Information, security, cybersecurity and privacy protection
Cyber stresses: why being a CISO is a tough role
Being a Chief Information Security Officer (CISO) is not an easy role. A shortage of experienced candidates for CISO roles means talented individuals are much in demand, but the stress of working in such a position can be overwhelming.
The challenge of information security
A recent survey from Nominet looking at 400 CISOs and 400 C-suite executives in the UK and US showed that almost nine in ten (88%) senior information security personnel report feeling under moderate or high stress. The strain is beginning to take its toll on CISOs; almost half (48%) said the situation was impacting their mental health, and almost a third (31%) said it affected their physical health as well.
Two in five CISOs said stress impacted their family life, 31% said it impacted the ability to do their job and almost one in four (23%) reported using alcohol or medication to cope. This appears to be a worsening situation. Research from the previous year found only 27% (as opposed to 48%) said their mental health was impacted, and 16% (as opposed to 23%) used medication or alcohol to cope.
Why is being a CISO so stressful?
Information security is an ever-shifting landscape with serious and sustained threats. A slip-up can be catastrophic for customers, for company health and for the career prospects of the individual CISO. The role of CISO involves developing strategies to comply with regulation, implementing policies, building security architecture and developing systems to reduce threats. Compliance and risk management are at the heart of the role.
Part of what makes the role stressful is that CISOs understand information security threats better than anyone else in the organization, but their perspective is not always shared or respected by the C-suite. An EY report found that CISOs view cultural change as vital for ensuring information security, but this is often resisted by other parts of a business.
More than half (57%) of CISOs say their relationship with finance is neutral, mistrustful or non-existent, while 74% say the same of their relationship with marketing. More than two in five (43%) CISOs say they compete for funding with other business and IT initiatives, according to a study from 451 Research and Kaspersky.
Why CISOs carry the can
Part of the strain on CISOs is the knowledge that if something goes wrong, the CISO is likely to be held accountable. The Nominet study found that 29% of CISOs believe they would be fired in the event of a security breach; 31% of the C-suite agreed. The average tenure of a CISO is 26 months.
Unsurprisingly, this stressful, highly accountable role finds it hard to attract professionals. A survey of CISOs by Vanson Bourne found that 66% believed recruitment of senior talent is a challenge. In some markets, such as Asia Pacific, this figure rises to 91%; it stood at 61% in the UK and 54% in the US.
More than a third (34%) of CISOs said lack of technical knowledge was a problem in recruitment, 30% said there was a lack of experienced candidates and 10% said cultural fit made it harder to find the right people.
Good CISOs know they are much in demand. A substantial 85% of CISOs told a study by Marlin Hawk that they are actively looking for new roles or would consider taking one if approached. Concern over lack of progression was cited as a key motivation.
How standards can help to reduce pressure
Information security standards are an invaluable tool for CISOs. They provide a platform for change across an organization, setting out strategies and guidelines that give security initiatives an agreed, externally recognized basis. They also offer a way of prioritizing initiatives and of providing assurance that risk management systems are adequate and proportionate.
A new standard, ISO/IEC 27007:2020(E) Information security, cybersecurity and privacy protection - Guidelines for information security management systems auditing, sets out guidance on auditing an information security management system, including the requirements of ISO/IEC 27001:2013, applicable statutory and regulatory requirements, processes and controls, and the management system's planning.
The standard follows the structure of BS EN ISO 19011:2018 and is designed to be used in conjunction with this standard.
The standard is available from the online BSI shop.