CISOs are burned out and falling behind

The CISO’s text was brief but telling: “I never want an operational role again,” it read, arriving on Jeff Pollard’s phone in December as security teams scrambled to deal with the latest headline-making threat, Log4j.

“He’s an effective CISO with a long tenure, but his mentality was ‘Here we go again.’ He was speaking to the herculean effort he knew he and his team would have to make. No one needed more of that. And it was sort of like, ‘I’m done,’” says Pollard, vice president and principal analyst with Forrester Research.

Most workers—most people, for that matter—have had that I’m done feeling at one time or another; studies today are finding, in fact, that many individuals are feeling overwhelmed and worn down by the pandemic and all the disruptions it has brought.

CISOs, too, are feeling those strains.

Look at the figures from the Lost Hours report from security software company Tessian. It surveyed 300 U.S.- and U.K-based CISOs and found that CISOs are, on average, working 11 more hours than they’re contracted to work each week, with 10% working 20 to 24 hours extra a week. It further found that 42% have missed holidays like Thanksgiving or Christmas, 40% have missed a family vacation due to work, and 59% of CISOs say they struggle to always switch off from work once the workday is done due to stress.

Deft

“CISO burnout is definitely an issue. It’s an issue even more now than in the past, since we are in some unprecedented times with staffing shortages, people working from home, and the increase in threats not only domestically but internationally. All of this is coupled with the fact that the security landscape is expanding at a geometric pace,” says Thomas Johnson, CISO at Deft, an IT advisory and service provider.

“It’s hard for CISOs to keep up on all of the technologies and products, understand all of the threats, report metrics to executive management and the board of directors, all the while trying to maintain a sense of sanity and an understanding that your program will never be perfect, and there will always be some doors that are never completely closed.”

No doubt, there should be concern on a personal level for workers (including CISOs) who have hit the point of burnout; it’s appropriate and right to care about another’s well-being.

Tessian

There are organizational reasons—personnel reasons, if you will—for concern, too, as any burned out employee may not be bringing his or her A game to work. As Josh Yavor, Tessian’s own CISO, asks: “If CISOs are experiencing this level of burnout, what is the impact to their organizations and what’s the impact to the other humans they work with?”

He adds: “This isn’t a call to feel sorry for people in CISO roles, but it’s a call to take a deeper look at how we’re executing security programs and whether we’re aware of the circumstances that we let occur in situations where burnout is pervasive.”

What’s at stake

CISO burnout can impact organizations in multiple ways, says Ed Bellis, co-founder and CTO of Kenna Security, a Cisco company; he’s also a former CISO and author of a 2020 article titled .

Kenna Security

“CISOs are not special snowflakes; there are a lot of people suffering burnout including people who report into the position, and that’s part of the problem, but what’s different for CISOs is the impact of the burnout,” Bellis says.

He and others say burnout can—and does—lead to early departure from the role, less engagement with other executives, and a diminished capacity to lead one’s own team. That’s on top of any personal toll a CISO might suffer as a result of burnout.

The Tessian report listed other consequences that come when CISOs are overburdened. IT found that CISOs, when asked to list what they’re not spending enough time on, said

• hiring talent (36%),
• attending non-departmental meetings (38%),
• communicating to customers (35%),
• researching new industry updates and trends (36%),
• and working on their own career development (38%).

The 2021 State of Access Report, titled The Burnout Breach, from software maker 1Password, titled, also identified a problem with burnout in the security profession. It found that

• 84% of surveyed security professionals said they’re feeling burned out,
• 10% of security professionals said they’re “completely checked out” and “doing the bare minimum at work” due to burnout,
• while 44% of significantly burned-out security professionals and 19% of those who are only somewhat burned out said security rules and policies “aren’t worth the hassle.”

Bellis and others stress the context here: Many, many CISOs and security professionals maintain a high level of performance for themselves and their teams throughout times of crisis and high stress as well as everyday challenges—just like their peers in other executive roles and in other department positions.

More bluntly: Clearly not all CISOs are at the point of burnout nor are heading there, despite their challenging jobs.

CxO InSyte

And, they note, many of those who do find themselves in such situations often recognize the need to move onto other positions.

“The amount of stress associated with the CISO position has caused an unprecedented high turnover rate with many CISOs leaving their corporate positions and moving into a less stressful virtual CISO and consulting role,” notes Maurice Stebila, chairman and founder of CxO InSyte, a web-based cybersecurity information hub, and former Harman by Samsung CISO.

Indeed, Matt Aiello, a partner with executive search firm Heidrick & Struggles and leader of its global cybersecurity practice, says he finds that CISOs are drawn to challenges and thrive on solving problems. He describes CISOs as very mission-oriented who knowingly take on this high-pressure, big-stakes role.

“I’d say burnout is a good topic to talk about, but also that CISOs don’t burn out easily,” he adds.

Setting the stage for burnout

However, Aiello also acknowledges that he does see burnout creep up on CISOs in certain circumstances, such as after leading organizations through a prolonged post-breach recovery or leading transformative programs in several consecutive roles.

Heidrick & Struggles

“Then they’re saying, ‘I want to do something different,’ but even then I’m not sure I’d call that burnout. It could be that some executives are looking for roles that play better to their strengths than the one that they’re in. Or we might see CISOs want to take time off, which isn’t uncommon for executives in other areas as well,” Aiello says.

Bellis and others don’t disagree with those observations, but they still see some security leaders finding themselves in situations that have made it impossible for them to move forward—where they’re facing unrealistic expectations, insufficient resources, and constant fires with and no break in sight.

Veteran CISO Rebecca Wynn says she has seen organizations have requirements for their security leaders that are “beyond humanly possible, where no one can meet the expectations. They want no level of risk.”

ISACA

“It’s those [CISOs] who feel like they’re swimming uphill, they’re not gaining traction, and they have no support from the organization,” says Jonathan Brandt, director of professional practices and innovation with the IT governance professional association ISACA and author of the January 2022 post Finding Calm Amid Chaos: Improving Work-Life Balance.

At the same time those organizations don’t credit the security function for the successes it does achieve nor do they give their CISO the full executive authority that should accompany the level of accountability assigned to the role.

Wynn says she herself felt a sense of burnout in a prior role, prompting her to make both professional and personal changes; she moved to a new company, became more attentive to healthy eating, and sought out more moments to recharge.

Stop it before it starts

A CISO heading toward burnout may indeed find that a new position elsewhere is the best solution to the situation, Wynn says. She’s now with Click Solutions Group where she serves as a cybersecurity strategist, virtual CISO, and privacy advisor for clients.

Click Solutions Group

Wynn and others say that they believe CISOs, their teams, and ultimately their organizations would be well-served by addressing the scenarios that most often cause burnout in the security ranks and then creating more sustainable structures. That means identifying what in the security program, leadership, and/or culture aren’t working and then finding ways to fix them.

“It’s the CISO’s job to make sure the team can sustainability conduct all its work,” Yavor says.

He and others say that requires CISOs to help their executive colleagues and their boards understand what capabilities they’re realistically able to deliver based on the resources they’re allocated and how those elements correlate to organization’s risk profile and posture.

Forrester Research

“It’s setting the right security expectations with the rest of the organization and being able to say, ‘I am not able to do these things with these resources and the constraints we operate under and also be successful and sustainable,’” Yavor says.

If the organization can’t accept that resource-risk ratio, then CISOs should feel empowered to push back, discuss the limits of what they and their team can deliver, and the resources required to bring risk down to an organizationally acceptable level without pushing anyone in the security ranks over the edge.

Pollard says CISOs are better positioned to have those conversations now than ever before.

“The past few years has elevated the importance of security and the acknowledgement of that importance,” he says, “and as a result security leaders really do have a lot of credibility now and they’re getting more of what they want.”