
The CISO talent crisis: Enterprise leaders must nurture and protect their CISOs, or they might find themselves with inadequate security

Apr 1, 2020 Callum Moore

We’re all aware that cybersecurity threats are constantly developing, and the frontline for enterprise protection is commanded by the ever-faithful CISO. Cybersecurity talent is in high demand, and in this environment of increasing cyberthreats from cybercriminals and state-sponsored hacking groups, leadership must retain and develop talent to secure enterprises and prevent significant financial loss or reputational damage. However, recent reports suggest that CISOs are suffering from stress and the symptoms of burnout, ultimately leading to weaker enterprise security. The stress levels of CISOs are rising, with 90% reporting that they are moderately or tremendously affected. Enterprise leaders must act: improve working conditions, or suffer talent loss and weakened security from distraction.

A shortage and high turnover of cybersecurity personnel should concern any enterprise looking to secure its organization adequately

Globally, there is a shortage of qualified and capable cybersecurity personnel, which should come as no surprise to anyone. The domain requires extreme technical ability and extensive training to be considered proficient.

High levels of stress, a lack of job stability, and executive boards that don’t fully understand their CISO are contributing to a personnel shortage. With the role requiring extensive training and experience, enterprises must work toward retaining and nurturing the talent they have, or they risk countless security blunders.

Reports have found that the average tenure of a CISO is between 18 and 24 months, and 65% of IT and security professionals consider quitting due to burnout, contributing to the estimated 3 million unfilled cybersecurity jobs worldwide. These should be harrowing figures for enterprises, which should be taking swift action to try to rectify a high turnover of crucial staff. It should be no surprise that security improves when staff are invested and know the ins and outs of their organization. Having to replace a CISO every 24 months is not only logistically difficult because of the shortage, but it also means that the replacement has to learn the organization from scratch. This onboarding can take time, leaving an organization in a more vulnerable position than if it were monitored by a well-established CISO.

Retaining talent is key; an overworked CISO leads to a weakened security posture—mistakes cost money

Security leaders also suffer the side effects of sustained stress, such as mental and physical burnout. Reportedly, 27% of CISOs felt stress was influencing their mental or physical health, and 23% said the job had been damaging to their relationships. What’s even more worrying is that 17% explained they had turned to medication or alcohol as a coping mechanism for the intensity of their job.

The common thread in these statistics is the declining health of CISOs. Declining health, substance abuse, and damaged relationships are not outcomes any enterprise leader wants their organization to be seen as contributing to. More importantly, an employee can bring these factors back into the office, leading to a weakened state of security for the organization. Your CISO must be focused and clear-minded in their aim of protecting your enterprise; without a clear mind, they will almost certainly make mistakes, costing money and time.

Enterprises need to take action to support their CISOs

One of the most important and effective methods to support CISOs is providing greater support from the board level. The higher echelons of enterprises often fail to understand or fully support CISOs, who need funds for what might not be a priority for most of the board. We have covered this in further detail in previous work. This support could mean one less battle for a CISO to fight; after all, every military tactician knows that fighting a battle on two fronts is never advantageous.

37% of CISOs and 31% of the C-suite say the CISO is accountable for a data breach. Thirty percent (30%) of CISOs believe the executive team would sack them if one occurred; 31% of the C-suite polled confirmed this. It’s understandably demoralizing for CISOs to fight for budget from the very people who will fire them if they can’t defend their organization—the catch-22 is that they often need more money to better secure their organization. The board often assumes the CISO already has enough money to keep the enterprise secure, and that a single pay-out at the beginning of the fiscal year should be enough to protect the enterprise from all eventualities throughout that year. They need to realize that security is a dynamic, moving target that needs constant review and, frankly, ongoing budget allocation.

The Bottom Line: Enterprises need to support their CISO better to relieve stress and foster a better security stance

Thirty-one percent (31%) of CISOs admitted stress was impacting their work. Stress is a clear problem for CISOs, and it’s impacting the enterprises they work for, creating a weakened state of security. Therefore, an organization needs to foster an improved cybersecurity culture, and the board needs to give more support to the CISO. Improving internal support should help relieve stress, increase security, and, importantly, reduce the need for money and time. If you fail to give your staff the support they need, you will see your security staff fly the nest for an organization that will nurture them. With three million unfilled jobs out there, don’t think they will find it hard to find a new home!