CISO burnout: Rapidly increasing, posing a major threat to risk management

(January 18, 2023)

Chief Information Security Officers (CISOs) face a lot of strain in the workplace. Not only must they provide work of the utmost quality, but they must also be aware of the latest technology, policies, and laws. On top of this, they must help the business while preventing data breaches, be ever-watchful while operating with limited resources, and manage different goals and objectives among the C-Suite. It's rare to find an organization that fully supports the CISO and understands the Positive Sum Paradigm, where everyone succeeds rather than one person succeeding at the expense of another. If the CISO is unable to make both parties happy, they are viewed as a failure.

Before 2019, burnout had been known as a stress syndrome. The World Health Organization (WHO) recently classified burnout as an official diagnosis (not a medical condition) in its International Statistical Classification of Diseases and Related Health Problems (ICD)-11 code set. This was documented in 2019, when the WHO labeled burnout an "occupational phenomenon" and assigned it the code QD85.

What Is Burnout?

To summarize, burnout is a condition that can affect CISOs and other people. It is characterized by emotional depletion, depersonalization, and a decrease in personal success. A major element of burnout is heightened feelings of fatigue. As their emotional reserves are diminished, CISOs may find that they are not able to contribute psychologically. Additionally, they may have a negative, cynical outlook on their job and connections. Furthermore, they may have a decreased sense of achievement, which is the tendency to evaluate oneself unfavorably regarding work. As a result, they may have an increased sense of dissatisfaction with themselves and their accomplishments. This has been documented since 1996 in manuals such as the Maslach Burnout Inventory Manual.

The incidence of CISO burnout is rapidly increasing, posing a major threat to health and risk management. Results from my survey interviews with CISOs these past six months line up with the findings in the study Life Inside the Perimeter: Understanding the Modern CISO, which was released at the beginning of 2020 and received participation from more than 400 CISOs from the US and UK. According to the survey, 100% of the CISOs reported their role as being stressful, 88% stated having moderate or extreme stress, 95% worked for at least a 50-hour work week, 71% had a work-life balance skewed towards work, 48% noted that the stress is impacting their mental health, 45% had to miss family events or activities, 40% said the stress was influencing their relationships with family and children, 35% reported their physical health was suffering, 32% said their marriage or romantic relationships were being strained, 32% mentioned the strain on their friendships, 31% said the stress was preventing them from doing their job effectively, and 23% said they were using medication or alcohol to cope with the job stress. The pressure of the CISO role has caused many professionals to step away from the job. CISO tenure has rapidly moved from two to four years, to 26 months, to 18 months, to 15 months, and most recently six to nine months!

Addressing The Problem In the C-Suite

C-suite leaders who want to keep their cyber security talent need to start by creating the conditions for the CISO to flourish. This includes placing the position at the right level, not buried far down the hierarchy, and reporting to the right person, who may not be the Chief Technology Officer (CTO) or Chief Information Officer (CIO). The title should be senior to demonstrate its importance to the company, and the CISO should not be treated as a "C-Suite Lite" or "Chief No Officer". Furthermore, the position should have competitive compensation and suitable insurance (such as Directors & Officers insurance) to protect from liability. It is essential to "build it to win", with the necessary visibility, mandate, and investment from the CEO and board. If the CISO is considered a minor role, it will not be possible to hire and retain the best talent. The CISO needs to know (through more than mere words) that they have the support of the executives and board, including monetary investments, and are empowered to make needed changes.

For any CISO, it is critical to spot the initial clues of burnout and respond before matters worsen. This is not an easy task when you oversee a hectic cyber security group. But indications such as sleeping issues, extreme fatigue, lack of passion for work, or stress may mean that it is time to analyze the present situation and put some safeguards in place. Feeling in control of the workload and deadlines, and implementing the right tools to finish the job efficiently, can be very useful in dealing with the initial stages of burnout.

Seeking Assistance

Everyone encounters times when they feel anxious or unmotivated, and it is perfectly normal to acknowledge this and seek assistance. Having truthful conversations can be of great benefit to psychological health, and doing activities such as a stress risk assessment (evaluating potential obstructions to mental stability in a professional environment) or coming up with a well-being plan (examining your current condition) can help you better understand how to avoid CISO burnout. These approaches are just like traditional risk analyses: they help people recognize hazards so that ways to reduce or eliminate unfavorable aspects can be considered.

If you become aware of any indicators of burnout and are unable to tackle the problem yourself, you can reach out to human resources (HR), the CEO, or a different C-level executive whom you trust to discuss your issue. Alternatively, taking breaks from work, decreasing the number of tasks to a reasonable amount, rectifying dietary inadequacies, being physically active, obtaining quality sleep, having a mentor, and leaving toxic and/or unsupportive environments are all good strategies.

It’s also suggested to connect with a counselor. There are online therapy services that offer assistance with leading a more gratifying life or accomplishing goals. They specialize in certain issues such as stress, anxiety, depression, eating disorders, sleep disorders, trauma, and grief. These companies offer a variety of services often including unrestricted membership with counselors, live phone discussions, chat, and video.

By Dr. Rebecca Wynn