
The Looming CISO Mental Health Crisis — and What to Do About It, Part 2

Letting mental health issues fester may result in burnout and attrition, which affect both the company and the humans it employs.

Shamla Naidoo, Head of Cloud Strategy & Innovation, Netskope

January 31, 2022


In Part 1 of this article, I wrote about how stress factors and sky-high expectations were merging to create a crucible for mental health among CISOs. The executive team often expects CISOs to be able to discover and block all attacks; thus, the responsibility is laid at their feet when a breach happens. And even when one hasn't happened yet, CISOs must constantly worry about what is around the corner. In addition, they are saddled with issues of regulatory compliance, customer expectations, and a general lack of clarity about their roles.

All of these factors combine to create a siege mentality among many CISOs and security teams. Adversaries are perpetually testing their competence, looking for the smallest oversight that they might leverage for their own advantage. From a mental health perspective, this takes a staggering toll. Unfortunately, corporate security functions typically lack the mission clarity, knowledge base, or support structure that other high-stress organizations, such as military forces, have built over centuries.

The Mental Health Implications
This has put many CISOs on a collision course with mental health challenges. Yet many of us shy away from talking about the mental health ramifications of our profession. It's easy to ask the C-suite for headcount or additional technology and tools. We can do the analysis and make the business case. Requesting mental health support is different. Some CISOs feel doing so would be perceived as a lack of competence. They worry that a mental health conversation may suggest that their skills, knowledge, and abilities are inadequate to do the job.

However, letting mental health issues fester may result in dire consequences. One might be burnout among key security leaders and their staff, something many are already experiencing to some degree. Another consequence is that some young people are choosing not to pursue a security career because they don't want to take on the stress. Both of these trends exacerbate the security staff shortages that have been dominating headlines for the past few years.

One more consequence that is highly alarming is CISOs who deal with the stress of the job by self-medicating and using alcohol. In early 2019, pre-pandemic, Forbes published the results of a survey where one in six CISOs admitted to turning to these options to deal with the stress of the job. There were likely many more who did not admit to these practices. CISOs' stress level increased during the pandemic with work from anywhere and the need for seamless access to digital resources at all times, leading to more opportunity for compromise and disruption. All of this pivoting has a mental health toll, and nobody wants the security staff to be impaired when a crisis strikes. Well, nobody except the attackers. A less-than-alert CISO is a major security risk.

What to Do About It
Companies must confront the mental health crisis, both to ensure a sober response when corporate security is on the line and to create and compete for the best security talent. The C-suite needs to recognize the level of pressure CISOs and their teams are under every day. They need to promote a healthy work-life balance for security folks, and they need to make sure the company provides a safe environment to ask for and participate in mental health support. And they also need to seek out and fund support programs that equip CISOs with simple tools to manage stress, without taking too much time away from their jobs or otherwise penalizing them.

Those of us who are not afraid to speak out, and are not intimidated by risks to our careers, should do so. We have a role to play in educating CEOs about this looming crisis. Corporate leaders need to be reminded to reach out to their CISOs proactively and without judgment. CEOs need to recognize that this job is hard, and many CISOs and security staff are dealing with legitimate concerns about speaking up regarding mental health challenges. Our peers — and our profession — need us to spread the word.

For CISOs who are struggling and are not comfortable asking for help, there are resources available. Because our jobs are simultaneously complex and important, CISOs will always be under pressure. The stress will never fully go away. But there are methods that can help us mitigate the stress. This is an industrywide problem, and more common than we realize.

Remember, you can't pour from an empty cup, so refill yourself. Personally, how I recover from stress is with 20-minute blocks of stretching, deep and conscious breathing, and being out in nature. I do yoga and meditation, and I spend part of my day outside with my animals. Stress relief will look different for everyone, however.

For more ideas about finding a calmer life, The Contentment Foundation offers a course on its Four Pillars of well-being. It's aimed at schools, but you can use the concepts to build your own foundation and to keep your staff balanced.

Editor's Note: Dark Reading encourages security professionals to prioritize their mental health.

About the Author(s)

Shamla Naidoo

Head of Cloud Strategy & Innovation, Netskope

Currently the head of cloud strategy & innovation at Netskope, Shamla Naidoo is a technology industry veteran with experience helping businesses across diverse sectors and cultures use technology more effectively. She has successfully embraced and led digital strategy in executive leadership roles such as Global CISO, CIO, VP, and Managing Partner, at companies like IBM, Anthem (Wellpoint), Marriott (Starwood), and Northern Trust.

Shamla has helped organizations in over 20 countries recognize the impact of digital transformation globally and advise their stakeholders on predicting and navigating the necessary changes in laws and regulations. In addition, she has worked with intelligence communities to use digital and cyber within their organizations to protect businesses and society from technology misuse.

Shamla remains actively engaged in the industry, with organizations like the Security Advisor Alliance, the Shared Security Assessments Group, Institute for Applied Network Security (IANS), Executive Women’s Forum (EWF), HMG Strategy Group, and the Round Table Network. In addition, she is an influential member of the legal community, creating and teaching courses on law, technology, and privacy for the University of Illinois Chicago School of Law. She frequently speaks at the American Bar Association and formerly served as the Committee Chair on Legal Technology for the Illinois State Bar Association. As a practitioner, teacher and coach, she enjoys the opportunity to help seasoned professionals to take their careers to the next level.
