On our behalf, Osterman Research surveyed over 400 CISOs at organisations with a mean of 8,942 employees, split between the UK and the US and spread across a range of sectors.
In many ways the findings were not surprising. Modern CISOs have to be as much leaders, motivators and politicians as they are technically aware. The surprises came from the scale of the effects that the pressures were having on careers and personal well-being, detailed in the full report.
CISO well-being – survey highlights
The report uncovered three key findings:
- As CISOs struggle to gain the resources they need, breaches become inevitable.
- Board level understanding of the cyber threat organisations face is still patchy, causing numerous problems.
- Inevitably CISOs are finding it hard to cope with the pressure.
These three findings are clearly intertwined and lead to significant job insecurity, whether justified or not.
Resources vs Risk
As with any other aspect of business, the CISO has to compete for and justify spending. Most C-suite executives feel they don’t have enough resources to do their job the way they would like, but CISOs face a particularly difficult job in that spending can only deliver a probability of lower costs, not demonstrably lower costs or higher revenue.
While cyber security has traditionally been about protecting assets – a specialist insurance policy – the reality is that it should now be seen as an enabler for change. Strong cyber security, that doesn’t put up frustrating barriers, provides a platform for organisations to take on digital transformation and reap the benefits of technical innovations such as the Internet of Things, cloud & mobile, AI and big data. Without the highest levels of protection, attempts to make companies digitally agile simply expose larger attack surfaces to cyber criminals.
Life inside the perimeter - understanding the modern CISO
Our report focuses on the external and internal stresses and pressures facing a modern CISO.
Download the report in full to get a better understanding of the challenges that they face.
Understanding today’s cyber threats
Our survey revealed that CISOs are still having difficulty getting their messages across. Although CISOs generally feel valued, the level of cyber security knowledge at board level is still lacking.
One effect of this is that CISOs suffer from job insecurity. A third believe that they would be sacked or otherwise disciplined if the firm suffered a major breach, because at board level there isn’t the appreciation that breaches are almost inevitable – what matters is prevention as far as possible, then minimising damage if something gets through the defences.
It’s telling that the average job tenure is less than three years, with 30% reporting an average of less than two years in the job.
Living with the worry
The third key finding unearthed by Nominet’s research is an inevitable outcome of the two points made above: CISOs are having a hard time switching off and relaxing under the pressure.
One in four CISOs admits having to deal with mental or physical health issues, with 17% either medicating or drinking to cope with job-related stress. The vast majority, nearly 90%, work more than 40 hours a week, with exhaustion compounding stress levels.
There is another side to the coin though. Following up on our research we interviewed a number of CISOs and found that many feel they handle the pressure and are able to lead a full life too. Gary Foote, Haas F1 Team CISO, comes almost completely offline when he’s at home, and Joseph Da Silva, CISO of Electrocomponents, fits in 15 hours of study a week for his PhD.
A helping hand?
How can Nominet help? By providing an extra layer to companies’ security stacks, one that can predict, detect and block malware, phishing and data theft.
In recent customer installations Nominet’s NTX platform has identified previously undetected malware infestations, spotted malicious domains days before any third-party feeds, diagnosed network inefficiencies and found malware on Android phones and tablets brought into an organisation with a bring-your-own-device (BYOD) policy.
NTX applies deep-packet DNS analysis, using unique algorithms, data science and machine learning, to close the gap between malicious domains going live and being blocked. This makes it harder for them to operate and limits the damage they can do to any organisation, in turn helping CISOs to sleep at night.