Commentary From Crisis Management Expert Edward Segal, author of Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and other Emergencies (Nicholas Brealey)

Chief information security officers (CISOs) have been on the frontlines of the cybersecurity wars for quite some time. The impact of heavy workloads on their professional and private lives is showing—and creating new dangers and potential crisis situations for business leaders.

Cybersecurity staff who are stressed, fatigued or suffering burnout cannot function at their full potential and may be prone to errors or poor judgement in a cyber crisis, which could make a bad situation worse.

Missing Out

Prior to the start of the holiday season, email security company Tessian surveyed U.S. and UK CISOs to explore burnout, pain points and other trends affecting these who are dealing directly with cyber threats. According to the company's report that was released today:

• Two in five CISOs have missed holidays like Thanksgiving due to work demands; 25% have not taken time off work in the past 12 months. 
• CISOs are missing out on important events and family holidays, and putting their health at risk by missing doctor's appointments—something 44% of CISOs have experienced in the last year. 
• 40% have missed a family vacation due to work.
• One-third of CISOs report being unable to exercise regularly. 

Working More Hours

Tessian's report found that CISOs work, on average:

• 11 more hours than they're contracted to each week, while one in 10 works 20 to 24 hours extra a week.
• As a result of their stressful jobs, 59% of CISOs say they struggle to always switch off from work once the working day is over.

Impact On Companies

"It's not surprising to hear that CISOs are burnt out, but the findings show how these feelings of burn out can cascade downhill in an organization," observed Josh Yavor, Tessian's CISO. "We need to be thinking about responsibility and risk in an effective and modern way, and we need to understand that while security is ultimately something that CISOs are accountable for, their executive teams need to support them as they can't do everything on their own."

He noted that, "The CISO role is also a difficult job to hold, and this research identifies the impact at a more granular and measurable level than what we've seen before. What comes next is the most important element. How do we make sure that the security functions are significantly empowered within larger organizations and that they have the resources, support and tools they need to perform while avoiding burnout? 

Advice

Yavor had the following advice for CISOs:

Set Expectations

"CISOs have the opportunity to pave the way and set expectations within their organization to deliver survivable and sustainable work experiences. They should ensure security programs and teams are set up appropriately for the best outcomes. To avoid burnout, CISOs should understand the capacity limits of their teams and themselves."

Establish Priorities

"They are ultimately responsible for ensuring that sufficient capacity exists for successful and sustainable execution relative to planned and unplanned work. CISOs need to be able to either say 'no' to unplanned work, or be empowered to effectively shift work priorities to enable capacity and [at] the expense of previously planned work."

Lead By Example

"Burnout often stems when people (in any role) can't manage situations when unplanned work runs up against capacity constraints, and the decision is to perform heroics at the expense of people rather than hold the organization accountable for sustainable work."

"It's critical that CISOs lead by example in these instances. Once we recognize our limitations as humans and leaders and embrace them, the better it is for everyone. [The] uncertainty and discomfort that comes with that kind of approach is a necessary cost of what it takes to do better as a CISO."

                                                                   ###