Under Pressure - Can CISOs Avoid Burnout?

Uploaded on 2022-10-21 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Ransomware attacks show no sign of slowing with one third of organisations currently experiencing a ransomware attack at least once a week, and one in 10 experiencing them more than once a day. This is according to research we recently commissioned among senior security professionals in the UK and the US.  
 
The mass shift to remote and hybrid forms of working over the past couple of years has expanded the attack surface of organisations, with employees and businesses still adapting to a model that means the growing use of SaaS apps and working most of the time in the web browser. This creates a host of new vulnerabilities, attack vectors and entry points for threat actors. 
 
There’s the risk that employees could simply work around security processes and procedures. In addition, many organisations are faced with what we call shadow IT. This is the use of information technology systems, devices, software, applications and services without IT department involvement or approval. This isn’t typically done maliciously, but rather as something employees use to get their jobs done. 
 
According to Menlo Security's research, nearly half (46%) of senior security professionals say they worry about employees ignoring corporate security advice and clicking on links or attachments containing malware more than anything else. In fact, they worry more about this than they do their own job security, with just a quarter of respondents worried about losing their job. 
 
CISOs’ fears today are multi-layered, with many of them concerned about ransomware attacks evolving beyond their own team’s knowledge and skillset, as well as the company’s security capabilities. 
 
There’s also a real sense of frustration over the challenges that the industry faces when it comes to protecting businesses and employees against ransomware. This ranges from increasing ransom demands to the growth of ransomware-as-a-service (RaaS) and even a feeling that government authorities are not treating ransomware seriously enough. 

Avoiding CISO Burnout 

At the forefront of many of the technology changes in recent years and responsible for driving the company’s security strategy, there’s the risk that security professionals are becoming overloaded and worrying about too many things, some of which are beyond their control. It’s no surprise we’re seeing more example of CISO burnout and a much higher churn rate in the security industry. 
 
Certainly, the shift to where and how we work has been a blessing and curse for CISOs. On the one hand, it’s provided a new level of flexibility that no one could have expected two years ago, but on the other hand, it’s expanded the attack surface and fuelled a rise in web-based attacks. Ranking their top three ransomware attack vectors, half of survey respondents identified the web browser – just below email as the number one attack vector. 
 
CISOs may be experts in handling breaches while remaining calm, but it’s important to remember that just like anybody else, they are susceptible to stress. Between mitigating a growing number of attacks and constantly worrying about the impact a breach could have on the organisation, the CISO role is a challenging one. 
 
According to Dr Christina Maslach, pioneer of research on the definition and predictors of burnout, and creator of the Maslach Burnout Inventory, the most widely used instrument for measuring burnout, the human mind wasn’t designed to push through chronic stress without recovering. Too much stress without time and space away to recover can lead even the most seasoned CISOs to get burned out. Burnout is serious and can put you at greater risk of heart disease and mental health disorders like depression and anxiety. 
 
To avoid this, there are some practical steps to follow: 
 
1.       A CISO’s time is important and attending every meeting you are invited to is not sustainable. Determine which meetings need your attention and which don’t and block out time in the calendar, so the team knows you are busy. It’s important to create boundaries around time and then respect them. 
 
2.       Regularly setting aside some time to ask yourself how you are feeling, physically and mentally. This goes a long way to mitigating the chronic stressors of the role. It’s not enough to assume that you are naturally aware of your mental state. 
 
3.       Be clear about who can help you get what you need in order to do your job. If you don’t know who to go to when you need resources, you won’t be able to gather all the tools you need so you can take ownership over security strategy. This also means garnering executive support so that the Board is on your side. 
 
4.       Have a plan and don’t rely on experience alone to get you through a breach. This seems obvious but given than less than half of our survey respondents say they implement a data backup or recovery plan as the first step in the event of a ransomware attack, so this needs to be stated.  
 
5.       Have a clear strategy when faced with a ransomware demand. Paying it depends on your level of preparedness – do you have the right processes and strong backup in place? If so, you won’t need to pay it. But if your organisation is unable to function as normal, access data or the damage is likely to bring down the business, you need to re-evaluate your options. 
 
But remember no one size fits all. Every organisation - and its security team - is different so pick your battles and take small, purposeful steps, to make sure your job doesn’t dictate your mental health. 
 
Download the full Menlo Security report HERE:
 
 Mark Guntrip is Senior Director of Cybersecurity Strategy at Menlo Security 

You Might Also Read: 

Security Trends For 2022 - The Need For Talent &  Cloud  Migration:

 

« Russia’s Cyber Strategy
How to Select the Right ZTNA Offering »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

PCI Pal

PCI Pal

PCI Pal’s secure cloud payment solutions are certified to the highest level of security by the leading card companies.

CyberDef

CyberDef

CyberDef is a consulting company specialising in cyber defence services for small and medium enterprises.

PETRAS IoT Hub

PETRAS IoT Hub

PETRAS is a consortium of 12 research institutions and the world’s largest socio-technical research centre focused on the future implementation of the IoT.

Statice

Statice

Statice develops state-of-the-art data privacy technology that helps companies double-down on data-driven innovation while safeguarding the privacy of individuals.

RUSCADASEC

RUSCADASEC

RUSCADASEC is an independent non-profit initiative on developing the open Russian-speaking international community of industrial cyber security/ICS/SCADA cyber security professionals.

Switchfast Technologies

Switchfast Technologies

Switchfast Technologies is an IT consulting and managed services provider, offering IT support and consulting to Chicagoland small businesses.

Everbridge

Everbridge

Everbridge provides enterprise software applications that automate and accelerate organizations’ operational response to critical events in order to keep people safe and businesses running.

World Cyber Security Summit

World Cyber Security Summit

World Cyber Security Summit, by Trescon, is a thought-leadership driven platform for CISOs who are looking to explore new-age threats and the technologies/strategies that can help mitigate them.

Proximity

Proximity

Proximity is a leading professional services organisation providing consulting, legal and commercial advisory solutions with a focus on government and regulated industries.

Amvia

Amvia

Amvia is a fast-growing telecoms, Internet and Microsoft service provider. We supply voice, data and cyber security services to 100s of small and large companies.

Zigrin Security

Zigrin Security

Zigrin Security offer comprehensive, hands-on security testing of internal networks, applications, cloud-based solutions, e-commerce applications and mobile devices.

ThrottleNet

ThrottleNet

ThrottleNet provides world-class managed IT services and cybersecurity to organizations in St. Louis and throughout Missouri.

DataStealth

DataStealth

DataStealth is a data protection platform that allows organizations to discover, classify, and protect their most sensitive data and documents.

Saidot

Saidot

Saidot is a Finnish AI governance and alignment company committed to helping businesses safely and transparently integrate AI into their operations.

Neeve

Neeve

Neeve is an edge cloud platform transforming smart buildings and spaces, making them more secure, smarter, and more sustainable.

Ciena

Ciena

Ciena is a global leader in optical and routing systems, services, and automation software. We build the world’s most adaptive networks to address ever-increasing digital demands.