In Part 1 of this article, I wrote about how stress factors and sky-high expectations were merging to create a crucible for mental health among CISOs. The executive team often expects CISOs to be able to discover and block all attacks; thus, the responsibility is laid at their feet when a breach happens. And even when one hasn't happened yet, CISOs must constantly worry about what is around the corner. In addition, they are saddled with issues of regulatory compliance, customer expectations, and a general lack of clarity about their roles.
All of these factors combine to create a siege mentality among many CISOs and security teams. Adversaries are perpetually testing their competence, looking for the smallest oversight that they might leverage for their own advantage. From a mental health perspective, this takes a staggering toll. Unfortunately, corporate security functions typically lack the mission clarity, knowledge base, or support structure that other high-stress organizations, such as military forces, have built over centuries.
The Mental Health Implications
This has put many CISOs on a collision course with mental health challenges. Yet many of us shy away from talking about the mental health ramifications of our profession. It's easy to ask the C-suite for headcount or additional technology and tools. We can do the analysis and make the business case. Requesting mental health support is different. Some CISOs feel doing so would be perceived as a lack of competence. They worry that a mental health conversation may suggest that their skills, knowledge, and abilities are inadequate to do the job.
However, letting mental health issues fester may result in dire consequences. One might be burnout among key security leaders and their staff, something many are already experiencing to some degree. Another consequence is that some young people are choosing not to pursue a security career because they don't want to take on the stress. Both of these trends exacerbate the security staff shortages that have been dominating headlines for the past few years.
One more highly alarming consequence is that some CISOs deal with the stress of the job by self-medicating and using alcohol. In early 2019, pre-pandemic, Forbes published the results of a survey in which one in six CISOs admitted to turning to these options to deal with the stress of the job. There were likely many more who did not admit to these practices. CISOs' stress levels increased during the pandemic, as work from anywhere and the need for seamless access to digital resources at all times led to more opportunity for compromise and disruption. All of this pivoting takes a mental health toll, and nobody wants the security staff to be impaired when a crisis strikes. Well, nobody except the attackers. A less-than-alert CISO is a major security risk.
What to Do About It
Companies must confront the mental health crisis, both to ensure a sober response when corporate security is on the line and to create and compete for the best security talent. The C-suite needs to recognize the level of pressure CISOs and their teams are under every day. They need to promote a healthy work-life balance for security folks, and they need to make sure the company provides a safe environment to ask for and participate in mental health support. And they also need to seek out and fund support programs that equip CISOs with simple tools to manage stress, without taking too much time away from their jobs or otherwise penalizing them.
Those of us who are not afraid to speak out, and are not intimidated by risks to our careers, should do so. We have a role to play in educating CEOs about this looming crisis. Corporate leaders need to be reminded to reach out to their CISOs proactively and without judgment. CEOs need to recognize that this job is hard, and many CISOs and security staff are dealing with legitimate concerns about speaking up regarding mental health challenges. Our peers — and our profession — need us to spread the word.
For CISOs who are struggling and are not comfortable asking for help, there are resources available. Because our jobs are simultaneously complex and important, CISOs will always be under pressure. The stress will never fully go away. But there are methods that can help us mitigate the stress. This is an industrywide problem, and more common than we realize.
Remember, you can't pour from an empty cup, so refill yourself. Personally, how I recover from stress is with 20-minute blocks of stretching, deep and conscious breathing, and being out in nature. I do yoga and meditation, and I spend part of my day outside with my animals. Stress relief will look different for everyone, however.
For more ideas about finding a calmer life, The Contentment Foundation offers a course on its Four Pillars of well-being. It's aimed at schools, but you can use the concepts to build your own foundation and to keep your staff balanced.
Editor's Note: Dark Reading encourages security professionals to prioritize their mental health.