Nearly a third of CISOs or IT security leaders in the United States and the United Kingdom are considering leaving their current role, according to research by BlackFog.

Of those considering leaving, a third would do so within the next six months, according to the survey, which polled more than 500 IT security leaders.

The report also found that, among the top issues security pros have with their current role, the lack of work-life balance is the most troublesome—cited by three in 10 survey respondents.

More than a quarter (27%) of respondents said that too much time was spent on firefighting rather than focusing on strategic issues.

Twenty percent said they felt that keeping their teams’ skill levels in line with new frameworks and models such as zero-trust was a “serious challenge”, while 43% of respondents said they found it difficult to keep pace with the newest innovations in the cybersecurity market.

Using Automation to Ease the Pressure

Phil Neray, vice president of cyber defense strategy at CardinalOps, a detection posture management company, said both CISOs and security operations center (SOC) personnel take pride in being cybersecurity defenders for their organizations and both groups feel the pain of information overload and constantly being on call to respond to the latest emergencies.

“What needs to change? The CISO’s peers in the business need to understand that cybersecurity risk is a top business risk, not just an IT issue, and they need to allocate higher budgets to support a higher level of staffing in the SOC,” he said.

In addition, Neray said that investing in more automation for the SOC will free CISOs and their teams from performing mundane tasks.

“This way, they can direct their human creativity and innovation toward proactive activities like threat hunting and remediating gaps in their defensive posture, rather than always being reactive,” he explained. 

Darren Guccione, CEO and co-founder at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, added that there is “absolutely no denying” that being a CISO is one of the most difficult and demanding roles in any company.

“The board of directors and fellow business leaders must support their CISO’s priorities and needs, particularly when they’re faced with a cyberattack or data breach,” he said. “Without that support, talented CISOs won’t stick around as there are plenty of other job opportunities awaiting them.”

Indeed, the BlackFog report noted that recruiting is a challenge globally and that, with stiff competition to attract the best talent, organizations need to address the well-being and work-life balance issues that have persisted across the industry.

Acknowledging CISO Burnout

Sounil Yu, CISO at JupiterOne, a provider of cybersecurity asset management and governance solutions, noted that CISOs face an uncommonly high risk of burnout due to the nature of security work. 

“Burnout is more common than most realize,” he said. “Acknowledging burnout risks is an important way to be supportive and to let team members know that they are not alone.”

Yu pointed out that CISOs cannot personally shoulder the burden of mitigating burnout.

“Instead, CISOs should educate their company’s board and fellow executive leaders on security burnout risks and collaborate with HR to improve resources such as employee resource programs, flexible working arrangements and systems of reward and recognition,” he said. 

John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, said CISOs are facing the same burnout risk as cybersecurity professionals with one key difference: the CISO is the designated ‘throat to choke’ when things go awry.

“One of the biggest changes to be made in the C-suite to improve the situation for security leaders would be focusing on freeing the CISO to work on strategic issues,” he said. “Constant firefighting burns out everyone up and down the ladder. You can handle that with line staff with job rotation, but the CISO needs to have the resources to make their life better overall.”

Bambenek added that mandatory PTO that involves someone else tending to the fires while the CISO is gone would help, too.

“PTO where you are still on call isn’t PTO,” he noted. “It’s just working from home.”

He explained that organizations that are well-funded should have emerging technology labs where they can explore both new technology and new security tools to help address the challenges CISOs are facing. 

“A big part of this problem is threats evolve with rapid changes in technology—security is playing catch-up behind both,” Bambenek said.