- A quarter of CISOs worldwide suffer from physical or mental health issues due to stress, with just under one-in-five turning to alcohol or medication, and more than half failing to switch off from their work
- Almost a third fear for their jobs, as cyberattacks continue to threaten their organisations, while other board members don’t recognise the inevitability of an attack
- More than half don’t feel as though they have enough budget or resources to deal with the growing threat landscape, as they struggle to spot existing vulnerabilities within their business
14 February 2019 – Oxford, UK. – Today, Nominet publishes Life Inside the Perimeter: Understanding the Modern CISO, a report which examines the external and internal stresses and pressures facing a modern CISO, and looks at how they are affecting CISOs' personal and professional lives.
Nominet commissioned a survey of 408 CISOs in the UK and US, each overseeing the cyber security of businesses that have an average of just under 9,000 employees.
Increasing stress levels
The report finds that every CISO is experiencing stress in their role. Almost all (91%) say that they suffer moderate or high stress, with 60% saying that they rarely disconnect from their job.
They are also working long hours. Eighty-eight percent of CISOs are working more than forty hours a week, while 22% say that they are available 24/7. The US CISO is particularly bad at disconnecting, with 89% saying that they never have a break for two weeks or more from work.
All of this is causing a physical response to a very digital problem. Over a quarter of those questioned (26.5%) say stress is impacting their mental or physical health, while 23% say the job is eroding their personal relationships.
Most concerning is the 17% of CISOs who admitted to turning to medication or alcohol to deal with job stress.
Pressure from within
Only half (52%) of CISOs feel the executive teams value the security team from a revenue and brand protection standpoint. Worryingly, almost one-in-five (18%) believe their board members are indifferent to the security team, or see them as an inconvenience.
This lack of engagement is troubling, as only 60% of CISOs believe that their CEO / President agrees a breach is inevitable. Couple this with the fact that nearly a third (32%) of all those questioned believe that, in the event of a breach, they would either lose their job or receive an official warning, and it adds significant individual pressure from within the business.
This is worse in the UK, as 37% of CISOs believe that they would receive a warning or be fired, compared with 28% in the US.
Despite awareness about the pervasiveness of cyber threats, 60% of CISOs questioned admitted to having found malware on their infrastructure which had been there for an unknown period of time. The average length of time for discovery was 14 days, plenty of time for data to be exfiltrated and sold on or exploited.
More than half of CISOs (57%) believe that a lack of resources is what holds back an effective security posture, while 63% said they were struggling to recruit the right people.
Echoing the internal pressures, CISOs also stated that a lack of senior buy-in to the problem is an issue, with 65% claiming this as a barrier within their organisation.
There’s also a budget deficiency, as fewer than half of respondents (43%) believe that they have an adequate or very adequate budget to tackle cyberattacks. Only half (51%) think they have adequate or very adequate technology.
Life Inside the Perimeter: Understanding the Modern CISO
The report looks to highlight the very physical effects that the heightened cyber threat is causing to those who are at the coalface, tasked with defending their organisations from financial, legal and reputational damage.
Russell Haworth, CEO, Nominet says: “CISOs around the world are facing mounting pressures amid a rapidly shifting cyber landscape. Criminals are forever finding ways to exploit vulnerabilities, and do not discriminate against the businesses they attack. Everyone is a target.”
Haworth continues: “It’s no surprise that CISOs are facing burnout. Many lack support from within their organisations, and senior business leaders need to face the facts: the threats are real, and CISOs need to be given the resources and support to tackle them. If not, the board must face the consequences.”
“The risk is not only personal to a CISO, but a business’ hard-won reputation. The growing economic cost is also a worrying trend – a recent report put the cost of global cybercrime at $600 billion in 2017, with that cost likely to rise in the future. We must all work harder, and cooperatively, to mitigate potential losses by having the right strategy, tools and resource in place to prevent breaches in the first place.”
Dr Dimitrios Tsivrikos, a business psychologist and lecturer at University College London, says: “It is of paramount importance that we address organisational stress and extra emphasis ought to be paid to CISOs. As a group of employees, they are faced with overwhelming pressure. Errors in their judgment, caused by excessive work-related stress, can indeed have detrimental effects upon business and personal data.”
Dr Tsivrikos continues: “In addition, individuals who are stressed at work are oftentimes not living their best lives privately, either. Most of us find it difficult to suppress the pressures from work, and they do indeed spill over into our private life. This poses significant health-related threats to personal well-being as individuals rely on alcohol and other non-constructive behaviours in order to relax and find relief from those pressures.”
A copy of the full report, which goes into the survey’s findings in more detail, can be found at https://www.nominet.uk/life-inside-the-perimeter-understanding-the-modern-ciso/.
Notes to editors
About the research
Nominet commissioned Osterman Research, one of the leading cyber security research firms, to survey 408 CISOs overseeing security for organisations with a mean average of 8,942 employees. This comprises 207 companies in the USA and 201 companies in the UK, spread across a range of sectors. The objective was to collect and analyse a large enough dataset to draw valid conclusions about the opinions, behaviours and mindset of those making cyber security decisions at large organisations.
Nominet is driven by a commitment to use technology to improve connectivity, security and inclusivity online. For 20 years, Nominet has run the .UK internet infrastructure, developing an expertise in the Domain Name System (DNS) that now underpins sophisticated threat monitoring, detection, prevention, and analytics that is used by governments and enterprises to mitigate cyber threats. A profit with a purpose company, Nominet supports initiatives that contribute to a vibrant digital future and has donated over £45 million to tech for good causes since 2008, benefitting more than 10 million people. The company has offices in Oxford and London in the UK and Washington, D.C. in the U.S. www.nominet.uk.
About Nominet Cyber Security Services
Nominet’s cyber security solution – Nominet NTX – cuts through the sea of data that teams are working with and provides immediate visibility of threats and anomalies to preserve the integrity of your network. All networks rely on DNS traffic, but it is often overlooked in the security stack and therefore becomes the ‘open back-door’ for cyber criminals. Using patented machine learning techniques, Nominet NTX analyses vast volumes of traffic to predict threats, identify infected devices and pinpoint malicious behaviour, alerting security teams so action can be taken before threats become a problem.
To learn more, please visit www.nominet.uk/ntx