Late last year, I wrote that 2024 would be the “year of the CISO.” This affirmation was not meant to celebrate the CISO. Rather, 2024 will be a difficult year for CISOs due to legal concerns, compliance requirements, board-level oversight, and ongoing job stress. As such, some CISOs may simply declare “no mas” and seek a more peaceful career path.
I received a lot of feedback on this blog, much of it from CISOs who agreed with my views. Some people asked for more data on why I came to this conclusion. I based this on numerous anecdotal conversations with CISO friends, but also considered the following data: the ESG and Information System Security Association (ISSA) International research, The life and times of a cybersecurity expert v6.
According to the survey, 63% of cybersecurity professionals believe it is more difficult to work as a cybersecurity professional today than it was two years ago. Similarly, 62% of CISOs shared this opinion, with a slight difference: nearly a third (32%) of CISOs claim that working as a cybersecurity professional has become much more difficult than it was two years ago.
What makes things even more difficult for CISOs? ESG/ISSA data shows that it is primarily driven by the business aspects of running a cybersecurity program, such as working with the board, overseeing regulatory compliance, and managing budgets. This is not surprising given that over the past few years the CISO’s role has evolved from technical oversight to executive leadership. At the same time, organizations are increasingly relying on IT for automation, optimization, customer service, and digital transformation.
Overall, the CISO’s role is expanding within business strategy and enablement, but core tasks such as managing cyber risk, detecting threats, and responding to incidents are becoming increasingly difficult to accomplish. It’s not quite “Mission Impossible,” but it’s moving in that direction.
CISOs tend to be satisfied with their jobs
Despite the increased challenges and scope of their job, most CISOs (82%) are satisfied with their current job, slightly more satisfied than non-CISO respondents (79%). Because CISOs tend to be more senior than other security professionals, they may have learned how to manage stress, careers, and work expectations more skillfully than non-CISOs.
While CISOs may generally find job satisfaction, they have different standards of accomplishment than other cybersecurity professionals. For example, CISOs attribute satisfaction to company leadership’s commitment to cybersecurity and their ability to work closely with business units and earn competitive salaries. Alternatively (and not surprisingly), non-CISOs are more satisfied with their jobs when their organizations offer career advancement opportunities.
Again, this illustrates the business side of the CISO role. These individuals measure their performance based on their ability to support and protect the business and the company’s commitment to strong cybersecurity. If either of these isn’t present, the CISO will be left pondering or (perhaps) running for the exit door.
CISO job stress
Despite CISO job satisfaction, the data clearly shows that the position involves an unhealthy amount of job stress. In fact, 62% of CISOs claim that at least half of their job is stressful. Non-CISOs are also stressed (another worrying trend), with 51% claiming that half of their job is stressful, but the comparison shows the significant pressure that comes with the CISO position.
Like their non-CISO colleagues, CISOs are especially stressed by overwhelming workloads, working with uninterested business managers, and meeting the security requirements of new business initiatives. It’s worth noting that 26% of CISOs also feel stressed about monitoring the security status of third parties their organization does business with, such as suppliers, business partners, and customers, compared to 12% of non-CISOs.
Third-party relationships are often tied to business processes (suppliers, contractors, outsourcing partners, etc.) and therefore closely tied to business units. Unfortunately, your security team likely doesn’t have detailed visibility into the day-to-day security performance of these companies. The combination of business criticality and lack of continuous monitoring appears to be the cause of CISO anxiety.
Overwhelming workloads, job stress, and increased responsibilities seem to lead to inevitable consequences. 36% of CISOs say they are very likely or likely to leave their current job within the next year, compared to 26% of non-CISOs. Yes, some CISOs will look for other employers, but nearly half (46%) are considering leaving cybersecurity altogether, compared to 28% of non-CISOs. Why are CISOs leaving cybersecurity? As mentioned in our previous blog, 65% said they had considered quitting due to the high stress associated with cybersecurity work, 43% say they’re frustrated because their organization doesn’t take cybersecurity seriously, and 39% say they will soon reach retirement age and will leave the cybersecurity profession upon retirement.
CEOs and corporate boards should take note here. CISO attrition can be extremely disruptive, leading to competition for new candidates and long-term vacancies. Once hired, a new CISO must assess the security landscape and develop a new security program. During times of uncertainty like these, cyber risks tend to increase while rudderless cybersecurity teams become disenfranchised and disillusioned with their organizations.
Balancing is becoming increasingly difficult for CISOs
ESG/ISSA research reveals that balancing is becoming increasingly difficult for CISOs as they strive to walk a tightrope between business operations, regulatory compliance, and keeping their organizations safe. Despite the professional and emotional challenges, most CISOs are satisfied with their careers, which demonstrates their unwavering commitment to the cybersecurity mission.
Research shows the dedication of CISOs, but executives and boards must not take this commitment for granted. This study highlights that the CISO job is extremely stressful, causing many security executives to change jobs or leave the job. Although CISOs strive to be closer to the business, many CISOs are still reprimanded or receive little support from management or the board of directors. It’s also worth reiterating that more than half of the CISOs surveyed have been working as cybersecurity professionals for more than 20 years and may soon reach retirement age.
Executives and board members need to reevaluate how they think about the CISO position and look beyond performance metrics alone to evaluate the CISO’s relationships, reporting structure, resources, workload, and mental health. Given the ESG/ISSA research, new CISOs may become rare and expensive in the future. Therefore, it would be better (assuming the CISO is doing the job properly) to optimize the effectiveness of the current CISO than to bring in a new CISO every 2-3 years.