The Chief Information Security Officer (CISO) burnout landscape

A study by ISC2 reveals that 73% of CISOs in the U.S. reported experiencing burnout over the past year, based on a survey conducted by security firm Proofpoint involving 1,600 cybersecurity leaders across 16 countries.

According to Proofpoint’s recent Voice of the CISO report  61% of CISOs said they face excessive expectations from their employers, up from 49% in 2022. Many CISOs need to continue to defend their companies with stretched resources. Sixty-two percent of cyber leaders said they are concerned about personal liability related to a cyberattack on their company as legal and regulatory pressures grow.

 The Emotional Causes 

Even in other mission-critical IT functions, executives felt that they could have a work-life balance unless there was a crisis. Given that there is an ongoing arms war between bad actors and healthcare enterprises, the luxury of downtime is non-existent. As in military battlefields, the enemy doesn’t take holidays, so the defenders don’t have that luxury as well. 

 Add to this, unlike other industries, healthcare operates in a “do no time” mentality given that breaches could quite literally have life and death effects in addition to the privacy implications.  

The Business Case Causes

Most cybersecurity leaders admit that it’s not a matter of if you will be subject to attack, but when it will happen. Technology can only go so far in fortifying data. But CISO’s spend considerable time convincing the finance suite that investment is critical for business continuity purposes. Despite these arguments many CFOs are looking for an empirical return on this investment and in some cases looking for how cyber investment can increase profits.  

 CISOs are in the unenviable position of showing how breaches have cost other providers millions in ransom but not being able to model how significant investment would reduce risk from a quantitative perspective.   

Reducing CISO Burnout

At times because of the nature of their work and the stereotype that security experts are “tougher,” many of these critical executives might not get the same emotional support as frontline workers and physicians. It Is imperative that all the same preventative mental health services are being applied to CISO’s as they are to medical staff. 

As mentioned above one of the greatest challenges is assuring decompression time, so that cybersecurity teams can untether from alerts and smaller breach instances. This is not unlike the challenges of having doctors reduce “pajama time” where patient records are being updated in bed late at night.  

The technologies used to track excessive pajama time should be deployed to do the same with the cybersecurity team.  

All these burnout reduction strategies must be driven by senior leadership, including burnout within that community.