Why the CISO role is so demanding – and how leaders can help
Battling decreasing budgets and stressful working patterns, those in the CISO role need support and space to communicate to do their jobs well
In today’s tech sector, getting the most out of the role of chief information security officer (CISO) means overcoming a number of challenges. CISOs often face low job satisfaction driven by mounting job demands, poor c-suite collaboration, and stressful working patterns.
The CISO role is not easy. In 2024, it involves tackling decreasing budgets while facing an evolving attack surface and complex regulatory landscape. On top of all this, CISOs are expected to communicate with their CEOs about the importance of cyber security to the company.
The share of CISOs satisfied with their job has dropped by 10 points to 64%, according to consultant IAN Research’s State of the CISO report, with the majority feeling overworked and under-supported.
So what should firms do to get the most out of CISOs already working in the business?
The changing CISO role
There’s no doubt the CISO role is changing. It has evolved from being a “peripheral function solely within IT departments” to a “central and highly accountable business leader position”, says Quentyn Taylor, director of information security at Canon EMEA.
Yet at the same time, CISOs are having to deal with an expanding threat landscape, often with shrinking budgets. This is “not a happy combination”, says Paul Lewis, the CISO of Nominet.
Increased regulation and governance have also impacted the way CISOs work. The risk of holding the CISO position has never been higher, with security leaders being scrutinized for personal liability in security breaches, Lewis points out.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Amid all this added responsibility it’s no wonder that CISOs are under strain and burning out. “Previously, the role was less regulated and carried fewer consequences. However, today's CISOs are expected to bear the responsibility for defending the entire company against a growing array of cyber threats.”
The story of former Uber security chief Joseph Sullivan – who was sentenced to three years’ probation by the US Department of Justice for helping to cover up a 2016 security breach – is “a great example” of the increased pressure faced by CISOs, says Taylor. “The case was the first time the Department of Justice had prosecuted an executive for the handling of a data breach, highlighting the increased scrutiny on CISOs.”
Taylor adds that the shift to assuming a business-defining role has meant that many CISOs have acquired “hero syndrome”. This sees them placing an undue burden on themselves to ensure every possible security incident is detected and eliminated. “Moreover, while some CISOs lack direct representation on the board, they still bear significant responsibility, further exacerbating their stress levels.”
Relationship between the CISO role and C-suite
The changing role of the CISO means security leaders are in closer contact with the board. The relationship between CISOs and the board only thrives when there is a clear understanding of the CISO’s role and responsibilities, says Taylor.
It can be relatively straightforward to set up a positive CISO-board relationship, says Chris Evans, CISO at HackerOne. He explains how HackerOne has a dedicated subcommittee of the board devoted to cyber and tech risk. “This committee meets regularly and reports to the full board. In addition, the CISO reports directly to the full board on a less regular cadence.”
Those holding the CISO role should be trusted by their company’s board to provide accurate insight into security threats. At the same time, the board should take necessary action based on that data, says Brian Jack, CISO at KnowBe4. He calls recent creations of a cyber committee or similar board sub-committee focused on security “a great step in the right direction”.
The ideal CISO-board relationship should be one of “collaboration and mutual understanding”, says Taylor. “Importantly, the board needs to understand that CISOs cannot prevent every cyber security threat. Instead, CISOs should be judged on how they handle a crisis – this will reveal their true benefit to the company.”
Additionally, firms can reorganize by ensuring that the CISO’s role and responsibilities are clearly defined and communicated to all stakeholders, including the board, says Taylor. “The role of the CISO must not be underestimated, and they must be provided with the right tools and support. Integrating the CISO into strategic decision-making processes from the start and providing direct access to the board can enhance communication and align objectives.”
CISOs, in turn, must be transparent with their communications. A recent study by Dynatrace found that C-suite colleagues feel CISOs should cut down on jargon so that those without technical know-how in the boardroom can still be appraised of cyber threats.
What CISOs need from the business
CISOs need all the help and support from the business they can get, particularly in those darkest moments during a hectic cyber incident, says Ian Thornton-Trump, CISO at Cyjax. “It’s all hands on deck to get the company from crisis back to business as usual – that must be the permanent mindset.”
As a CISO himself, Thornton-Trump says the main thing he focuses on is finding the experts he needs in a crisis. “That’s all about building relationships inside and outside the business,” he says.
“Sometimes, it leads to new opportunities, but while you hold the position in your organization as a CISO, your job is to be prepared for the worst by making incremental security improvements every day.”
One crucial aspect that CISOs often need from the company is education on how the business operates and the essential terminology used, says Greg Day, VP and global field CISO at Cybereason. “This knowledge empowers CISOs to align their cyber security strategy accordingly and communicate it effectively within a business context.”
Additionally, he says it's essential to emphasize the significance of robust collaboration skills. “CISOs must be able to work seamlessly across the entire business ecosystem.”
Security culture needs to change. The expectation to prevent every security breach is unrealistic, and CISOs are realising the need to shift their focus towards resilience rather than solely focusing on prevention, says Taylor.
Yet CISOs require support and buy-in from business leaders to effectively fulfill their role and enhance the organization’s overall security posture, says Taylor. “By cultivating a culture of trust and humility within the organization, CISOs will be empowered to effectively collaborate with stakeholders and implement security measures that align with business objectives.”
Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.