UK-based cyber company Nominet released its CISO Stress Report, attempting to shed light on the burden carried by the person responsible for protecting corporate networks in 2020. The U.S./UK study serves as a follow-on to Nominet’s first couple of reports looking at the role of the CISO, including one on the perspectives of boards. Some well-known facts are confirmed, along with important current data points on CISO-C-suite dynamics:
- 88% of CISOs remain moderately or tremendously stressed.
- 90% of CISOs said they’d take a pay cut if it improved their work-life balance.
- Most CISOs still lack strong support from the rest of the C-suite.
CISOs are the human embodiment of the modern cyber challenge. Though the study reads like a study of mental health in the workplace, the extremely high levels of stress result in extremely high CISO turnover—an average tenure Nominet cited as only 26 months. This injects a near-constant level of change into a corporate security team that, like any corporate function, requires a degree of stability and continuity in leadership and strategic direction to perform at optimal levels. This human dimension of cyber puts into context the results of the IBM security report showing high levels (80%+) of server misconfiguration, which is behind most data loss incidents.
This strain and poor mental health cascade across the security team, which carries all of the downside risk without sharing in the positive performance incentives enjoyed by other corporate functions. This also demonstrates the importance of defining good versus bad cyber performance and establishing commonly accepted metrics beyond “breach or no breach.” How else can good performance actually be incentivized, moving the team beyond constant fear of the next breach?
Taking this into account, it should come as no surprise that a growing skills gap in cybersecurity (500,000 unfilled positions in the U.S. alone) is dragging down cyber governance performance at many companies. Cyberhedge data shows that a decisive factor in good or bad cyber performance is having the people in place to execute policy and process—more critical than the technology itself.