CISOs talk cyber stress, communicating risks to the board and securing skills

A circuit key at the center of a system of integrated security: endpoints/devices/networks/apps/etc.
Jackie Niam / Getty Images

The past 18 months have been very tough for chief information security officers and their teams. Criminals have used fear and uncertainty created by the worst health pandemic in 100 years to spread coronavirus-related phishing emails and scams.

Malicious software thrived throughout 2020 and the trend is continuing this year. Remote and hybrid work environments have also become the norm, which has increased attack vectors.

According to research conducted by Malwarebytes, it takes 66 days for enterprises to remediate a malware-related security breach. This means that CISOs and their security teams are losing sleep at night. They’re highly stressed and burnt out; some are leaving their jobs due to mental health concerns or at the very least, they know of someone who has.

The main stress drivers, according to Malwarebytes, include: a lack of resources; discrimination at work; skills shortages, pre-existing mental health conditions; digital transformation; work/life balance; internal cultural battles; excessive workloads; rising threat levels; and a new era of rigorous regulation.

CSO Australia and Malwarebytes hosted roundtable events with chief information security officers (CISOs) recently to discuss how stress is affecting their cyber security teams since the onset of the COVID-19 pandemic in early 2020. They also discussed the need to convince their boards that more money and time need to be spent on cyber security activities, and their strategies for dealing with the cyber skills crisis.

Chris Cooper, worldwide information security director at Cubic Transportation Systems, says that across the company’s global security team, there’s always been a culture of regular formal engagements with team members, including ‘one-on-ones’, weekly team meetings, and monthly meetings with staff around the region.

“These meetings were enhanced to include a direct question about the welfare of team members. Additionally, and very early on, we introduced additional informal events including virtual coffees and water cooler chats, and Friday evening virtual ‘Happy Hours’,” he says.

Brian Williams, principal consultant, cyber security at technology services provider, Ampion, says he catches up with his direct reports three times a week via video call so he can hear how they are coping with the many work and personal issues from the ongoing lockdown.

“I also keep an eye on the time that they are working, especially if there is excessive or unnecessary email traffic out of hours and on weekends,” he says.

Devendra Nambiar, acting head of ICT strategy, enterprise architecture, security, and risk at Bendigo Kangan Institute, adds that it’s a challenging time for cyber teams.

He says the best they can do is consistently monitor threat intelligence, and reduce known vulnerabilities with appropriate patches, work arounds, or stopping non-critical services until a fix is available.

“Yes, this puts a lot of pressure on our staff, and consistent communications and discussions about their wellbeing is very important,” he says.

Communicating to the board

Cyber security specialists also discussed how they go about convincing other executives and their boards that more money and time needs to be spent on cyber security activities. Clearly, building a culture where cyber security risks are taken more seriously and the right education is in place is vital.

Ampion’s Williams commented that it’s interesting to hear questions along the line of, ‘how do we convince board to see the value of cyber security?’

“More often than not, this is linked to the view that boards should be more familiar with cyber security. While I agree that boards should be more familiar with cyber security… cyber professionals should also become more familiar with operations and the pressure boards – and executives for that matter – are under to generate shareholder value and grow the value of brand assets.

“Rather than trying to scare boards and the c-suite into investing in cyber, why not demonstrate the value cyber security can bring? I have used a number of sources to demonstrate to boards that trust brings tangible benefits to companies through customer retention/growth and increased shareholder value,” he says.

Guenter Zimmerman, ASEAN-Pacific CISO at Siemens Australia, says he is using a corporate risk management approach to educating the board.

“The risks are made transparent using ‘impact and probability’, which so far has convinced the senior executives,” he says.

Meanwhile, Cubic’s Cooper says his organisation has a CEO who is very focused on security and acknowledges that cyber risk is the number one corporate risk. Regular and detailed cyber posture reporting to the CEO and board provides the platform for resource discussions, he says.

“That said, we continue to battle with other areas of the business for limited budget. So, while it is fair to say there is an understanding of the consequences of an adverse event and visibility of our current posture and threat profile, there is room for us to improve in this space. Interestingly, the lower levels of the organisation are alert to risks and our executive too, but all too often somewhere in between, this is lost,” he says.

Dealing with the skills crisis

The ongoing global cyber skills shortage has been worsened by border closures due to the COVID-19 pandemic. It’s certainly a frustrating situation for CISOs who are having trouble filling many cyber-related roles.

Cubic’s Cooper says that his organisation has cyber teams located across Asia-Pacific, Europe, the Middle East, Africa, and North America, which were recently restructured into global functions versus regional-only cross-functional teams.

This has meant that the organisation has been able to hire resources in any of these locations to service any other regions. There are some small exceptions to that where a role must be customer-facing or where jurisdictional restrictions are in place. One thing COVID-19 has taught us is that a lot more can be done remotely. Despite this, we still struggle to fill all open roles,” he says.

Ampion’s Williams says his company relies a lot on professional networks and the usual direct and recruiter channels to get the right cyber staff.

“The closed border has meant a reduction in the number of junior and middle ranking cyber professionals, which has led to some interesting discussions regarding salaries,” he says.

Download the ‘Where stress meets security’ report by Malwarebytes to learn more. 


Copyright © 2021 IDG Communications, Inc.