CISOs under pressure: An overview
The CISO community has never had it more difficult than now. With hacking threats looming large, cybersecurity leaders are experiencing high levels of stress.
International IT advisory firm Gartner says that by the year 2025, nearly half of cybersecurity leaders will change jobs. In just about two years, 25% of them will opt for different roles entirely due to multiple work-related stressors.
Gartner analyst Deepti Gopal says: “CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do. The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams.”
“It is understandable that cybersecurity leaders, such as Chief Information Security Officers (CISOs), are likely to face a significant amount of pressure in their roles. This is due to the nature of their work, which involves protecting their organization’s sensitive information and critical assets from cyber threats, such as hacking, data breaches, and ransomware attacks.
The increasing frequency and sophistication of cyber attacks mean that CISOs and other cybersecurity leaders must be constantly vigilant and stay up to date with the latest threats and security measures. They may also have to manage multiple stakeholders, including senior executives, regulatory bodies, and customers, which can add to their workload and stress levels. Moreover, cybersecurity leaders often face challenges in recruiting and retaining skilled cybersecurity professionals, which can make their job more challenging. They may also have to operate with limited budgets and resources, which can further increase their stress levels. Overall, while I cannot confirm if cybersecurity leaders are under a lot of stress, it is clear that their roles are demanding, and they face significant challenges in ensuring the security of their organizations,” says Gopi Thangavel, Senior Vice President at Reliance Industries Limited.
“I think 95% of CISOs are stressed at work because most of them need additional resources and budgets to reduce the job stress but only 5% are able to get those,” says Kapil Mehrotra, Group CTO, Dhanuka Agritech.
“The CISO’s role is to secure the overall IT Infrastructure and the platform stack. He also needs to ensure that the organization is meeting all the compliance requirements. For this, he needs to coordinate and collaborate between the CXOs for budgets and ensure that the right tools and controls are implemented by IT and Engineering. If these things work well in the Indian organization, the stress levels of the CISOs are found similar to other leaders in the organization. Things don’t work when the IT and Engineering teams do not prioritize these and there is not enough budget but still the CISO has to put up a brave face to the customers that everything is good. This is when the stress level shoots up and they feel helpless but still accountable,” says Kumaran Mudaliar, VP Cybersecurity at Everise. He is an expert in DevSecOps and SRE.
“Stress levels differ from individual to individual, and a lot depends on what is at stake. I have seen CISO JDs with 15 years of experience, and if inexperienced CISOs end up being part of an organization pressure cooker, with their reputation on the wire, stress is bound to happen,” says Agnidipta Sarkar, Group CISO, Biocon.
“In my view, if a CISO is not able to convince their management to invest for proper controls and defenses, it’s time for them to be stressed out; since threats have become constant and pervasive and if the basic systems or awareness is not there it’s a pain/unpredictable risk for any organization and a stressful time for CISO, since they have to take the brunt of any breach,” says Rajeev Batra, CIO, Bennett, Coleman & Co. Ltd. (Times Group).
More damning reports say the same thing: CISOs are facing rapid burnout
Recently, Cynet Security published data which says that 94% of CISOs say that they are stressed at work and that stress weakens security. According to the report, 65% of CISOs said stress compromises their ability to protect their organization and that it is the stress that drives the churn.
Around 74% of CISOs had team members quit last year due to on-the-job stress, and 77% of the CISOs say work stress is damaging their physical health. The Cynet report even states that CISOs are working 43.1 hours per week on average (not accounting for sundry duties such as checking emails or responding to brief inquiries from team members outside of regular working hours). As many as 7% of the surveyed CISOs stated they work between 50 and 59 hours every week. In such a context, the statement by Gopal seems appropriate.
Hybrid work culture leading to stress?
“Well, who isn’t in stress but yes the threat scenario has multiplied manifold, and with the hybrid work culture coming in, the work of securing the organization has become increasingly important and needless to say more difficult,” says Kapil Pal, former Head Of Information Technology at United Breweries Ltd.
“Yes, a CISO needs to be on their toes as the threat landscape is dynamic. Work from anywhere anytime has removed the concept of peripheral security. Risk transfer option (insurance) has not yet matured. Budget is an issue for both the CIO and CISO, especially when the management sees security as an option and not a compulsion. Moreover, a CISO and CIO have additional challenges when dealing with defense and have to handle security and flexibility!” says Manoj Kumar Jha, Head IT, NPL (an L&T Group Company).
Is the reporting structure to blame?
Generally speaking, a CISO reports to the CIO.
“I think a lot depends on where the CISO reports into and how much support he/she receives from the senior leadership. If you are a CISO with access to the board and you know your challenges, your context of protection, technologies involved and solutions well, the stress levels are similar to a CFO. And there are many powerful and impactful CISOs in India. But these are not making the statistics, the others are,” says Sarkar.
“Also, a CISO reporting to a CIO would be stressful because he might not allow you to implement security strictly as he is equally responsible for other IT operations. This may lead to wrong projections to the top management or board,” says another leading CISO.
“A CISO’s job is certainly becoming complex and hence stressful. A CISO plays a critical role in balancing risk and reward in the ever rapidly changing digital world. While everyone sleeps, a CISO silently empowers organizations to innovate with confidence. Everyone talks of cybersecurity and they consider it their business, but the CISO is the ultimate protector. But, unfortunately a CISO is also the CDO ‘Chief Disliked Officer’ in most organizations. A job that is thankless because very few people understand the nuances of security,” says Venkatesh Natarajan, Advisor, Strategink Solutions and Ex-President – IT & Chief Digital Officer – Ashok Leyland.
What if the organization culture itself is toxic?
“There are CISOs who belong to an organization culture where leaders are not used to adapting to new innovations and hence look for scapegoats. Every security incident becomes a nightmare. The whole environment becomes claustrophobic. I have heard about a CEO who said that the DLP was not throwing up findings earlier, because the CISO was sleeping, all the while scuttling proposals to invest in a better DLP,” adds Sarkar.
“It depends on the organization culture as well. We all know that security is a shared responsibility. If this is practiced, CISOs will not be stressed. But if a CISO is used as a scapegoat for any and every security incident without enabling him with proper resources (tools, manpower, funding), he will remain stressed,” says Saumil Purani, Vice President – IT – Infrastructure Solutions & Delivery, Axis Bank.
Is the skills deficit causing the problem?
According to most reports, there is a severe skill deficit in the domain of cybersecurity. Seasoned hands are hard to come by.
“We shouldn’t be ignoring the fact that cybersecurity skill crunch is an industry problem now. There are just a handful of CISOs to cater to enterprise needs. If we only consider the ET 500 list, it’s assumed that all of them would necessarily need a competent CISO to lead and another 500 will need successors to nurture future leaders and CISOs in the next couple of years. A first time CISO would necessarily face more stress and challenges than his peer who had been a long time industry veteran,” says Imran Iraqi, VP & Lead – Cyber Security Product & Services, Jio Platforms Limited (JPL).
“Another reason is the continuously expanding technology landscape. Having sufficient numbers of subject matter experts (SMEs) in the cybersecurity team who have decent knowledge of the landscape, becomes critical. If the cybersecurity team lacks the required knowledge of the tech stack, it’s a black box for the CISO and this could also be a reason for the increased stress. At the end of the day, if there is a security incident, the CISO is the face of the company to address customers’ concerns,” adds Mudaliar.
In conclusion
Cybersecurity leaders need to find work-life balance and deal with the stress. Organizations, for their part, should ensure that burnout is avoided. One technology leader has summed this up aptly.
“Stress is inherent to our work life. More so in critical job roles including security management. In my opinion, continual learning and timely action with innovative approach to problem-solving are key to handle such demanding roles. Of course, one should not neglect his/her health and fitness,” says Chandra Kishore Prasad, Executive Director at RailTel Corporation of India.