CISOs are willing to sacrifice an average of $9,642, or 7.76% of their salaries, for better work-life balance – an elusive goal among those whose employers demand more of their time and effort.
In a study conducted by Vanson Bourne and commissioned by Nominet, researchers interviewed 400 CISOs and 400 C-suite executives to learn more about the toll of continued stress on the mental health and personal lives of security leaders, who have increasingly reported poor work-life balance and little board-level support. They discovered most (88%) CISOs they surveyed are moderately or tremendously stressed, slightly down from 91% in 2019.
Nearly half (48%) of CISOs say work stress has had a detrimental effect on their mental health, nearly double the 27% who said the same last year. Thirty-one percent report the stress has affected their physical health, 40% say it has affected relationships with partners and children, and almost one-third say it has affected their ability to do their jobs. Ninety percent of CISOs would take a pay cut if it meant they could have a more even work-life balance.
There is no single source to CISOs' stress, but excessive hours are a major factor. Almost all CISO respondents (95%) work more hours than contracted, with an average of 10 extra hours per week. Eighty-seven percent say their employers expect them to work additional hours. Only 2% of CISOs say they can "switch off" when they leave the office, and 83% report they spend at least half of their evenings and weekends thinking about their jobs.
"At my level, at even more junior levels, there's an expectation that we're always on," says Nominet vice president of cybersecurity Stuart Reed. "There is this notion of never really switching off for any long period of time." All of these extra hours add up: Ten extra hours of work each week amounts to $30,319 in extra time CISOs give their organizations each year.
Security leaders are expected to wear many hats during those hours. "CISOs are very much expected to be experts not just from a technical perspective, but being able to translate those technical concepts into the business risk or business strategy concepts," Reed says. "The very blended nature of their role means they are potentially taking on the responsibility of more than one person's job."
It's impossible to decouple CISOs' stress from the evolving threat landscape. Mainstream news coverage of major cyberattacks puts an ever-growing spotlight on the CISO, explains Gary Foote, CIO of the Haas Formula One racing team, who also handles security for his employer. As soon as an organization gets media attention for a data breach, it escalates to the board level.
"That gets their attention, and they're going down to the CISO and saying, 'You have to make sure this doesn't happen to us,'" Foote says. "A good amount of C-suite executives will see an attack as inevitable, but there will always be a significant portion that don't." Nominet's study found 24% of CISOs report their boards don't view security breaches as inevitable.
Bonding with the Board
Researchers discovered a telling gap between CISOs and the C-suite when it comes to CISO responsibilities and expectations. The board does take cybersecurity seriously – 47% say it's a "great" concern – and 74% say their security teams are moderately or tremendously stressed.
The C-suite may recognize the importance of cybersecurity and appreciate CISOs' stress, but it doesn't translate into greater CISO support. Just about all (97%) of the C-suite say the security team could improve on delivering value for the amount of budget they receive. This indicates that despite their additional hours worked, the C-suite thinks they should still be doing more.
Demonstrating return on investment has long been a challenge for security teams. A low investment in cybersecurity could result in zero incidents; a high investment may still result in a breach. It's difficult to prove return on investment when the measure of success is a breach that doesn't happen. The challenge, says Foote, is trying to relay this to a corporate board.
Both CISOs (37%) and the C-suite (31%) say the CISO is ultimately responsible for responding to a data breach. Nearly 30% of CISOs say the executive team would fire the responsible party in the event of a breach; 31% of C-suite respondents confirmed this. Twenty percent of CISOs say they would be fired whether or not they were responsible for the incident.