Nominet CISO Stress Report: businesses get £23k ($30k) ‘free’ CISO time while impact of stress on mental health doubles in 2020

6th February 2020


CISO’s say they’d give up £7.5k ($10k) of salary for a better work-life balance, while 97% of the board says they want CISOs to deliver even more value

Nominet has published The CISO Stress Report – Life Inside the Perimeter: One Year On, on the working life of the CISO. This year’s report looks deeper at the impact of continued stress on the mental health and personal lives of CISOs, and drills down into the causes of stress including poor work life balance and a lack of support from the board. Nominet interviewed 400 CISOs and 400 C-Suite executives on the challenges of the CISOs role – with an even split between the UK and the US.

Work stress is impacting CISO health and damaging relationships

The research found that the vast majority of CISOs (88%) remain moderately or tremendously stressed, a small decrease from 91% in 2019. However, this stress is now taking a greater toll on CISOs’ mental and physical health, and their personal relationships.

Key findings:

  • 48% of CISOs said work stress has had a detrimental impact on their mental health, almost twice as high as last year (27%). 31% also reported that their stress had impacted their physical health.
  • 40% of CISOs said that their stress levels had affected their relationships with their partners or children
  • 32% said that their stress levels had repercussions on their marriage or romantic relationships and 32% said that their stress levels had affected their personal friendships
  • The number of CISOs turning to medication or alcohol has increased by a quarter year on year, from 17% in 2019 to 23% in 2020

This personal impact is also having negative effects for organisations, with (31%) of CISOs saying that stress had affected their ability to do their job, 2% more than in 2019. This results in a high rate of burnout, with the survey reporting that the average tenure of a CISO is just over two years (26 months).

Russell Haworth, CEO of Nominet: “We are potentially heading towards a burnout crisis if the very people who we are relying on to keep businesses secure are operating under mounting pressure. CISO stress is on the rise – with almost 90% moderately or tremendously affected – and it’s taking a greater toll on their personal lives and well-being.Not only is this harming the lives of CISOs but it will ultimately make it harder to retain staff, catch attacks early and improve security.It is worrying that at board level, understanding of these pressures appears not to have translated into action.”

Dr Dimitrios Tsivrikos, Lecturer in Consumer and Business Psychology, University College London: “While there have been positive steps in mental health and stress-related issues, the essence of tackling these issues has not received as much attention as needed. While measuring, understanding and incorporating key findings within the work is incredibly important, we also need to consider that there is a lack of research that looks into the work-life balance.

“We do anticipate that stress levels will continue to rise until we address the issue of stress, mental health and well-being at work. These are issues that are recognised but we have to match awareness with passion for actually tackling stress and allowing employees to live a happier and healthier life.”

Overworked CISOs would sacrifice salary for better work-life balance

Investigating the causes of CISO stress, the research found that almost all CISOs are working beyond their contracted hours, on average by 10 hours per week. Even when they are not at work many CISOs feel unable to switch off. As a result, CISOs reported missing family birthdays, holiday, weddings and even funerals. They’re also not taking their annual leave, sick days, or time for doctor appointments – contributing to physical and mental health problems.

Key findings:

  • 71% of CISOs said their work-life balance is too heavily weighted towards work
  • 95% work more than their contracted hours – on average, 10 hours longer a week – which means CISOs are giving organisations $30,319 (£23,503) worth of extra time per year
  • Only 2% of CISOs said they were always able to switch off from work outside of the office, with the vast majority (83%) reporting that they spend half their evenings and weekends or more thinking about work
  • 87% of CISOs say that working additional hours was expected by their organisation

Revealingly, almost all surveyed CISOs (90%) said they’d take a pay cut if it improved their work-life balance. On average, CISOs said they’d be willing to give up 7.76% of their wage, which equates to $9,642 (£7,475) per year.

Gary Foote, CIO, Haas F1 Team: “I’m not surprised to see that stress levels are consistently high from 2019 to 2020, with the threat landscape continuously shifting.But it is always disappointing to read that it continues to have a big impact on the personal lives of my peers. Mental and physical health at work is a hugely important subject, and though some organisations are recognising this and reacting positively, there is still a lot of progress to be made.Burnout will neither help the CISOs, the board or the business, and consequently accelerated change is required to ensure security teams are supported; technically, financially and personally.”

More support needed from the board

So where does the C-Suite sit in all this? The research found that the board does take security seriously, with 47% saying that cyber security is a “great” concern to them. They are actually more likely than CISOs to think that cyber threats are a “high” or “very high” risk to their business (90% vs 66%). They are also aware of the high-pressure nature of the CISO’s job, with 74% saying they believe their security team to be moderately or tremendously stressed. However, many still hold the CISO responsible for a breach and expect them to deliver more value to the business.

Key findings:

  • 66% of the organisations surveyed had experienced at least one security breach in the past year, 30% had experienced multiple
  • 24% of CISOs said that their board doesn’t accept breaches are inevitable
  • The majority of both CISOs (37%) and C-Suite (31%) believe the CISO is ultimately responsible for the response to a security breach
  • 29% of CISOs believe that the executive team would fire the responsible party, which is confirmed by the C-Suite (31%). A fifth (20%) of CISOs believe they would be fired whether they were responsible or not.
  • 97% of the C-Suite said that the security team could improve on delivering value for the amount of budget they receive

Stuart Reed, VP of Cyber at Nominet concluded:

“Our research into the attitudes of the board shows that they understand the risk of cyber crime to their organisation and they even appreciate that the CISO is placed under considerable stress to combat this risk. However, this awareness has clearly not translated into support for the CISO. Until this stress is relieved, the CISO’s ability to deliver value to the business will be diminished as their ability to do their job is hampered and they quickly become burnt out.

“The role of the CISO can only be improved by a better working relationship with the board, and so it’s important that the C-Suite recognise that improving the CISO’s working life can only have positive outcomes for the business. With a strong and empowered CISO at the head of their security team, organisations will face less risk, be better protected, be more able to deal with a security breach when it hits, and ultimately become safer from cyber crime.”

You can download the full report: The CISO Stress Report – Life Inside the Perimeter: One Year On here.

Want to see where your stress stands against other CISOs? Try out our CISO Stressulator

— ENDS —

Methodology

In autumn 2019, Nominet commissioned Vanson Bourne to conduct 800 online surveys with C-suite executives and Chief Information Security Officers (CISOs) in the US and UK.

Respondents all worked at organisations with 3000 or more employees, across a range of public and private sectors. C-suite executives were all members of the board.

400 surveys were achieved for each job role split (C-suite and CISO), with six extra CISO respondents included, all of whom were recommended to participate via Nominet.

About Nominet

Nominet is driven by a commitment to use technology to improve connectivity, security and inclusivity online. For over 20 years, Nominet has run the .UK internet infrastructure, developing an expertise in the Domain Name System (DNS) that now underpins sophisticated threat monitoring, detection, prevention and analytics that is used by governments and enterprises to mitigate cyber threats.

A profit with a purpose company, Nominet supports initiatives that contribute to a vibrant digital future and has donated over £47m to tech for good causes since 2008, benefitting more than 10 million people. The company has offices in Oxford and London in the UK and Washington DC in the US.

For more information please contact:

Nominet Cyber Press Team, FieldHouse Associates, +44 (0)7961 311080, [email protected]