How Chief Information Security Officers Who Work Extra Hours Could Put Employers At Risk
From:
Edward Segal, Crisis Management Expert
Washington, DC
Sunday, October 16, 2022

 

Commentary From Crisis Management Expert Edward Segal, Bestselling Author of the Award-Winning Book "Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and Other Emergencies" (Nicholas Brealey, 2020)  



Many chief information security officers work extra hours as they try to protect their companies from ransomware and other cyberattacks. Ironically, racking up too much overtime could make the companies vulnerable to a different kind of crisis.

That's one of the conclusions to be drawn from the results of a new survey by Tessian, an email security company.

According to their report, 18% of surveyed security leaders worked 25 extra hours a week, which was double the amount of overtime they worked last year.

Size Matters

The survey also found that security leaders at larger companies are putting in more overtime.

  • Chief information security officers (CISOs) at smaller companies (10-99 employees) report working an average of 12 extra hours a week.
  • Those in the same role at companies with 1,000+ employees report working an extra 19 hours. 
  • Security leaders at small companies said they have more difficulty creating boundaries between work and home life. Twenty percent of CISOs at these companies say they can always switch off from work, compared to 31% of those at larger companies.  

The survey of 600 security leaders in the U.S., UK, Middle East and Africa was conducted by Censuswide in September 2022.

Wake-Up Call

"These stats should serve as a wake-up call to the entire organization about security hygiene and overall posture," Josh Yavor, Tessian's information security officer, said in a statement.

This is especially true "when employees are tired or stressed and more likely to make mistakes like clicking a phishing email or emailing sensitive material to the wrong person," he noted.

When Burnout Begins To Develop

When people "work too many hours of overtime on a consistent basis, that is when burnout begins to develop, according to the definition of burnout by the World Health Organization," Janice Litvin, author of the Banish Burnout Toolkit, noted.

Employees who suffer from burnout are not "able to think clearly due to physical and mental exhaustion. The whole body is busy trying to keep you upright rather than allowing the brain to think creatively," she observed.

That, in turn, can result in bad or delayed decisions, which can create or prolong a business-related crisis. As I wrote last November, "Cybersecurity staff who are stressed, fatigued or suffering burnout cannot function at their full potential and may be prone to errors or poor judgement in a cyber crisis, which could make a bad situation worse."

Consequences Of Working Extra Hours

"Some overtime or extra hours worked can be unavoidable, but the consequences of habitual overwork are real. Our recent study shows that employees are more likely to make mistakes when they're tired or stressed, which could have serious consequences for security pros," Tessian said in a press release.

"A career in information security can be demanding. And as recent headlines have shown, the stakes have never been higher as CISOs are charged with keeping all facets of their organization protected online," the company noted.

Too Much Overtime Can Be Pointless

Litvin pointed to the research of John Pencavel, a Stanford University economics professor, who "found that productivity per hour declines sharply when a person works more than 50 hours a week.

"After 55 hours, productivity drops so much that putting in any more hours would be pointless. And, those who work up to 70 hours a week are only getting the same amount of work done as those who put in the 55," she said.

"In a crisis, our natural human reaction is an emotional one, based in the fight-flight-or-freeze part of the brain. It's important during a crisis to try to remain calm, or in terms of the brain, move the reaction to the pre-frontal cortex, the executive functioning part of the brain, so that you can think rationally and make wise decisions," Litvin said.

"How do you control your initial emotional reaction? By using S-T-O-P, an acronym for Stop, Take a Breath, Observe, and Proceed," she counseled.

'Lead By Example'

"It's critical that CISOs lead by example for their teams," Tessian's Yavor recommended.

"This includes setting and managing expectations, outlining clear priorities and recognizing our own limits. When we set boundaries and acknowledge our own constraints and limitations, others on our team feel empowered to do so as well. The end result is a more efficient and less stressed team," he concluded.

                                                                  ###

Edward Segal is a crisis management expert, consultant and the bestselling author of the award-winning Crisis Ahead: 101 Ways to Prepare for and Bounce Back from Disasters, Scandals, and Other Emergencies (Nicholas Brealey). Order the book at https://www.amazon.com/gp/product/B0827JK83Q/ref=dbs_a_def_rwt_bibl_vppi_i0

Segal is a Leadership Strategy Senior Contributor for Forbes.com where he covers crisis-related news, topics and issues. Read his recent articles at https://www.forbes.com/sites/edwardsegal/?sh=3c1da3e568c5.

News Media Interview Contact
Name: Edward Segal
Title: Crisis Management Expert
Group: Edward Segal
Dateline: Washington, DC United States
Direct Phone: 415-218-8600
Cell Phone: 415-218-8600