Cybersecurity Leaders Suffer Burnout as Pressures of the Job Intensify


Relentless cyberattacks and pressure to fix security gaps despite budget constraints are raising the stress levels of corporate cyber leaders and their worries about personal liability, a growing concern since the criminal case against

Uber Technologies

’ former security chief.

Hacks on companies’ IT systems often come with business disruptions, reputational damage, regulatory investigations and lawsuits. Chief information security officers must manage cybersecurity risks and, at the same time, educate C-suite colleagues and the board. Three in four CISOs in the U.S. report feeling burned out, according to one survey, putting them at risk of quitting. 

“This role has always been on an island. There hasn’t been a lot of support there,” said Curtis Simpson, chief information security officer at Armis Security, a cybersecurity company. 

At his previous job as a CISO at a large foodservices company, Simpson said he frequently worked 80-hour weeks and missed family birthdays and other personal commitments. 

For years, many executives showed little interest in cybersecurity, but the Covid-19 pandemic was a wake-up call as companies quickly moved to remote work and required extra security protections for employees at home, he said. 

After putting some technology projects and acquisitions on hold during the pandemic, many companies are now moving on certain tech initiatives and acquisitions that require the attention of CISOs, adding more responsibilities to their plates, Simpson said. “The person that was already tired through the pandemic, got burned out during the pandemic, is now being told to run faster than ever,” he said.

Seventy-three percent of CISOs in the U.S. said they had experienced burnout in the past 12 months, according to a survey of 1,600 cyber leaders across 16 countries, carried out by security firm Proofpoint. Sixty percent of all the CISOs surveyed said they had experienced burnout in the past year.  

Potential liability risks related to a cyberattack have become a growing worry for some CISOs. Two or three years ago, around 25% of candidates for the job asked about being under the insurance policy of a company director or corporate officer, but now almost all candidates ask for it, said Michael Piacente, managing partner at Hitch Partners, a cybersecurity-focused recruitment company. 

Directors and officers’ insurance policies protect people in senior management roles from personal losses if they are sued as a result of a decision they made on the job. Around 42% of publicly traded companies granted CISOs’ requests to be under the D&O insurance in 2022, up 5% from 2021, according to a Hitch Partners’ survey last month of around 637 U.S. cybersecurity leaders. 

“It stems from this balance of having high stress, pressure on what is an expanding and more complex attack surface,” Piacente said. 

LinkedIn Chief Information Security Officer Geoff Belknap at last year’s Reuters Momentum event, Reuters’s flagship AI Summit, in Austin, Texas.



Photo:

SPENCER SELVIDGE/REUTERS

The fallout from budget and staffing constraints is more serious and stressful for cybersecurity leaders even if similar limitations apply to every department, said

Geoff Belknap,

CISO at LinkedIn. 

“In security, if you don’t handle your constraints well, what you’re potentially looking at is your brand is significantly damaged, your customers are at risk,” he said. 

Around 61% of CISOs said they face excessive expectations from their employers, up from 49% in 2022. Many CISOs need to continue to defend their companies with stretched resources. Sixty-two percent of cyber leaders said they are concerned about personal liability related to a cyberattack on their company as legal and regulatory pressures grow. 

The recent legal case against former Uber Chief Security Officer Joe Sullivan, charged with obstruction of justice, has heightened awareness among CISOs about their own accountability. A federal judge sentenced Sullivan on May 4 to three years of probation and ordered him to pay a fine of $50,000 for failing to report a 2016 data breach to the Federal Trade Commission.

Current and former security chiefs wrote letters of support for Sullivan to the court, expressing concern that his conviction might cause CISOs to fear regulatory scrutiny and therefore go overboard in disclosing cyber incidents. 

Among the CISOs that Hitch Partners’ Piacente interviewed recently, around three-quarters of the ones looking for new jobs said they were experiencing significant stress or burnout at their current workplace, he said. The respondents told Piacente that they want more support from their next employer and are seeking to join companies that care about cybersecurity beyond complying with baseline requirements. 

The increased stress is leading a lot of cybersecurity leaders to leave jobs managing security and to move into positions at cybersecurity companies, roles advising firms on security or posts at venture-capital firms, said Lucia Milică Stacy, global resident CISO at cybersecurity firm Proofpoint. 

“They’re more and more focused on life after CISO,” she said.

Jerry Perullo, founder of cybersecurity advisory firm Adversarial Risk Management and former CISO at Intercontinental Exchange.



Photo:

INTERCONTINENTAL EXCHANGE

Tools such as OpenAI’s ChatGPT bot are a special challenge. CISOs must figure out which employees are using such tools, bearing in mind that most employees won’t consider the security risks that come with the new technology, said Patrick Gaul, executive director of the National Technology Security Coalition, an advocacy group of chief information security officers.

RELX,

parent of publisher Elsevier and information service LexisNexis, is drafting rules outlining how employees may use ChatGPT as the company explores how to use the technology. 

Companies experimenting with or rolling out products that use ChatGPT have cautioned employees about risks involving data leaks and privacy. “CISOs can’t be seen as barriers to progress,” Gaul said.

Corporate bureaucracy causes stress for cyber leaders, said Jerry Perullo, who retired last year as CISO of

Intercontinental Exchange.

CISOs see resistance to their requests because executives often don’t understand cyber risks sufficiently, said Perullo, founder of cybersecurity advisory firm Adversarial Risk Management.

“Every decision has to be second-guessed and third-guessed, potentially by people with less subject matter knowledge,” he said.

Write to Catherine Stupp at catherine.stupp@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8



Source link