Nearly a third of CISOs or IT security leaders in the United States and the United Kingdom are considering leaving their current role, according to research by BlackFog.
Of those considering leaving, a third would do so within the next six months, according to the survey, which polled more than 500 IT security leaders.
The report also found that, among the top issues security pros have with their current role, the lack of work-life balance is the most troublesome, cited by three in 10 survey respondents.
More than a quarter (27%) of respondents said that too much time was spent on firefighting rather than focusing on strategic issues.
Twenty percent said they felt that keeping their teams' skill levels in line with new frameworks and models such as zero-trust was a "serious challenge", while 43% of respondents said they found it difficult to keep pace with the newest innovations in the cybersecurity market.
Using Automation to Ease the Pressure
Phil Neray, vice president of cyber defense strategy at CardinalOps, a detection posture management company, said both CISOs and security operations center (SOC) personnel take pride in being cybersecurity defenders for their organizations and both groups feel the pain of information overload and constantly being on call to respond to the latest emergencies.
"What needs to change? The CISO's peers in the business need to understand that cybersecurity risk is a top business risk, not just an IT issue, and they need to allocate higher budgets to support a higher level of staffing in the SOC," he said.
In addition, Neray said that investing in more automation for the SOC will free CISOs and their teams from performing mundane tasks.
"This way, they can direct their human creativity and innovation toward proactive activities like threat hunting and remediating gaps in their defensive posture, rather than always being reactive," he explained.
Darren Guccione, CEO and co-founder at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, added that there is "absolutely no denying" that being a CISO is one of the most difficult and demanding roles in any company.
"The board of directors and fellow business leaders must support their CISO's priorities and needs, particularly when they're faced with a cyberattack or data breach," he said. "Without that support, talented CISOs won't stick around as there are plenty of other job opportunities awaiting them."
Indeed, the BlackFog report noted that recruiting is a challenge globally and that, with stiff competition to attract the best talent, organizations need to address the well-being and work-life balance issues that have persisted across the industry.
Acknowledging CISO Burnout
Sounil Yu, CISO at JupiterOne, a provider of cybersecurity asset management and governance solutions, noted that CISOs face an uncommonly high risk of burnout due to the nature of security work.
"Burnout is more common than most realize," he said. "Acknowledging burnout risks is an important way to be supportive and to let team members know that they are not alone."
Yu pointed out that CISOs cannot personally shoulder the burden of mitigating burnout.
"Instead, CISOs should educate their company's board and fellow executive leaders on security burnout risks and collaborate with HR to improve resources such as employee resource programs, flexible working arrangements and systems of reward and recognition," he said.
John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company, said CISOs are facing the same burnout risk as cybersecurity professionals with one key difference: the CISO is the designated "throat to choke" when things go awry.
"One of the biggest changes to be made in the C-suite to improve the situation for security leaders would be focusing on freeing the CISO to work on strategic issues," he says. "Constant firefighting burns out everyone up and down the ladder. You can handle that with line staff with job rotation, but the CISO needs to have the resources to make their life better overall."
Bambenek added that mandatory PTO that involves someone else tending to the fires while the CISO is gone would help, too.
"PTO where you are still on call isn't PTO," he noted. "It's just working from home."
He explained that organizations that are well-funded should have emerging technology labs where they can explore both new technology and new security tools to help address the challenges CISOs are facing.
"A big part of this problem is threats evolve with rapid changes in technology; security is playing catch-up behind both," Bambenek said.