For the last 20 years, I have worked as a CISO for companies from different sectors. In this role, I have taken on the responsibility of protecting every organization from a wide range of rapidly developing cybersecurity threats. I have also learned firsthand how much stress security leaders face on a day-to-day basis.
Recent conversations with my peers have shown that cybersecurity stress is an industry-wide issue. The CISO role is one of the most stressful in any organization. And the security function, in general across all types of businesses and industry sectors, is on the brink of a stress-induced crisis.
What sets the CISO role apart
The security team is not the only group under pressure. Other corporate functions and other executives must meet high and sometimes unrealistic expectations. But what makes the CISO position unique is its relative newness. Most jobs in a modern organization have been around for decades, so they're pretty well defined. Companies have had many years to develop the roles and responsibilities of the CEO, CFO and COO, for example, and to develop processes that ensure those roles run smoothly.
By comparison, corporate security is a bit like the Wild West. From the CISO down the hierarchy, security roles are new and immature relative to many corporate positions. Therefore, the CISO often ends up taking responsibility for everything that could go wrong with an organization’s digital presence. That gives the CISO a staggeringly broad mandate.
If consumer data is compromised, the CISO may be held responsible for all resulting brand, customer service, and compliance implications. If fraudulent payments are made, the financial consequences may belong to the CISO. If machinery is damaged or processes are interrupted through ransomware or another attack, that goes back to the CISO. If employees put corporate data on a cloud-based system, the CISO likely bears the responsibility, even if security teams don’t know the information is being transferred. And if some new and previously unknown type of threat compromises systems in a way no one could have anticipated, once again: It’s up to the CISO.
A single cybersecurity event has the potential to derail an organization's strategic plans. But most CISOs don't have a clear plan to prepare their organizations to defend against the myriad of threats that come their way. They don't even have a standard job description. In one company, access control may be within the domain of the CISO, while in another organization it may belong to the network team.
With each company defining the role and responsibilities for itself, CISOs are left without the “everyone does it this way” safety net. Not all companies handle security in the same way. Every CISO is on their own to determine the best ways to protect a rapidly evolving infrastructure against the rapidly changing threat landscape.
External expectations
Adding to the pressure is the fact that the C-suite may not have realistic expectations about the degree to which the security team can ensure that corporate data and applications are secure. CEOs, CFOs, COOs and general counsel often see security as a mathematical equation. They think that the CISO should be able to identify all possible gaps and then close those gaps. It seems like a simple proposition. In reality, of course, securing a large and dynamic corporate infrastructure is anything but simple.
The executive team and the board often expect the CISO to have an immediate answer to any questions that may arise. The organization may use many hundreds of applications and tools, which have accumulated over decades, but the C-suite can expect the CISO to know all the steps the security team has taken to protect each one. If the CISO cannot respond immediately, their job performance could be called into question, directly or indirectly.
Customer expectations around not only the timely delivery of products and services, but also the privacy and confidentiality of data, draw a direct line between the effectiveness of the security team and corporate revenue. And then there is the regulatory environment. Many CISOs are expected to demonstrate the organization's security in specific areas to multiple relevant regulatory agencies.
For some CISOs, these stressors are compounded by a feeling of responsibility for the greater good of the community or nation. From pipelines to government offices to healthcare facilities, we’ve seen the ways successful ransomware can cripple critical infrastructure. Suddenly, national security is also on the CISO’s agenda. It’s a risk CISOs haven’t been trained to handle, but that doesn’t mean we can ignore it.
In Part 2, we’ll talk about the risks to the business when the CISO is under pressure and what we can all do to defuse the situation.
Editor’s Note: Dark Reading encourages security professionals to put their mental health first. That is why we want to inform readers that the author of this article, Shamla Naidoo, will be discussing big issues related to mental health within the cybersecurity industry with Dr. Marcia Goddard in a webinar on February 10.