puts it) and being extra-vigilant at all times is proving to be a source of stress for the Security Operations Center (SOC) workforce.

Belsekar brings to light the criticality of the “shift left” development model – seeking to prevent problems rather than detect them, through the use of agile methodologies – and the subsequent need for security to be embedded at a very early stage of the product management lifecycle.

Sanjeev Lamba, CISO at UNO Minda, identifies similar root causes for stress: “Facilitating working from home and ensuring adequate security and compliance is effected has made it stressful for CISOs – there's no doubt about that.”

Lamba says that longer working hours, limited resources and little or no help from external vendors have made it more challenging for his security team as well.

CISOs cannot work in isolation: they have to work in conjunction with the infrastructure support and end-user support teams. Lamba points out that experienced CISOs understand the business and recognize that ease of use is as important as security controls. “If the CISO focuses solely on controls and works without collaborating with other business units, he will not be accepted anymore,” he says.

For JN Mallikarjun Rao, CISO at Syndicate Bank, lack of visibility into what to secure is a prime source of stress. “However you might try to get traction, darkness still exists; you can’t fathom your surface to guard,” he says.

Rao says that the working culture in organizations needs to change as CISOs are “sandwiched” between disparate business teams and regulatory compliance.

The difficulties involved in monitoring the VPN access that enables working from home take a heavy toll on CISOs and their security teams.

“Permission with caution is the way to go,” he adds.

At Vedanta, Pant says that the challenges are two-fold, psychological and real, with a lot of the volatility, uncertainty, complexity and ambiguity that CISOs face being self-created. “They can be addressed if one accepts the reality and focusses on the fact that this situation is here to stay. Don’t expect a closure by end of next lockdown and tame your mind to concentrate on real priorities,” he says.

“As far as real challenges go, companies in almost all sectors are struggling with cash flow and have reduced IT budgets,” he adds.

How CISOs are motivating their security teams

To motivate his team, Belsekar engages with his team members to review the support they need to do their job. “I'm committed to removing any roadblocks my team might face. I also urge them to train themselves on newer technologies and concepts,” he says.

It's a similar strategy for Lamba: “I drive my security team to take up at least three training courses to upgrade their skills. Although employees are free to choose courses of their choice, it's important to ensure that they are able to implement the learning in their job roles.”

Lamba is also a part of a CISO group that drives instructor-led training for cybersecurity professionals. The group has trained people on the Personal Data Protection bill and on the Payment Card Industry Data Security Standard (PCI DSS).

Combatting stress and burnout

Pant says that now that he doesn't have to travel to work, it feels like there is a lot of extra time at hand. “I try to spend it meaningfully, at least the most part of it. I like to indulge myself in reading a variety of content, either in the form of books or on the web. It helps divert your brain from the routine. Secondly, I give myself a lot of gastronomic challenges. I try my hands at experimental recipes,” he says.

Although he admits he’s not very disciplined when it comes to fitness, he is able to give about five hours per week and finds it rewarding. 

Rao, on the other hand, says that he simply shuts down thinking for a while, if faced with stress. “I think of myself as an onlooker rather than the subject,” he says. In addition to this, he spends time on LinkedIn to meet some great thinkers online – he uses it as an escape from the “stress and drudgery,” as he puts it.

Belsekar says that focusing on fitness and meditation are tried-and-tested ways of beating stress. “Not having to spend time on commute has given me time to practice meditation and yoga in the morning.”

In addition, he finds that being active on social media – reading and posting on Twitter and LinkedIn – is a great stress-buster and a way to learn and stay updated.

Copyright © 2020 IDG Communications, Inc.
