Nominet’s CISO Stress report looks at the impact of continued stress on the mental health and personal lives of CISOs, and drills down into the causes of stress including poor work life balance and a lack of support from the board.
The results are based on interviews with 400 CISOs and 400 c-suite executives across the UK and US, with questions focusing on the challenges of the CISOs role and how work stress is impacting CISO health and damaging relationships.
CISOs under pressure: a culture of communication is a necessity, not an optional extra
Is your CISO stressed?
Yes, is the answer.
The research found that the vast majority of CISOs (88%) remain moderately or tremendously stressed, a small decrease from 91% in 2019. However, this stress is now taking a greater toll on CISOs’ mental and physical health, and their personal relationships.
The key findings:
• 48% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year (27%). 31% also reported that their stress had impacted their physical health.
• 40% of CISOs said that their stress levels had affected their relationships with their partners or children.
• 32% said that their stress levels had repercussions on their marriage or romantic relationships and 32% said that their stress levels had affected their personal friendships.
• The number of CISOs turning to medication or alcohol has increased by a quarter year on year, from 17% in 2019 to 23% in 2020.
This personal impact is also having negative effects for organisations, with (31%) of CISOs saying that stress had affected their ability to do their job, 2% more than in 2019. This results in a high rate of burnout, with the survey reporting that the average tenure of a CISO is just over two years (26 months).
Commenting on these findings, Russell Haworth — CEO of Nominet — said: “We are potentially heading towards a burnout crisis if the very people who we are relying on to keep businesses secure are operating under mounting pressure. CISO stress is on the rise — with almost 90% moderately or tremendously affected — and it’s taking a greater toll on their personal lives and well-being. Not only is this harming the lives of CISOs but will ultimately make it harder to retain staff, catch attacks early and improve security. It is worrying that at board level, understanding of these pressures appears not to have translated into action.”
Dr Dimitrios Tsivrikos, Lecturer in Consumer and Business Psychology, University College London added that “while there have been positive steps in mental health and stress-related issues, the essence of tackling these issues has not received as much attention as needed.
“While measuring, understanding and incorporating key findings within the work is incredibly important, we also need to consider that there is a lack of research that looks into the work-life balance.
“We do anticipate that stress levels will continue to rise until we address the issue of stress, mental health and well-being at work. These are issues that are recognised but we have to match awareness with passion for actually tackling stress and allowing employees to live a happier and healthier life.”
CISO: Why the role is no longer about working in ‘black’ and ‘white’
CISOs would sacrifice salary
Overworked CISOs would sacrifice their salary for a better work-life balance, according to the research.
Investigating the causes of CISO stress, the research found that almost all CISOs are working beyond their contracted hours, on average by 10 hours per week. And, the report suggests that even when they are not at work many CISOs feel unable to switch off.
As a result, CISOs reported missing family birthdays, holiday, weddings and even funerals. They’re also not taking their annual leave, sick days or time for doctor appointments — contributing to physical and mental health problems.
The key findings:
• 71% of CISOs said their work-life balance is too heavily weighted towards work.
• 95% work more than their contracted hours — on average, 10 hours longer a week — which means CISOs are giving organisations $30,319 (£23,503) worth of extra time per year.
• Only 2% of CISOs said they were always able to switch off from work outside of the office, with the vast majority (83%) reporting that they spend half their evenings and weekends or more thinking about work.
• 87% of CISOs say that working additional hours was expected by their organisation.
Revealingly, almost all surveyed CISOs (90%) said they’d take a pay cut if it improved their work-life balance. On average, CISOs said they’d be willing to give up 7.76% of their wage, which equates to $9,642 (£7,475) per year.
Gary Foote, CIO, Haas F1 Team said: “I’m not surprised to see that stress levels are consistently high from 2019 to 2020, with the threat landscape continuously shifting. But it is always disappointing to read that it continues to have a big impact on the personal lives of my peers. Mental and physical health at work is a hugely important subject, and though some organisations are recognising this and reacting positively, there is still a lot of progress to be made. Burnout will neither help the CISOs, the board or the business, and consequently accelerated change is required to ensure security teams are supported; technically, financially and personally.”
Is there too much pressure on CISOs?
More support needed from the board
Where does the c-suite sit in all this? The research found that the board does take security seriously, with 47% saying that cyber security is a “great” concern to them.
They are aware of the high-pressure nature of the CISO’s job, with 74% saying they believe their security team to be moderately or tremendously stressed. However, many still hold the CISO responsible for a breach and expect them to deliver more value to the business.
The key findings:
• 66% of the organisations surveyed had experienced at least one security breach in the past year, 30% had experienced multiple 24% of CISOs said that their board doesn’t accept breaches are inevitable.
• The majority of both CISOs (37%) and C-Suite (31%) believe the CISO is ultimately responsible for the response to a security breach.
• 29% of CISOs believe that the executive team would fire the responsible party, which is confirmed by the c-suite (31%). A fifth (20%) of CISOs believe they would be fired whether they were responsible or not.
• 97% of the c-suite said that the security team could improve on delivering value for the amount of budget they receive.
Stuart Reed, VP of Cyber at Nominet, commented: “Our research into the attitudes of the board shows that they understand the risk of cyber crime to their organisation and they even appreciate that the CISO is placed under considerable stress to combat this risk. However, this awareness has clearly not translated into support for the CISO. Until this stress is relieved, the CISO’s ability to deliver value to the business will be diminished as their ability to do their job is hampered and they quickly become burnt out.
“The role of the CISO can only be improved by a better working relationship with the board, and so it’s important that the c-suite recognise that improving the CISO’s working life can only have positive outcomes for the business. With a strong and empowered CISO at the head of their security team, organisations will face less risk, be better protected, be more able to deal with a security breach when it hits, and ultimately become safer from cybercrime.”