The stakes are high for CISOs



Heavy workloads and the specter of personal liability in the event of an incident weigh heavily on security managers, so much so that many are looking for an exit. What does this mean for business cyber defense?

The buck stops here: why the stakes are high for CISOs

Cybersecurity has finally become a board-level issue. This is to be expected, given the increasingly important role that cyber risk management plays in strategic decision-making. Cyber risk is fundamentally a major business risk that has the potential to make or break an organization. That’s definitely the thinking behind new regulatory rules in the USA.

But by recognizing its importance, boards and regulators are also putting more pressure on CISOs, without necessarily giving them appropriate recognition and reward. The result: increased stress, burnout and dissatisfaction. Three-quarters (75%) of CISOs are said to be open to change, up eight percentage points from a year ago. And 64% are satisfied with their role, down 10%.

These challenges have serious implications for cybersecurity within organizations. Resolving them should be an urgent priority.

An increasingly stressful role

CISOs have always had a stressful job. Recent drivers include:

  • Surging cyber threat levels, which leave many organizations in continuous firefighting mode
  • Industry skills shortages that leave key teams understaffed
  • Excessive workload due to increasing boardroom demands
  • A lack of adequate resources and funding
  • A workload that forces CISOs to work long hours and cancel leave
  • Digital transformation, which continues to expand the business cyberattack surface
  • Compliance requirements that continue to grow year after year

It’s no surprise that a quarter (24%) of global IT and security leaders have admitted to self-medicating to alleviate stress. Increasing stress levels not only raise the risk of burnout and/or early retirement: they could also lead to poor decision-making (as this study points out, for example), as well as impacting cognitive skills and the ability to think rationally. Indeed, it has been suggested that even the anticipation of a stressful day ahead can impact cognition. About two thirds (65%) of CISOs admit that work-related stress has compromised their ability to perform at work.

Scrutiny puts additional pressure on CISOs

Adding to this stressful situation has been increased regulatory, legal and board scrutiny in recent months. Three recent events are instructive:

  • May 2023: Former Uber CSO Joe Sullivan was sentenced to three years of probation after being convicted of two felonies related to his role in an attempted cover-up of a 2016 mega-breach. Supporters say he was scapegoated by then-CEO Travis Kalanick and Uber’s in-house lawyer, Craig Clark, with Sullivan explaining that Kalanick had approved his controversial $100,000 payment to the hackers.
  • October 2023: In a first, the SEC charged SolarWinds CISO Timothy Brown with downplaying or failing to disclose cyber risks while overstating the company’s security practices. The complaint references several internal comments made by Brown and alleges that he failed to resolve or elevate these serious concerns within the company.
  • December 2023: New SEC reporting rules take effect, requiring publicly traded companies to report “significant” cyber incidents within four business days of materiality determination. Companies will also have to describe each year their processes for assessing, identifying and managing risks and the impact of any incident. And they will need to detail the board’s oversight of cyber risks and its expertise in assessing and managing those risks.

It’s not just in the United States that regulatory oversight is growing. The new NIS2 directive, which is expected to be transposed into the law of EU member states by October 2024, gives the board of directors direct responsibility for approving cyber risk management measures and overseeing their implementation. Members of the C-suite can also be held personally liable if they are found negligent in serious incidents.

According to Jon Oltsik, analyst at Enterprise Strategy Group (ESG), the increasing pressure these measures put on CISOs makes their primary job of responding to threats and managing cyber risks more difficult. A recent ESG study reveals that tasks such as collaborating with the board of directors, overseeing regulatory compliance, and managing a budget shift the role of the CISO from a technical role to a business-oriented role. At the same time, the growing reliance on IT to power digital transformation and business success has become overwhelming. The survey claims that 65% of CISOs have considered leaving their role due to stress.


Takeaways for CISOs and Boards

Ultimately, if CISOs struggle to keep up with the workload and fear regulatory retaliation or even criminal liability for their actions, they will likely make worse decisions on a daily basis. Many might even leave the industry. This would have an extremely harmful impact on a sector already facing a skills shortage.

But it doesn’t have to be that way. There are things boards and their CISOs can do to alleviate the situation. It is in both of their interests to find a solution to this situation. Consider the following:

  • Boards should assess CISO mental health, workload, resources, and reporting structures to optimize their effectiveness. High attrition rates can lead to long absences without a full-time CISO, demotivating teams and impacting security strategy.
  • Boards should compensate their CISOs based on the high risk their role now entails.
  • Regular engagement between the board and CISO is essential, with direct links to the CEO where possible. This will help improve communication between the two and elevate the position of the CISO in line with their responsibilities.
  • Boards should provide their CISOs with directors and officers (D&O) insurance to protect them from serious risks.
  • CISOs should stick with the industry they love and take on greater responsibilities rather than running away. But they must also remember that their role is to advise and provide context to the board. Let others make the big decisions.
  • CISOs should always prioritize transparency and openness, especially towards regulators.
  • CISOs must be careful about what they communicate internally and ensure that contentious decisions or requests from the C-suite are always recorded in writing.

When looking for a new role, CISOs should hire a personal attorney to review their potential contract in detail.

To optimize cybersecurity strategy, boards should start by reassessing what they want the CISO role to be. The next step is to ensure that the cybersecurity professional in this role has enough support and sufficient rewards to want to stay there.
