A tougher balancing act in 2024, the year of the CISO

At the end of last year, I wrote that 2024 would go down as “the year of the CISO.” This affirmation wasn’t a CISO celebration. Rather, legal concerns, compliance requirements, board-level scrutiny, and continual job stress will make 2024 a challenging year for CISOs — so much so that some CISOs may simply declare “no mas” and seek out a more peaceful career path.

I’ve received a lot of feedback on this blog, much of it from CISOs who agreed with my perspective. Some asked for more data on why I came to my conclusion. While I formulated this thesis based on lots of one-on-one anecdotal conversations with CISO friends, I also reviewed some data from the Life and Times of Cybersecurity Professionals v6 research from ESG and the Information Systems Security Association (ISSA) International.

According to that research, 63% of cybersecurity professionals believe that working as a cybersecurity professional is more difficult today than it was two years ago. Similarly, 62% of CISOs shared this opinion, but there was a slight difference: nearly one-third (32%) of CISOs claimed that working as a cybersecurity professional was much more difficult than two years ago, compared with 26% of non-CISOs.

What’s making things more difficult for CISOs? The ESG/ISSA data indicates that business aspects of running a cybersecurity program like working with the board, overseeing regulatory compliance, and managing a budget are primary contributing factors. This makes sense as the CISO role has evolved from technical overseer to business executive over the past few years. At the same time, organizations have increased their dependence on IT for automation, optimization, customer service, and digital transformation.

In aggregate, the CISO role is expanding within business strategy and enablement, while it’s increasingly difficult to accomplish core tasks like managing cyber risks, detecting threats, and responding to incidents. Not quite “mission impossible,” but moving in that direction.

CISOs tend to be satisfied with their jobs

Despite the growing difficulties and job scope, most CISOs (82%) remain satisfied with their current jobs, slightly more so than non-CISO respondents (79%). Since CISOs tend to be more senior than other security professionals, they may have learned to be more proficient at managing stress, their careers, and job expectations than their non-CISO counterparts.

While CISOs may feel general job satisfaction, they do have different job fulfillment criteria than other cybersecurity professionals. For example, CISOs attribute satisfaction to business management’s commitment to cybersecurity, as well as the ability to work closely with business units and attain a competitive salary. Alternatively (and not surprisingly), non-CISOs attain job satisfaction when their organization provides opportunities for career advancement.

Once again, this illustrates the business aspects of a CISO role. These individuals measure their own performance based on their ability to support and protect the business, and on the business’s commitment to strong cybersecurity. If either of these things isn’t present, CISOs will either brood or (more likely) run for the exit door.

CISO job stresses

Despite CISO job satisfaction, the data clearly indicates that this position includes an unhealthy dose of on-the-job stress. In fact, 62% of CISOs claim that their job is stressful at least half the time. While non-CISOs are also stressed (another alarming trend), 51% claimed that their job is stressful half the time, further illustrating the pronounced pressure associated with a CISO position.

Like their non-CISO colleagues, CISOs are particularly stressed by things like an overwhelming workload, working with disinterested business managers, and keeping up with the security requirements of new business initiatives. It’s worth noting that 26% of CISOs are also stressed about monitoring the security status of third parties their organization does business with (e.g., suppliers, business partners, customers), compared with 12% of non-CISOs.

Third-party relationships are often associated with business processes (e.g., suppliers, contractors, outsourced partners) and therefore tied closely with business units. Unfortunately, security teams probably don’t have deep visibility into the day-to-day security performance at these firms. This mix of business criticality combined with a lack of continuous oversight appears to create a recipe for CISO angst.

An overwhelming workload, job stress, and expanding responsibilities seem to lead to an inevitable result: 36% of CISOs say it is very likely or likely that they will leave their current job within the next year, compared with 26% of non-CISOs. Yes, some CISOs will seek other employers, but nearly half (46%) have considered leaving cybersecurity altogether, compared with 28% of non-CISOs. Why would CISOs move on from cybersecurity? As I mentioned in my previous blog, 65% say they have considered a departure due to the high stress associated with a cybersecurity job, 43% claim they are frustrated because their organization doesn’t take cybersecurity seriously, and 39% say they are close to retirement age and will leave the cybersecurity profession upon retirement.

CEOs and corporate boards should take note here: CISO attrition can be highly disruptive, leading to competition for new candidates and lengthy vacancies. Once hired, new CISOs need to assess security status and develop new security programs. During these periods of uncertainty, cyber-risk tends to escalate while rudderless cybersecurity teams become disenfranchised from and disillusioned with their organizations.

Balancing act getting harder for CISOs

The ESG/ISSA research reveals that the CISO balancing act is getting increasingly difficult as CISOs strive to walk the tightrope between business operations, regulatory compliance, and keeping their organizations safe. Despite professional and emotional challenges, most CISOs remain satisfied with their careers, illustrating their unwavering commitment to the cybersecurity mission.

While CISO devotion is evident in the research, executives and corporate boards must not take this commitment for granted. The research highlights that a CISO position is quite stressful, causing many security executives to change jobs or leave the profession. While CISOs strive to get closer to the business, many are still rebuked or attain marginal support from executives and the board. It’s also worth repeating that more than half of CISOs surveyed have worked as cybersecurity professionals for more than 20 years and may be reaching retirement age soon.

Executives and board members must reassess their thinking about the CISO position, moving beyond performance metrics alone to assess relationships, reporting structures, resources, workloads, and the mental health of the CISO. Given the ESG/ISSA research, new CISOs are likely to become rare and expensive individuals moving forward. Therefore, it’s better to optimize a current CISO’s effectiveness (assuming he or she is doing a good job) than to try to break in a new one every two to three years.
