The modern day CISO spends approximately 1.5 years filling the role before moving on to another endeavour. This short tenure is in stark contrast to the average duration of a CEO, who spends nearly 9 years in the role, and a CFO, who lasts 6 years at a company. These numbers speak volumes and point to a larger, uncomfortable trend.
To add to these daunting figures, CISOs are now under more pressure than ever before, as organisations spanning all sizes and sectors are now forced to conduct business remotely as a result of the Covid-19 pandemic. In fact, between February 4, 2020 and April 7, 2020, we’ve seen an estimated 70 per cent increase in remote work. Some employees who have never worked from home before are now doing so on a daily basis, creating a greater attack surface for cybercriminals, as well as immense stress for CISOs and their notoriously short-staffed security teams.
Let’s take a closer look at the running list of responsibilities facing today’s CISOs, as well as how we, as industry peers and colleagues, can help alleviate the pressures.
Mounting security challenges
During a “normal” time period, when CISOs come to work each day, there’s a long list of issues to face. But during a global pandemic, this list becomes never ending, as sophisticated cybercriminals capitalise on remote work, public fear as well as a major world event affecting us all. Recent attack data from the VMware Carbon Black Cloud found that in March 2020, ransomware attacks increased 148 per cent over baseline levels from the previous month, with spikes occurring during key moments in the Covid-19 news cycle, such as when the U.S. announced its first Covid-19 case or on the day multiple U.S. states declared public health emergencies. These spikes suggest attackers are being nefariously opportunistic and leveraging breaking news to take advantage of vulnerable populations.
In addition to opportunistic scams, CISOs are also forced to defend against increasingly sophisticated cyberattacks that are often fuelled by geopolitical tension and carried out by clever techniques such as lateral movement, island hopping and counter incident response in order to stay invisible. These sophisticated tactics have caused more organisations to fall victim to a cyberattack, with 88 per cent saying they’ve suffered one or more breaches in 2019 alone. What was once a question of if organisations will get attacked, has now become a matter of when the attack will happen, causing increased stress and anxiety throughout all departments.
But cybercriminals aren’t the only stressors facing CISOs, specifically. This role is also managing an accelerated rate of evolving business technology as organisations dive head first into digital transformation, often without knowing where to begin. CISOs are also the ones tasked with understanding the constantly evolving global and regional regulatory environment, with GDPR, CCPA and other legislation causing severe internal confusion. Add to this the fact that everyone within an organisation thinks they’re an expert in security, and you have a recipe for disaster -- a burnt out, overly stressed CISO during a time when the role is needed most. As industry peers, it’s time to step in before things get worse.
How we can help
With 60 per cent of CISOs admitting they rarely disconnect from work, and 88 per cent working more than 40 hours per week, mental health is all too often ignored. As a result, nearly 17 per cent of CISOs are either medicating or using alcohol to deal with the job stress. It’s time to stop overlooking this uncomfortable situation, and instead, asking -- how can we help?
Other business leaders and functions can help play a great part in relieving the CISO’s stress. For example, when it’s time to allocate the annual budget, understand that the CISO’s team needs a significant amount of financial support to ensure security teams have the right tools, talent and resources to protect the organisation at large. Sacrifice asking for extra budget, and instead, lend it to the CISO’s business unit. If that isn’t an option, then think to help by tapping your network. Do you know anyone who would be a great addition to a very busy security team? Reach out and try to bring them in to support the CISO’s team. In another instance, proactively, and regularly, check in with the CISO to ask -- how can I help improve security across my specific team? How can I help you? What are you seeing across the business that I can help raise awareness of? How are you doing?
Everyone in the organisation -- from the CEO to the seasonal intern -- should understand that security is everyone’s responsibility. Oftentimes, we place it all on the CISO’s shoulders, and blame them when an employee accidentally clicks on a malicious link or downloads a problematic file. Let’s start taking responsibility for our actions, and increase our vigilance now more than ever before. Regular cybersecurity training can help educate all employees, especially now when cybercriminals are capitalising on the Covid-19 pandemic, but only when responsibility is taken, can security best practices truly be enforced.
Additionally, and it’s easier said than done, but CISOs need a mindset shift. If traditional strategy isn’t working, it’s time to change it. For example, let’s stop opting into annual legacy technology subscriptions if they’ve proven to be ineffective. Alternatively, if the organisation is overspending on technology with all the bells and whistles, and it’s also not doing the job, it’s time to cancel. Take a step back and understand where the true issue lies, and work from there to resolve it -- even if it requires change.
Lastly, it’s time to remind ourselves that ‘perfect’ just doesn't exist in any aspect of life, both personally and professionally. Failure often leads to success; testing a new way to solve a problem is in fact a good thing; and we should never be afraid to explore other options if our first option isn’t working. The battle against adversaries is never-ending, and we need our CISOs to be less stressed in order to win. Are you with me in lending a helping hand?
Rick McElroy, Principal Security Strategist, VMware Carbon Black