Under Pressure - Can CISOs Avoid Burnout?

Uploaded on 2022-10-21 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Ransomware attacks show no sign of slowing with one third of organisations currently experiencing a ransomware attack at least once a week, and one in 10 experiencing them more than once a day. This is according to research we recently commissioned among senior security professionals in the UK and the US.  
 
The mass shift to remote and hybrid forms of working over the past couple of years has expanded the attack surface of organisations, with employees and businesses still adapting to a model that means the growing use of SaaS apps and working most of the time in the web browser. This creates a host of new vulnerabilities, attack vectors and entry points for threat actors. 
 
There’s the risk that employees could simply work around security processes and procedures. In addition, many organisations are faced with what we call shadow IT. This is the use of information technology systems, devices, software, applications and services without IT department involvement or approval. This isn’t typically done maliciously, but rather as something employees use to get their jobs done. 
 
According to Menlo Security's research, nearly half (46%) of senior security professionals say they worry about employees ignoring corporate security advice and clicking on links or attachments containing malware more than anything else. In fact, they worry more about this than they do their own job security, with just a quarter of respondents worried about losing their job. 
 
CISOs’ fears today are multi-layered, with many of them concerned about ransomware attacks evolving beyond their own team’s knowledge and skillset, as well as the company’s security capabilities. 
 
There’s also a real sense of frustration over the challenges that the industry faces when it comes to protecting businesses and employees against ransomware. This ranges from increasing ransom demands to the growth of ransomware-as-a-service (RaaS) and even a feeling that government authorities are not treating ransomware seriously enough. 

Avoiding CISO Burnout 

At the forefront of many of the technology changes in recent years and responsible for driving the company’s security strategy, there’s the risk that security professionals are becoming overloaded and worrying about too many things, some of which are beyond their control. It’s no surprise we’re seeing more example of CISO burnout and a much higher churn rate in the security industry. 
 
Certainly, the shift to where and how we work has been a blessing and curse for CISOs. On the one hand, it’s provided a new level of flexibility that no one could have expected two years ago, but on the other hand, it’s expanded the attack surface and fuelled a rise in web-based attacks. Ranking their top three ransomware attack vectors, half of survey respondents identified the web browser – just below email as the number one attack vector. 
 
CISOs may be experts in handling breaches while remaining calm, but it’s important to remember that just like anybody else, they are susceptible to stress. Between mitigating a growing number of attacks and constantly worrying about the impact a breach could have on the organisation, the CISO role is a challenging one. 
 
According to Dr Christina Maslach, pioneer of research on the definition and predictors of burnout, and creator of the Maslach Burnout Inventory, the most widely used instrument for measuring burnout, the human mind wasn’t designed to push through chronic stress without recovering. Too much stress without time and space away to recover can lead even the most seasoned CISOs to get burned out. Burnout is serious and can put you at greater risk of heart disease and mental health disorders like depression and anxiety. 
 
To avoid this, there are some practical steps to follow: 
 
1.       A CISO’s time is important and attending every meeting you are invited to is not sustainable. Determine which meetings need your attention and which don’t and block out time in the calendar, so the team knows you are busy. It’s important to create boundaries around time and then respect them. 
 
2.       Regularly setting aside some time to ask yourself how you are feeling, physically and mentally. This goes a long way to mitigating the chronic stressors of the role. It’s not enough to assume that you are naturally aware of your mental state. 
 
3.       Be clear about who can help you get what you need in order to do your job. If you don’t know who to go to when you need resources, you won’t be able to gather all the tools you need so you can take ownership over security strategy. This also means garnering executive support so that the Board is on your side. 
 
4.       Have a plan and don’t rely on experience alone to get you through a breach. This seems obvious but given than less than half of our survey respondents say they implement a data backup or recovery plan as the first step in the event of a ransomware attack, so this needs to be stated.  
 
5.       Have a clear strategy when faced with a ransomware demand. Paying it depends on your level of preparedness – do you have the right processes and strong backup in place? If so, you won’t need to pay it. But if your organisation is unable to function as normal, access data or the damage is likely to bring down the business, you need to re-evaluate your options. 
 
But remember no one size fits all. Every organisation - and its security team - is different so pick your battles and take small, purposeful steps, to make sure your job doesn’t dictate your mental health. 
 
Download the full Menlo Security report HERE:
 
 Mark Guntrip is Senior Director of Cybersecurity Strategy at Menlo Security 

You Might Also Read: 

Security Trends For 2022 - The Need For Talent &  Cloud  Migration:

 

« Russia’s Cyber Strategy
How to Select the Right ZTNA Offering »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

National Defence Radio Establishment (FRA) - Sweden

National Defence Radio Establishment (FRA) - Sweden

The National Defence Radio Establishment (Försvarets Radioanstalt), is the Swedish national authority for Signals Intelligence, also providing Information assurance services to government authorities.

Swedish Civil Contingencies Agency (MSB)

Swedish Civil Contingencies Agency (MSB)

MSB's Information Assurance Department is responsible for supporting and coordinating work relating to Sweden's national societal information security.

Basis Technology

Basis Technology

Basis Technology provides software solutions for text analytics, information retrieval, digital forensics, and identity resolution.

Telecommunications Industry Association (TIA)

Telecommunications Industry Association (TIA)

TIA works to secure trust in networks by advocating public policy positions on the security of ICT equipment and services related to critical infrastructure, supply chain and information sharing.

WiJungle

WiJungle

WiJungle is an Indian Cyber Security Company that develops and markets a unified network security gateway solution.

Zuratrust

Zuratrust

Zuratrust provide protection for all kinds of email related cyber attacks.

Area 1 Security

Area 1 Security

Area 1 is the only Pay-per-Phish solution in cyber security. And the only technology that blocks phishing attacks before they damage your business.

Sovrin Foundation

Sovrin Foundation

The Sovrin Foundation is a private-sector, international non-profit that was established to govern the world's first self-sovereign identity (SSI) network.

ADVA Optical Networking

ADVA Optical Networking

ADVA is a company founded on innovation and focused on helping our customers succeed. Our technology forms the building blocks of a shared digital future and empowers networks across the globe.

MTI

MTI

MTI is a solutions and service provider, specialising in data & cyber security, datacentre modernisation, modern workplace, IT managed services and IT transformation services.

Aite-Novarica Group

Aite-Novarica Group

Aite-Novarica's Cybersecurity practice provides ongoing research and advisory services to chief information security officers focused on protecting their companies’ assets.

GreenPages Technology Solutions

GreenPages Technology Solutions

GreenPages provide expert strategic guidance and proven cloud-era solutions for our clients. Every day we help organizations leverage the cloud securely with less risk and cost.

Buguard

Buguard

Buguard is a multi-award-winning supplier of Application Security Assessments and GRC services.

CyberTest

CyberTest

CyberTest offers cybersecurity consulting and penetration testing services that helps organizations and businesses securing their assets.

Aliro Security

Aliro Security

AliroNet is the world’s first entanglement Advanced Secure Network solution.

FOSSA

FOSSA

FOSSA is a leading SBOM (software bill of materials) and software supply chain risk management platform.