Is the CISO Crazy?

There has been a lot said in the IT press lately about people burn-out in cyber security. To that point, it appears that the tenure of an average CISO continues its downward spiral, now trending towards 20 months or less. Twenty months is a crazy short time for anyone to be in such a critical business role. Most organizations need 20 months to accept the scope of the problem and fund a basic plan to move forward. There’s no way 20 months is enough time to understand business impact or enact lasting change.

The question that most boards are asking is why: why doesn't that CISO stick around? Well, Nominet, the UK DNS folks, put out an interesting cyber report last week that may help point to an answer. They surveyed over 800 CISOs from the USA and UK and concluded that extreme levels of stress are a prime factor. Sadly, 48% of those questioned said that work stress was having a detrimental impact on their mental health. OMG, 48% and mental health in the same sentence! Even allowing for lies-damned-lies-and-statistics, that's a crazy number that casts a troubling shadow over the future of security programs everywhere. The Nominet report seems to conclude that far too many security leaders feel the stress of being out-gunned in an unwinnable war, or as Gary Hayslip calls it, a "Cyber Cold War". And worse, most reported feeling underfunded and misunderstood by their fellow executives and by their governing boards. Ouch! And although Nominet only surveyed high-ranking execs, this problem likely crosses the security hierarchy and affects practitioners at every level. Just imagine being a threat analyst or a security tester when you are constantly under attack by a sophisticated adversary: it's a psychological nightmare. Or take a tour of duty on a security incident response team and you'll quickly see how totally consuming, exhausting and relentless the cyber defense and response game can be.

The Nominet numbers might seem staggering to anyone looking in from the outside, but if you've been part of a large security program you know the pitfalls. Building and sustaining a comprehensive cyber program is as much art and psychology as it is tools and computer science. Not every leadership team or governing board of directors even knows what to ask their CISO to deliver, let alone how to measure their success. There are plenty of tools and methodologies out there, but are they making the job of the CISO any less stressful? If not, pass the hammer and order me a new monitor please...