Under Pressure - Can CISOs Avoid Burnout?

Uploaded on 2022-10-21 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Ransomware attacks show no sign of slowing with one third of organisations currently experiencing a ransomware attack at least once a week, and one in 10 experiencing them more than once a day. This is according to research we recently commissioned among senior security professionals in the UK and the US.  
 
The mass shift to remote and hybrid forms of working over the past couple of years has expanded the attack surface of organisations, with employees and businesses still adapting to a model that means the growing use of SaaS apps and working most of the time in the web browser. This creates a host of new vulnerabilities, attack vectors and entry points for threat actors. 
 
There’s the risk that employees could simply work around security processes and procedures. In addition, many organisations are faced with what we call shadow IT. This is the use of information technology systems, devices, software, applications and services without IT department involvement or approval. This isn’t typically done maliciously, but rather as something employees use to get their jobs done. 
 
According to Menlo Security's research, nearly half (46%) of senior security professionals say they worry about employees ignoring corporate security advice and clicking on links or attachments containing malware more than anything else. In fact, they worry more about this than they do their own job security, with just a quarter of respondents worried about losing their job. 
 
CISOs’ fears today are multi-layered, with many of them concerned about ransomware attacks evolving beyond their own team’s knowledge and skillset, as well as the company’s security capabilities. 
 
There’s also a real sense of frustration over the challenges that the industry faces when it comes to protecting businesses and employees against ransomware. This ranges from increasing ransom demands to the growth of ransomware-as-a-service (RaaS) and even a feeling that government authorities are not treating ransomware seriously enough. 

Avoiding CISO Burnout 

At the forefront of many of the technology changes in recent years and responsible for driving the company’s security strategy, there’s the risk that security professionals are becoming overloaded and worrying about too many things, some of which are beyond their control. It’s no surprise we’re seeing more example of CISO burnout and a much higher churn rate in the security industry. 
 
Certainly, the shift to where and how we work has been a blessing and curse for CISOs. On the one hand, it’s provided a new level of flexibility that no one could have expected two years ago, but on the other hand, it’s expanded the attack surface and fuelled a rise in web-based attacks. Ranking their top three ransomware attack vectors, half of survey respondents identified the web browser – just below email as the number one attack vector. 
 
CISOs may be experts in handling breaches while remaining calm, but it’s important to remember that just like anybody else, they are susceptible to stress. Between mitigating a growing number of attacks and constantly worrying about the impact a breach could have on the organisation, the CISO role is a challenging one. 
 
According to Dr Christina Maslach, pioneer of research on the definition and predictors of burnout, and creator of the Maslach Burnout Inventory, the most widely used instrument for measuring burnout, the human mind wasn’t designed to push through chronic stress without recovering. Too much stress without time and space away to recover can lead even the most seasoned CISOs to get burned out. Burnout is serious and can put you at greater risk of heart disease and mental health disorders like depression and anxiety. 
 
To avoid this, there are some practical steps to follow: 
 
1.       A CISO’s time is important and attending every meeting you are invited to is not sustainable. Determine which meetings need your attention and which don’t and block out time in the calendar, so the team knows you are busy. It’s important to create boundaries around time and then respect them. 
 
2.       Regularly setting aside some time to ask yourself how you are feeling, physically and mentally. This goes a long way to mitigating the chronic stressors of the role. It’s not enough to assume that you are naturally aware of your mental state. 
 
3.       Be clear about who can help you get what you need in order to do your job. If you don’t know who to go to when you need resources, you won’t be able to gather all the tools you need so you can take ownership over security strategy. This also means garnering executive support so that the Board is on your side. 
 
4.       Have a plan and don’t rely on experience alone to get you through a breach. This seems obvious but given than less than half of our survey respondents say they implement a data backup or recovery plan as the first step in the event of a ransomware attack, so this needs to be stated.  
 
5.       Have a clear strategy when faced with a ransomware demand. Paying it depends on your level of preparedness – do you have the right processes and strong backup in place? If so, you won’t need to pay it. But if your organisation is unable to function as normal, access data or the damage is likely to bring down the business, you need to re-evaluate your options. 
 
But remember no one size fits all. Every organisation - and its security team - is different so pick your battles and take small, purposeful steps, to make sure your job doesn’t dictate your mental health. 
 
Download the full Menlo Security report HERE:
 
 Mark Guntrip is Senior Director of Cybersecurity Strategy at Menlo Security 

You Might Also Read: 

Security Trends For 2022 - The Need For Talent &  Cloud  Migration:

 

« Russia’s Cyber Strategy
How to Select the Right ZTNA Offering »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

D-RisQ

D-RisQ

D-RisQ is focussed on delivering techniques to reduce the development costs of complex systems and software whilst maximising compliance

Imperva

Imperva

Imperva is a leading provider of data and application security solutions including DDoS protection, Web application security, Data security and Cloud security.

APrivacy

APrivacy

APrivacy provides information and communication security products for the financial services industry.

MER Group

MER Group

MER Group is a world-leading solutions provider specializing in Homeland Security (HLS), Cyber and Intelligence, Communication Infrastructure and Tactical Communication Systems.

Compnet

Compnet

Compnet is a service company that assists customers in integrating complete ICT systems including network infrastructure and security solutions.

CipherTrace

CipherTrace

CipherTrace develops cryptocurrency Anti-Money Laundering, cryptocurrency forensics, and blockchain threat intelligence solutions.

CryptoSec.info

CryptoSec.info

CryptoSec.info is a web resource focused on educating the beginners in the cryptocurrency space on how to properly secure their online assets from hackers and scammers.

Intrinium

Intrinium

Intrinium is an Information Technology and Security Solutions company, providing comprehensive consulting and managed services to businesses of all sizes.

ISARR

ISARR

The ISARR software platform - your bespoke Risk, Resilience & Security Management solution. Simple, cost effective and adaptable, now and into the future.

Gray Analytics

Gray Analytics

Gray Analytics is a Cybersecurity Risk Management company providing best-practice services across a broad spectrum of cyber scenarios for both government and commercial customers.

Rayzone Group

Rayzone Group

Rayzone Group offers a wide range of Cyber Security solutions and services, providing hollistic protection suitable for both enterprises and National cyber security centers.

BigBear.ai

BigBear.ai

BigBear.ai delivers high-end analytics capabilities across the data and digital spectrum to deliver information superiority and decision support.

MLSecOps Community

MLSecOps Community

The MLSecOps Community is a collaborative space for machine learning security experts and industry leaders to connect and shape the future of AI/ML security.

DataStealth

DataStealth

DataStealth is a data protection platform that allows organizations to discover, classify, and protect their most sensitive data and documents.

Incode

Incode

Incode is the leading provider of world-class identity solutions that is reinventing the way humans authenticate and verify their identities online.

Dev Information Technology (Dev IT)

Dev Information Technology (Dev IT)

Dev IT delivers digital transformation and end-to-end information technology services.