Average tenure of a CISO is just 26 months due to high stress and burnout
Chief Information Security Officers (CISOs, or CSOs) across the industry are reporting high levels of stress.
Many say the heightened stress levels has led to mental and physical health issues, relationship problems, medication and alcohol abuse, and in some cases, an eventual burnout, resulting in an average 26-month tenure before CISOs find new employment.
The numbers, reported by Nominet, represent a growing issue that's been commonly acknowledged, but mostly ignored across the information security (infosec) community, but one that is slowly starting to rear its ugly head as once-ignored infosec roles are becoming more prominent inside today's companies.
Survey results
Today, many companies are adopting CISO roles. The constant threat of hacks, ransomware, phishing, and online scams makes establishing a cyber-security department in any company a unavoidable decision.
However, most companies are not ready to embed CISOs into their company culture and day-to-day operations.
Today, CISO jobs come with low budgets, long working hours, a lack of power on executive boards, a diminishing pool of trained professionals they can hire, but also a constant stress of not having done enough to secure the company's infrastructure against cyber-attacks, continuous pressure due to newly arising threats, and little thanks for the good work done, but all the blame if everything goes wrong.
Across the years, many CISOs have often pointed out the problems with their jobs and the stress and damage they inflict. However, there has been no conclusive study to support broad assertations.
In November 2019, internet and DNS security firm Nominet surveyed 800 CISOs and executives from companies in the US and UK in order to put the topic to bed and discover how much of a role stress plays for CISOs across the industry.
The survey's results paint a gloomy picture about one of today's most in-demand jobs. According to the numbers:
- 88% of CISOs reported being "moderately or tremendously stressed"
- 48% of CISOs said work stress has had a detrimental impact on their mental health
- 40% of CISOs said that their stress levels had affected their relationships with their partners or children
- 32% said that their job stress levels had repercussions on their marriage or romantic relationships
- 32% said that their stress levels had affected their personal friendships
- 23% of CISOs said they turned to medication or alcohol
"Even when they are not at work many CISOs feel unable to switch off," Nominet said. "As a result, CISOs reported missing family birthdays, holiday, weddings and even funerals.
"They're also not taking their annual leave, sick days, or time for doctor appointments - contributing to physical and mental health problems."
Nominet said that investigating the causes of CISO stress, they found that almost all CISOs were working beyond their contracted hours, by an average of 10 hours of extra-time per week.
Furthermore, many were under pressure from their boards. Almost a quarter of interviewed CISOs said boards didn't accept or understand that "breaches are inevitable" and said they'd hold them personally accountable for any security incidents.
Nominet said that 29% of CISOs who answered the survey said they'd be fired in the event of a breach, while 20% said they'd be fired anyway, even if they were responsible or not.
The answers explain why most CISOs don't last in their jobs more than 26 months, and why 90% of surveyed CISO were willing to take pay cuts if they could reduce stress levels.
Nominet said CISOs were willing to give up on $9,642 per year, on average, just to be reduce stress levels and improve their work-life balance -- which many CISOs said they had problems with.
An growing industry problem, not just CISOs
Nominet's numbers are staggering for someone looking from the outside, but not for professionals working in the field
The Nominet study only surveyed high-ranking CISO executive jobs, but the problem is widespread across the industry. Infosec -- or cyber-security -- has a habit of grinding through employees due to the rigors of the job.
Low-level infosec positions, like threat analyst or penetration tester, are just as bad in terms of stress level, if not worse, primarily for the same reasons -- constant fear of new incoming attacks, long-working hours, low pay, almost no job satisfaction.
In the infosec community, signs of the growing problem of stress and burnout leading to mental health issues have been mounting in recent years, at least for those with the eyes to spot the problem.
The topic has regularly popped up on social media, but has also been recently discussed in numerous blog posts, podcasts, and even security conferences.
mental health issues abound in #infosec... you are not alone and you're not a weirdo. reach out and ask for help <3 #WorldMentalHealthDay
— cje (@caseyjohnellis) October 11, 2016
Mental health in InfoSec is an industry problem. In so many ways.. the least of which is the culture demanding untenable hours in the pursuit and service of a company that doesn't reward you in kind.
— Sciuridae Hero (@attritionorg) November 22, 2019
I'll be sharing more on mental health issues, personally, soon.
Currently, there are efforts underway to raise awareness about infosec job stress levels, burnouts, along with the mental health issues arising from ignoring the first two.
Prominent among these efforts is Mental Health Hackers, an online community that has been attending cybersecurity conferences on a regular basis in order to raise awareness on the topic.