UK domain name seller Nominet has released its second annual study on chief information security officers and their burnout levels. It is based on a survey of 800 CISOs and executives from large companies in America and Britain. According to the results, 88% of CISOs reported feeling “moderately or tremendously” stressed, down just slightly from 91% a year ago. The share of CISOs who said work stress has had a negative effect on their mental health doubled from 2019, to 48%.
This year, the survey also asked CISOs about their personal lives. Among respondents, 40% said their stress levels had affected their relationships with their family or children.
As Nominet notes in its report, such data requires context. “Anyone working at a high level in a big company must carry a weighty responsibility, which can cause stress,” Nominet CEO Russell Haworth writes. “That said, some of this could be mitigated if there was more harmony between the C-suite executives’ expectations and understanding of the role, and the reality for their CISO on the ground.”
Among C-suite respondents, 78% recognized that their CISOs are working extra hours. Still, 97% said they thought the security team could do a better job of providing value for the money. All of this relates to the survey finding that the average CISO tenure is 26 months, up slightly from 18 to 24 months in last year’s report.
How can CISOs lessen their anxiety in the year ahead? David McLeod, CISO for Atlanta conglomerate Cox Enterprises, tells Forbes.com that training employees about security risks and preparing to recover from an all-but-inevitable breach should be the top priorities for 2020. McLeod also recommends making an effort to streamline existing security systems and finding a cost-effective way to adapt to increasing regulation.
Vivek Khindria, CISO for Canadian food retailer Loblaw Companies Limited, agreed about the importance of training. “We need to teach everyone about the business’s risk appetite, and then train them on security principles,” Khindria told Forbes.com.
Along with training, Greg Jensen, who is senior principal director of cloud security at tech giant Oracle, recommends automating tasks such as patching software. “Automation is the only way that we’re able to get ourselves out of this conundrum,” Jensen told Forbes.com.
A separate report (PDF), by network security consultancy Critical Start, acknowledges that the stress isn’t limited to the top cybersecurity job at a company. Based on a survey of 50 security operations centers in the second quarter of last year, Critical Start finds that “SOC analysts continue to face an overwhelming number of alerts each day.”