The strategic consulting firm Accenture predicts that cybercrime will remain a large-scale concern for years to come. From 2019 to 2023, over $5 trillion in cumulative global value is expected to be at risk from cyber attacks, creating an ongoing challenge for businesses and the security professionals charged with protecting them.
This situation is putting the health of security professionals in serious jeopardy as they try to cope with the ever-expanding threat landscape.
According to a recent study by Nominet, an Internet and DNS security firm, the average tenure of a corporate security executive is just 26 months due to high stress and burnout.
The vast majority of the 800 Chief Information Security Officers (CISOs) interviewed reported high levels of stress: one-third reported that stress caused physical health issues, and half reported mental health issues.
The study found that CISOs labor under the constant pressure of not having done enough to secure their company’s infrastructure against cyber attacks, the continuous stress of newly arising threats, and little appreciation for the work they perform.
The study paints a bleak picture of one of today’s most in-demand jobs, which pays an average annual salary of over $120,000. Here are some of the takeaways from the report:
- 88% of CISOs reported being “moderately to tremendously stressed”
- 48% of CISOs said work stress has had a detrimental impact on their mental health
- 40% of CISOs said their stress levels had affected their relationships with their partners or children
- 32% said their job stress levels had negative impacts on their marriage or romantic relationships
- 32% said their stress levels had affected their personal friendships
- 23% of CISOs said they turned to medication or alcohol
Nominet noted that even when they are not at work, many CISOs feel unable to switch off. They reported missing family birthdays, holidays, weddings and even funerals. They also are not taking their annual leave, sick days, or time for doctor appointments, which contributes to physical and mental health problems.
Nominet also found that almost all CISOs were working beyond their contracted hours, by an average of 10 extra hours per week, for which they are not compensated.
Furthermore, many were under pressure from their boards. Almost a quarter of interviewed CISOs said boards didn’t accept or understand that “breaches are inevitable” and said they would be held personally accountable for any security incidents. Nominet said that 29% of interviewed CISOs believed they would be fired in the event of a breach, even if they were not at fault.
According to Nominet, awareness of the value of CISOs is increasing, but this awareness has not yet translated into support for the CISO. C-Suite executives still expect the CISO to work long hours, deliver more value, and ultimately take full responsibility for any security breaches that may occur. Not surprisingly, a third of CISOs said dealing with the board is one of the most stress-inducing parts of the job.
All this is bad news for companies confronted by the rising tide of cybercrime. Making headway against cyber criminals requires that the corporate culture of blame be replaced with a culture of cooperation at the highest level. This means fully supporting and funding the efforts of front-line CISOs who must deal daily with the relentless onslaught of cyber criminals and state actors bent on doing serious harm. It also means removing the implied threat of job loss if a network intrusion does occur.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.