Mental health of CISOs, act before it’s too late


According to a study conducted by CESIN, 61% of its members have a level of stress likely to have harmful consequences on their health. So the next big threat to business security may not lie in a new strain of malware or in the innovative tactics, techniques and processes adopted by cybercriminals. It could instead come from the mental health of information systems security managers (RSSI, the French term for CISO), because of the pressure they face on a daily basis.

The security team is not the only one under pressure within companies. Employees who carry out different functions must also meet very strict objectives and requirements, which are sometimes even impossible to achieve. But what makes the job of the CISO unique is its relative newness when most of the other functions of a modern organization have existed for decades and are therefore relatively well defined.

A role with unclear responsibilities

The IT security manager often finds himself responsible for any failure related to an organization’s digital presence, which is a very large responsibility. If consumer data is compromised, the CISO can be held responsible for any resulting compliance, customer service and brand implications. If fraudulent payments are made, or if machines are damaged or processes are disrupted as a result of an attack, they can also be held liable for the resulting financial consequences. If employees transfer data into a cloud-based system, the CISO still likely bears the responsibility, even if his teams are unaware of it. And if a new, previously unknown type of threat compromises systems in ways no one could have predicted, once again: it’s their fault.

In reality, liability for anything related to corporate security is nebulous. Regardless of the hierarchical level in the company, security roles are new and rarely benefit from a standard job description, unlike other functions in the company. For example, managing access controls may be the responsibility of the CISO in one organization, while in another it will be the responsibility of the network team.

External expectations

The pressure is all the greater since the management does not necessarily have realistic expectations as to the ability of the CISO, and his team, to protect the company’s data and applications. CEOs, CFOs, COOs and General Counsel often think of security as a mathematical equation. They believe that the security manager is able to identify all possible gaps and then close them. The proposition sounds simple, but in reality, securing a large and dynamic enterprise infrastructure is anything but an easy exercise.

In addition, the management team and the board of directors often expect the CISO to respond immediately to any questions they may have. If the person is unable to respond on the spot, his professional performance is likely to be called into question, directly or indirectly. Yet the organization may use several hundred applications and tools, accumulated over the years. It is therefore not so surprising that it takes time to consider an issue and to investigate accordingly.

In addition, customer expectations in terms of shopping experience and service quality, but also respect for privacy and data confidentiality, put further pressure on the security team. Dissatisfied consumers will not hesitate to abandon their purchases or complain on social networks, which directly impacts the organization’s turnover and reputation. Finally, the regulatory environment is not to be neglected in the daily mental burden on CISOs: many of them must demonstrate to numerous competent bodies that their company guarantees security in specific areas.

For some CISOs, these stressors are aggravated when a sense of responsibility to the community or the nation is added to the missions entrusted to them. Oil pipelines, government entities and healthcare facilities are all critical infrastructures that have recently been hit by ransomware. National security is now on the agenda of security managers, an issue that cannot be ignored but for which they have not necessarily received training.

The consequences on mental health

All of these factors add up and create significant anxiety among many CISOs and security teams. At the same time, hackers continually put the skills of these professionals to the test, looking for the slightest mistake that they could exploit to their advantage. From a mental health perspective, the toll is heavy. However, unlike the military, who are subject to similar pressures, security teams lack both clarity on their mission and a support structure of the kind the armed forces have built up over the centuries.

Many CISOs have been affected by mental health problems in recent years. Yet many of them are reluctant to talk about it. While it is easy to ask management for additional resources or tools by arguing with figures in support of better profitability, it is more difficult to justify psychological support. CISOs also believe that this would be perceived as a lack of skills, and that a discussion on the subject indicates that they are unfit to do their job.

However, allowing mental health issues to fester can have disastrous consequences on top of security personnel shortages:

  • Professional exhaustion (burn-out) of CISOs, a phenomenon that many already know to some extent.
  • The choice of some recent graduates not to pursue a career in security, because they do not want to undergo the stress of it.
  • High turnover. Research from ThreatConnect shows that high stress levels are among the top three causes of employee departures, cited by 27% of respondents.
  • Stress management through self-medication and alcohol, a very alarming effect of the taboo surrounding mental health. In early 2019, before the pandemic, Forbes published the results of a survey in which 1 in 6 CISOs admitted to turning to these options to deal with work-related stress. Many more were probably in a similar situation at the time but did not admit it.

Moreover, the stress level of CISOs has increased during the pandemic, due to the implementation of telework and the need to access digital resources at all times, which increased the risk of compromise and disruption. All of this disruption and the need to increase productivity have taken a toll on the mental health of cybersecurity leaders, and that is a boon for cybercriminals. A less vigilant CISO is indeed a major security risk.

What to do?

Businesses need to tackle the mental health crisis, both to ensure a rational response when organizational security is at stake, and to train, attract and retain top talent to deal with cyber threats. To do this, management must be aware of the level of pressure to which CISOs and their teams are subjected on a daily basis. The aim is to promote a healthy work-life balance among these teams, and to ensure that the company provides a safe environment to seek mental health help. It is also necessary to put in place simple tools to manage stress, which are neither time-consuming nor penalizing for CISOs.

Within a company, everyone has a role to play in making managers aware of this crisis, which could emerge at any time, so that they realize that this work is difficult and that many CISOs have legitimate concerns about discussing mental health problems. Business leaders should be reminded to reach out to their IT security officer proactively and without judgment. While CISOs will always be under pressure because of their complex and important tasks, there are methods that can help alleviate this stress.
