The Looming CISO Mental Health Crisis — and What to Do About It, Part 1
The next big threat to corporate security may not be a new strain of malware or innovative attacker tactics, techniques, and processes. It may be our own mental health.
January 28, 2022
For the past 20 years, I've served as CISO for companies in different sectors. In this role, I have shouldered responsibility for protecting each organization from a wide swath of rapidly developing cybersecurity threats. I have also learned firsthand how much stress security leaders face day to day.
Recent conversations with my peers have shown stress in cybersecurity is an industrywide problem. The CISO role is one of the most stressful in any organization. And the security function — writ large across every company type and industry sector — stands on the precipice of a stress-induced crisis.
What Sets the CISO Role Apart
The security team is hardly the only group under pressure. Other corporate functions, and other executives, must meet elevated and sometimes unrealistic expectations. But what makes the CISO position unique is its relative newness; most jobs in a modern organization have been around for decades, so they're fairly well-defined. Companies have had many years to flesh out the responsibilities and accountabilities of the CEO, CFO, and COO, for example, and to develop processes that ensure their functions work smoothly.
By comparison, the corporate security function is a bit like the Wild West. From the CISO down, throughout the hierarchy, security roles are new and immature relative to many corporate positions. Thus, the CISO often ends up catching responsibility for everything that could possibly go wrong with an organization's digital presence. That gives the CISO a remit of astounding breadth.
If consumer data is compromised, the CISO may be held responsible for all the compliance, customer service, and brand implications that result. If fraudulent payments go through, the financial fallout may belong to the CISO. If machinery is damaged or processes disrupted through ransomware or another attack, that comes back to the CISO. If employees place corporate data in a cloud-based system, the CISO likely bears the responsibility, even if the security teams aren't aware the data transfer is happening. And if some new and previously unknown type of threat compromises systems in ways no one could have anticipated, once again: It's on the CISO.
Individual cybersecurity events have the potential to derail an organization's strategic plans. But most CISOs don't have a clear blueprint for preparing their organizations to defend themselves against the myriad threats heading their way. They don't even have a standard job description. In one company, access control might fall within the CISO's domain, while in another organization it might belong to the network team.
With every company defining the role and responsibilities for itself, CISOs are left without the safety net of "everybody's doing it this way." Companies aren't all handling security the same way. Each CISO is on their own to determine the best ways to secure a rapidly evolving infrastructure against the rapidly changing threat landscape.
Adding to the pressure is the fact that the C-suite may not have realistic expectations around the degree to which the security team can guarantee corporate data and applications are safe. CEOs, CFOs, COOs, and general counsel often see security as a mathematical equation. They think the CISO should be able to just identify all the possible gaps, then close those gaps. It seems a straightforward proposition. In reality, of course, securing a broad and dynamic corporate infrastructure is anything but simple.
The executive team and board often expect the CISO to have an immediate answer to every question that might come up. The organization may use many hundreds of applications and tools, which have accumulated over decades, but the C-suite may expect the CISO to know all the steps the security team has taken to protect each one. If the CISO can't answer right away, their job performance might be called into question, directly or indirectly.
Customer expectations around not just timely delivery of products and services, but also privacy and data confidentiality, draw a direct line between the security team's effectiveness and corporate revenue. And then there is the regulatory environment. Many CISOs are expected to demonstrate the organization's security posture in specific areas to every regulatory agency with jurisdiction over the business.
For some CISOs, these stressors are compounded by a feeling of responsibility for the greater good of the community or nation. From oil pipelines to government offices to healthcare facilities, we've seen the ways in which successful ransomware can cripple critical infrastructure. Suddenly, national security is also on the CISO's agenda. It's a risk CISOs haven't been trained to manage, but that doesn't mean we can ignore it.
In Part 2, we'll talk about the risks to the company when the CISO is under pressure and what we can all do to defuse the situation.
Editor's Note: Dark Reading encourages security professionals to prioritize their mental health.
About the Author(s)
Head of Cloud Strategy & Innovation, Netskope
Shamla Naidoo was born and raised in the slums of South Africa. She climbed her way out of poverty, building a successful technology career in South Africa, where she worked for 15 years before moving to the US in 1998. She has worked in strategy, technology, cybersecurity, and risk-related roles for four decades, including as a C-suite executive at some of the world's largest and most powerful companies. Shamla now has a portfolio career in which she serves as an independent director at multiple publicly traded companies; an adjunct professor at UIC Law, the law school of the University of Illinois in Chicago; an industry thought leader and head of Cloud Strategy at Netskope; and a coach and mentor. Shamla's most important roles will always be mom (to children with two legs and four), wife, daughter, and friend. Her goal is to continue making the world a better, safer, kinder, more inclusive place. Joining the Contentment Foundation offers her a way to accelerate these most personal of goals.