Ride the Lightning

Average CISO Tenure? 26 Months Due to Stress and Burnout

February 18, 2020

ZDNet reported on February 12 that Chief Information Security Officers (CISOs or CSOs) across the industry are reporting high levels of stress.

Many say the heightened stress levels has led to mental and physical health issues, relationship problems, medication and alcohol abuse, and in some cases, a burnout, resulting in an average 26-month tenure before CISOs find new employment.

CISO jobs come with low budgets, long working hours, a lack of power on executive boards, a diminishing pool of trained professionals they can hire, but also the constant stress of not having done enough to secure the company's infrastructure against cyber-attacks, continuous pressure due to newly arising threats, and little thanks for the good work done, but all the blame if everything goes wrong.

In November 2019, internet and DNS security firm Nominet surveyed 800 CISOs and executives from companies in the US and UK in order to discover how much of a role stress plays for CISOs across the industry.

The survey's results?

• 88% of CISOs reported being "moderately or tremendously stressed"
• 48% of CISOs said work stress has had a detrimental impact on their mental health
• 40% of CISOs said that their stress levels had affected their relationships with their partners or children
• 32% said that their job stress levels had repercussions on their marriage or romantic relationships
• 32% said that their stress levels had affected their personal friendships
• 23% of CISOs said they turned to medication or alcohol

"Even when they are not at work many CISOs feel unable to switch off," Nominet said. "As a result, CISOs reported missing family birthdays, holiday, weddings and even funerals.

"They're also not taking their annual leave, sick days, or time for doctor appointments – contributing to physical and mental health problems."

Nominet said that investigating the causes of CISO stress, they found that almost all CISOs were working beyond their contracted hours, by an average of 10 hours of extra-time per week.

Many were under pressure from their boards. Almost a quarter of interviewed CISOs said boards didn't accept or understand that "breaches are inevitable" and said they'd hold them personally accountable for any security incidents.

Nominet said that 29% of CISOs who answered the survey said they'd be fired in the event of a breach, while 20% said they'd be fired whether or not they were responsible.

90% of surveyed CISOs were willing to take pay cuts if they could reduce stress levels. To those RTL readers who are lawyers, this will be a familiar refrain. Within the past several years, we have focused on the proposition that a good lawyer much be a healthy lawyer. It looks like CISOs are coming to a similar conclusion.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson