By Ewen O’Brien – VP of Enterprise, EMEA at BitSight,
Everyone experiences stress in their jobs, but security leaders may have it worse than most. According to recent research, 60% of CISOs admit they rarely disconnect from work, while 88% work more than 40 hours per week. It’s no surprise that 51% of tech executives experience stress-related illnesses as a result of cyberattacks, tech outages, and breaches – a number that increases to 56% among CTOs and CIOs.
That’s because when today’s CISO goes to work, they face huge pressure to keep their organisations secure. Should they fail, the consequences are significant. Aside from the privacy concerns of users, cyberattacks have huge financial ramifications. The average cost of a cyberattack soared to $4.6 million per incident in the first half of 2019. Each minute data is inaccessible, or a system is locked down by malware, organisations stand to lose money. Plus, no one wants to be the one to preside over the next massive data breach.
To complicate matters, despite the plethora of available security monitoring and protection tools, CISOs often feel they have little control over the probability of a cyberattack happening and are overwhelmed and even chastised when it does. CIO Dive reports that 45% of executives say they’ve experienced online or verbal abuse in connection with cyber incidents, while Dark Reading suggests a link between the stress and constant urgency of the job and the average tenure of a CISO (18 to 24 months). Compare that to the average tenure of a CEO (8.4 years), CFO(6.2 years), and COO (5.5 years).
Managing the burnout
Common principles of stress management recommend boiling the source of stress down to its simplest elements, writing down everything you need to do, and prioritising deadlines. Once you know what you’re dealing with, you have a newfound sense of order and direction. If you are still struggling to get motivated, check off the easiest stuff first.
In the land of cybersecurity, things are a little different. Being in a constant reactive mode of responding to and prioritising continually evolving and increasingly sophisticated threats takes its toll. There’s no easy button to press; no deep breathing exercise that can help. To further compound stress levels, CISOs lack visibility into their organisation’s security exposure, particularly across their increasingly interconnected supply chains. How do you check off and fix the security risks that matter most to your organisation if you don’t know what they are?
Instead of playing a game of whack a mole with cyber threats, CISOs can take proactive steps to measuring cybersecurity performance and risk using tools like security ratings.
Security ratings can change the way CISOs approach risk management by allowing them to simplify their understanding of threats and take a more proactive stance toward cybersecurity. Security ratings automatically monitor the security status of your organisation, third-party vendors and suppliers, and even M&A targets for vulnerabilities and risk vectors on a continuous and global basis. These easy-to-understand ratings provide real-time insights that allow CISOs to see exactly what they’re up against and prioritise their responses accordingly.
By checking off the small stuff — closing open ports, fixing web application headers, etc. — CISOs can easily score quick wins. Then, they can safely move onto the bigger stuff, like protecting their organisations from more complex risks like the BlueKeep vulnerability or the next WannaCry.
Gain control and decompress
By understanding where the true security problem lies, CISOs can better understand their risk exposure, and assert control from there. They can also put an end to breach accountability and, with the right KPIs, show executive leadership exactly how they approach security problems. They can feel safe in the knowledge that they have done everything they can to make their organisations more secure.
Perhaps most importantly, they can begin to decompress — at least a little — and rest easier at night.