The stakes are high for CISOs


Heavy workloads and the specter of personal liability for incidents have taken a toll on security leaders, so many of them are looking for ways out. What does this mean for corporate cyber-defenses?

The buck stops here: Why the stakes are high for CISOs

Cybersecurity is finally becoming a board-level issue. That is as it should be, given the increasingly important role of cyber risk management in strategic decision-making. Cyber risk is, in essence, a major business risk with the potential to make or break an organization. That was presumably the thinking behind the new regulatory rules in the US.

But in recognizing its importance, boards and regulators are also putting more pressure on CISOs, without necessarily giving them due recognition and reward. The result: spiraling stress, burnout and dissatisfaction. Three quarters (75%) of CISOs say they are open to a change of role, up eight percentage points on a year ago. And only 64% are satisfied with their current role, down 10 points.

These challenges have serious implications for cybersecurity within organizations. Addressing them should be an urgent priority.

A more stressful role

CISOs have always had a stressful job. Among the recent drivers are:

  • Cyberthreat levels have increased, leaving many organizations in constant firefighting mode
  • Industry skills shortages leaving key teams understaffed
  • Excessive workload due to increased demands from the boardroom
  • Lack of adequate resources and funding
  • Workload forcing CISOs to work long hours and cancel holidays
  • Digital transformation, which continues to expand the corporate attack surface
  • Compliance requirements that grow with each passing year

It’s no wonder that a quarter (24%) of global IT and security leaders admit to self-medicating to relieve stress. Elevated stress levels not only increase the likelihood of burnout and/or early retirement; they can also lead to poor decision-making (as one study notes, for example), and impair cognitive skills and the ability to think rationally. In fact, it has been suggested that even the anticipation of a stressful day ahead can affect cognition. About two-thirds (65%) of CISOs acknowledge that work-related stress compromises their ability to do their job.

The scrutiny puts more pressure on the CISO

On top of this baseline of stress, there has been increased regulatory, legal and board scrutiny in recent months. Three recent events are instructive:

  • May 2023: Former Uber CSO Joe Sullivan was sentenced to three years of probation after being found guilty of two felonies related to his role in trying to cover up a 2016 mega-breach. Supporters argue he was made a scapegoat, pointing to former CEO Travis Kalanick and Uber’s in-house lawyer Craig Clark; Sullivan himself maintained that Kalanick signed off on the controversial $100,000 payment to the hackers.
  • October 2023: In a first, the SEC charged SolarWinds CISO Timothy Brown with understating or failing to disclose cyber-risk while overstating the company’s security practices. The complaint cites several internal comments made by Brown and alleges that he failed to address or escalate these serious concerns within the company.
  • December 2023: New SEC reporting rules take effect, obliging publicly listed companies to report “material” cyber incidents within four business days of determining materiality. Companies must also describe annually their processes for assessing, identifying and managing cyber risk, and the impact of any incidents. And they must detail the board’s oversight of cyber risk and management’s role and expertise in assessing and managing such risk.

It’s not just in the US that regulatory oversight is building. The new NIS2 directive, due to be transposed into EU member states’ national law by October 2024, places direct responsibility on the board to approve cyber risk management measures and oversee their implementation. Senior management can also be held personally liable if found negligent in cases of serious incidents.

According to Enterprise Strategy Group (ESG) analyst Jon Oltsik, the increasing pressure that such moves place on CISOs makes their core job of responding to threats and managing cyber risk more challenging. A recent ESG study found that tasks such as working with the board, managing regulatory compliance and managing a budget are shifting the CISO role from a technical one to a business one. At the same time, the business’s growing reliance on IT for digital transformation and commercial success has made the workload overwhelming. The same survey says that 65% of CISOs have considered leaving their role due to stress.


Takeaways for CISOs and boards

The upshot is that when CISOs are struggling to cope with their workload, and fear regulatory reprisals or even criminal liability for their actions, they tend to make worse decisions day to day. Many may leave the industry altogether. That would be a major blow to a sector already struggling with skills shortages.

But it doesn’t have to be this way. There are things that boards and their CISOs can do to alleviate the situation, and it is in both parties’ interests to do so. Consider the following:

  • Boards should assess the mental health, workload, resources and reporting structures of their CISOs in order to optimize their effectiveness. High attrition rates can lead to long gaps without a full-time CISO, which weakens teams and undermines security strategy.
  • Boards need to pay their CISOs in line with the considerable risk they now carry.
  • Regular board-CISO engagement is essential, with a direct reporting line to the CEO where possible. This will improve communication between the two and elevate the position of the CISO in line with their responsibilities.
  • Boards must provide their CISOs with directors and officers (D&O) insurance, to help insulate them from personal legal and financial risk.
  • CISOs should stay in the industry they love, and embrace greater responsibility rather than shy away from it. But they should also remember that their role is to advise and provide context for the board. Let others make the big calls.
  • CISOs must always prioritize transparency and openness, especially with regulators.
  • CISOs should be careful about what they circulate internally, and ensure that controversial decisions or requests from the C-suite are always recorded in writing.

When taking on a new role, CISOs should hire a personal attorney to review their prospective contract in detail.

To get the most out of their cybersecurity strategy, boards should start by deciding what they want the CISO role to be. The next step is to ensure that the professional in that role has enough support, and enough reward, to want to stay there.
