As Pressures Mount on CISOs, Boosting Self-Resilience Takes Priority
By Lucia Milică Stacy, Global Resident CISO, Proofpoint
Chief Information Security Officers (CISOs) have gone through another challenging year. They are grappling with increased expectations from regulators and retail investors to ensure their companies are protected while dealing with a security talent gap and damaging cyber threats. It is no wonder that burnout and mental health issues are growing problems for security leaders. And things will not improve soon.
Many of us joined our profession because we are passionate about cybersecurity and want to make a difference. As security leaders, we see a phenomenal opportunity to improve organizations’ resilience and operations. However, these motivations may no longer be enough to keep many of us in our roles.
Yet, despite this turbulent time, the CISO's work is more important than ever. So, what does this mean for you as a security leader going forward?
If you are stressed and constantly burned out, you cannot be a positive role model for your team or make sound decisions about strengthening your organization’s cybersecurity. To succeed in the role, you need to boost your personal resilience, and you need to support others in the CISO community so they can do the same.
Facing mounting challenges
The job of the CISO has always been draining, but the past year has stretched security leaders’ limits like never before. Concerns about burnout and stress rose to the top. Mental health is a big topic of conversation in CISO circles, albeit behind closed doors.
A public breach can make shareholders question their investment, which in turn lowers the value of the company. CISOs feel that pressure coming from the CFO and from the board as a whole.
Then there is the demand coming from regulators, especially the new transparency rules proposed by the U.S. Securities and Exchange Commission (SEC). The much-needed proposed SEC rule on cybersecurity governance and incident disclosure, which would require companies to describe how their board and management oversee cyber risk, creates anxiety about what it means for the relationship between the CISO and the board of directors, especially since that relationship is already strained. Will the proposed SEC changes help you create allies on the board? And will those newly forged alliances be enough to elevate cyber risk to business risk within your organization? These and other questions cause uncertainty for CISOs.
The increased scrutiny of the CISO role at the regulatory and legal level, as we saw in the U.S. federal court case against Uber’s former security chief, brings even more uncertainty. The Uber verdict has wide-reaching implications for CISOs, setting a dangerous precedent that encourages boards to shift personal liability onto their cybersecurity chiefs.
One potential way to mitigate your personal risk is directors and officers (D&O) insurance, which covers claims arising from how officers and directors discharge three basic fiduciary duties: diligence (care), loyalty, and obedience. (Of course, policies carry limitations and exclusions, typically for fraud, intentional criminal acts, and certain fines and penalties, so a policy will not shield you from the kind of conduct at issue in a criminal prosecution.) One type of D&O coverage, called “Side A,” protects named officers and directors when their company cannot or does not indemnify them. Many organizations make this option available to their CISOs. Before relying on it, check the policy’s definition of “insured person”: a CISO is not always a corporate officer in the legal sense, and if your role is neither named nor covered by that definition, the policy will not respond on your behalf.
It is incredibly important to take the time to recharge. This sounds like a tall order, given the long hours the role demands, but it is not impossible—especially if you make it a priority. Think of it as an integral part of being an effective leader. When you are constantly exhausted and stressed, what kind of example do you set for your team? How well can you communicate if you are always fighting fires? How well can you react and think clearly if a security incident emerges?
Step back and spend time with family. Find quiet moments to unplug by yourself. Making time for yourself will help you become more grounded, personally and professionally. This is one of the best ways to boost your resilience and give yourself the strength you need to cope with the pressure of the job.
In the cybersecurity industry, we have shied away from discussing mental health. It is time to discuss it more candidly with our peers. A strong CISO community that supports its members can go a long way in overcoming the stigma of mental health issues.
It is important to create safe spaces for your team and to encourage open conversations and more transparency about mental health. Your team members are just as burned out and stressed as you are, particularly if your organization faces the same talent gap that is prevalent across the industry, which forces your team to do a lot more with fewer resources.
Forrester even predicts that the long hours of the job will end with security workers reporting unsafe working conditions to regulators. The onus is on you to make your team’s wellbeing a priority. Creating a supportive environment will also help with talent retention, easing some of the burden you carry as a leader because of the worker shortage.
Forging alliances with board members
Strengthening your relationships with your board and investors will also help you get the support you and your team need for the job. Instead of waiting for your directors to start the cybersecurity conversation, look for opportunities to find allies and drive the dialogue yourself. If you take the time to understand your directors’ experiences and priorities as well as their personalities and desires, you can put yourself in their shoes and speak their language better.
This proactive approach takes a lot more time and effort but will pay dividends for you in the long term. It is much easier to reach agreement when the board has a better understanding of cybersecurity and of what your organization faces, and that understanding helps you build trust and a successful working relationship. While doing so will not cure all your stress, it will certainly take some weight off your shoulders.
The CISO job was never easy, and it looks a lot less appealing when you add liability and criminal responsibility to the high pressure, the on-call hours, and the stress. But if you still believe in making a difference and creating a positive impact in the industry, you can be your own advocate and drive your success.
Part of your job is to work with your board and executive team so that together you enable the business to grow securely. But boosting your self-resilience is an equally important aspect of the job. This, too, cannot be done in a vacuum: the stronger your relationships with your board and your executives, the better you can help them understand the challenges you face and the support they can provide to you and your team.
With over 20 years of experience as a senior technology leader, Lucia Milică Stacy is the global resident chief information security officer (CISO) for Proofpoint. Organizations worldwide rely on her guidance to build effective cybersecurity programs and combat today’s toughest threats. Prior to Proofpoint, she served as Polycom’s chief information security officer and chief privacy officer. Her leadership and technical roles have spanned IT governance and strategy, security risk and compliance, corporate security, data privacy, and IT infrastructure at companies including HP, Palm, Wells Fargo, and Franklin Templeton.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.