For the past 20 years, I've served as CISO for companies in different sectors. In this role, I have shouldered responsibility for protecting each organization from a wide swath of rapidly developing cybersecurity threats. I have also learned firsthand how much stress security leaders face day to day.
Recent conversations with my peers have shown stress in cybersecurity is an industrywide problem. The CISO role is one of the most stressful in any organization. And the security function — writ large across every company type and industry sector — stands on the precipice of a stress-induced crisis.
What Sets the CISO Role Apart
The security team is hardly the only group under pressure. Other corporate functions, and other executives, must meet elevated and sometimes unrealistic expectations. But what makes the CISO position unique is its relative newness; most jobs in a modern organization have been around for decades, so they're fairly well-defined. Companies have had many years to flesh out the responsibilities and accountabilities of the CEO, CFO, and COO, for example, and to develop processes that ensure their functions work smoothly.
By comparison, the corporate security function is a bit like the Wild West. From the CISO down, throughout the hierarchy, security roles are new and immature relative to many corporate positions. Thus, the CISO often ends up catching responsibility for everything that could possibly go wrong with an organization's digital presence. That gives the CISO a remit of astounding breadth.
If consumer data is compromised, the CISO may be held responsible for all the compliance, customer service, and brand implications that result. If fraudulent payments go through, the financial fallout may belong to the CISO. If machinery is damaged or processes disrupted through ransomware or another attack, that comes back to the CISO. If employees place corporate data in a cloud-based system, the CISO likely bears the responsibility, even if the security teams aren't aware the data transfer is happening. And if some new and previously unknown type of threat compromises systems in ways no one could have anticipated, once again: It's on the CISO.
Individual cybersecurity events have the potential to derail an organization's strategic plans. But most CISOs don't have a clear blueprint for preparing their organizations to defend themselves against the myriad threats heading their way. They don't even have a standard job description. In one company, access control might fall within the CISO's domain, while in another organization it might belong to the network team.
With every company defining the role and responsibilities for itself, CISOs are left without the safety net of "everybody's doing it this way." Companies aren't all handling security the same way. Each CISO is on their own to determine the best ways to secure a rapidly evolving infrastructure against the rapidly changing threat landscape.
Adding to the pressure is the fact that the C-suite may not have realistic expectations around the degree to which the security team can guarantee corporate data and applications are safe. CEOs, CFOs, COOs, and general counsel often see security as a mathematical equation. They think the CISO should be able to just identify all the possible gaps, then close those gaps. It seems a straightforward proposition. In reality, of course, securing a broad and dynamic corporate infrastructure is anything but simple.
The executive team and board often expect the CISO to have an immediate answer to every question that might come up. The organization may use many hundreds of applications and tools, which have accumulated over decades, but the C-suite may expect the CISO to know all the steps the security team has taken to protect each one. If the CISO can't answer right away, their job performance might be called into question, directly or indirectly.
Customer expectations around not just timely delivery of products and services, but also privacy and data confidentiality, can draw a direct line between the security team's effectiveness and corporate revenue. And then there is the regulatory environment. Many CISOs are expected to demonstrate the organization's security in specific areas to many relevant regulatory agencies.
For some CISOs, these stressors are compounded by a feeling of responsibility for the greater good of the community or nation. From oil pipelines to government offices to healthcare facilities, we've seen the ways in which successful ransomware can cripple critical infrastructure. Suddenly, national security is also on the CISO's agenda. It's a risk CISOs haven't been trained to manage, but that doesn't mean we can ignore it.
In Part 2, we'll talk about the risks to the company when the CISO is under pressure and what we can all do to defuse the situation.
Editor's Note: Dark Reading encourages security professionals to prioritize their mental health.