If your IT and cybersecurity staff seem burnt out, they probably are. Scaling up remote work and securing your organization against an onslaught of recent cybercrime waves has had teams scrambling over the last two years.
However, a new report from email security software provider Tessian finds burnout is not just amongst the rank-and-file, as CISOs are increasingly reporting burnout and the inability to take time off.
Missed vacations, long hours leading to burnout
Although not surprising given the current climate, the report paints a dire picture of the life of an information security chief. According to the report’s findings, 25% of CISOs have not taken time off in the last year, 42% have missed holidays due to work demands, 44% have missed a doctor’s appointment and 40% have missed a family vacation.
On average, CISOs work 11 more hours than they’re contracted to each week, while 10% work at least an extra 20 hours.
And one-third are not able to exercise regularly, the report found.
“We now have more concrete numbers and deeper examples of what the impact is of what CISOs and many organizations face today as they try to do all of the things as superheroes,” Tessian CISO Josh Yavor said in an interview with My TechDecisions.
What’s more dangerous than a burnt-out CISO is the possibility that those feelings cascade down to the rest of the organization, which illustrates the importance of not placing an organization’s cybersecurity in the hands of just one person.
CISOs can’t do it all
CISOs are responsible and accountable for their organization’s security, but those responsibilities should be shared throughout an organization’s IT and security staff, as well as end users.
“A CISO team can’t do everything on their own,” Yavor says. “So, how do organizations all the way up to a CEO level of responsibility actually set the precursor realities in place for a more sustainable and humane set of working experiences by driving cross-organizational accountability and partnership?”
That answer, Yavor says, is achieving buy-in from the rest of the executive team and having that cascade down to managers and end users.
“The most critical part is that security leadership is actually sufficiently engaged with the top-level executive team, so that alignment on those types of initiatives about broadly effecting organization-wide culture have sufficient buy-in and empowerment from the top,” Yavor says.
Software alone won’t solve this issue
The report also found that human error is playing a significant role in burnout, with attacks caused by human error leading to many hours spent responding to incidents.
A quarter of respondents said they spend 9-12 hours per month investigating and remediating each threat caused by human error, and more than one-third spend excessive time investigating.
Automation and investing in the right cybersecurity solutions can make a dent in these issues, but Yavor is adamant that tooling alone won’t solve this problem.
According to Yavor, security departments aren’t spending enough time on properly configuring programs, automating security tasks, skilling up their workforce or staffing appropriately.
“You can create actually a worse situation for your security teams and your CISO if you adopt all the tooling, but you don’t have the right staffing to actually support the outcome of that tooling,” Yavor says.
For example, email security tools that prompt end users to consider the security of an email empower the employee to decide whether to open the email themselves, rather than filing an IT ticket.
“That creates a much more efficient and effective experience for everyone involved,” Yavor says. “The security team doesn’t need to get directly involved.”
Advice from a CISO to other CISOs
Yavor, who has held management or executive-level information security jobs for nearly a decade, said he was suffering from the very conditions his company’s report describes before he made changes about four years ago.
Aside from emergencies, Yavor set new expectations for himself, including working a predictable amount of time on a consistent basis.
While that obviously led to a diminished capacity for him to work on his organization’s security posture, it empowered others in the organization and the security team.
“That led to not perfect – but ongoing improvements to the overall efficacy of my team and its output, and also the actual conditions in which all of the employees on my team operated under,” Yavor says.