This year’s CISO Stress report had some sobering findings, and particularly shocking was the number of CISOs who believe that their job is impacting their mental health.
We also looked at drivers of CISO stress and this got me thinking about the wider issue of expectation in the workplace. Expectations around working hours, delivery and measurements of success.
Unlike our parents’ generation, we have mobiles that are always on and a culture of agile working that means, rather than a 5pm ‘clock-out’ time, we have to physically switch off devices and step into our personal lives.
For some, it may be just that simple. One mode off, another mode on. But, for many of us, the lines are far more blurred than that.
Our research found:
- 95% of CISOs work more than their contracted hours, on average 10 hours more than expected
- Only 2% of CISOs said that they were always able to switch off
- 87% of CISOs said that working additional hours was expected by their organization
- 78% of C-Level respondents agreed that they expect the security team to work beyond their contracted hours
- Expectations for longer working hours were reported to be higher in the US, although the hours the CISO works overall were comparable
Often, in an effort to always be delivering value and exceeding expectations, we accept that the traditional division of work-life vs home-life is blurred, but is this necessary? Does it do us more harm than good – both professionally and personally? Are we missing the point, and is setting expectations around what value looks like really the answer?
For the CISO specifically, for example, while there will inevitably be obligations to your team and for contribution to the technical delivery, good processes and procedures, combined with a well-oiled team, should mean that your input is more about strategy and guidance rather than the day-to-day nitty-gritty.
Then there is the support for the business. Understandably, the leadership would want to call on the CISO in matters of concern or as the business goes through transformative changes that may have an impact on security. This should be built into the role though, and not represent additional hours or concern. It certainly shouldn’t be last-minute firefighting, as this would imply that the CISO really hasn’t been integrated into the leadership of the business.
Arguably, ensuring the wider business is clear on what value a CISO brings, which has to be a long-term vision that is measured over time, could alleviate some stress. And I believe that critical to setting these expectations is a good relationship between CISO and the leadership team.
It will be interesting to talk to CISOs in the field now our research has been launched, to understand whether they believe expectations need to be better aligned as the role of CISO has evolved and whether they truly do feel an integrated member of the team.
One thing is for sure; with such worrying statistics, we need to get on board with security being a team sport, not a solo game for CISOs of win or lose.
Read the full CISO stress report.
You can also see where you score using our Stressulator, which was based on the research.