Blog
CISO Stress and Tenure – Looking Beyond the Numbers
Being a CISO can be stressful. That should come as no surprise. According to a new report, the stress is bad enough to cause health issues and personal relationship crises, and on average, CISOs stay in each job for just 26 months.
The CISO Stress Report by Nominet , a U.K. domain registry, reveals that 95% of CISOs work longer hours than they are contracted for and 88% are “moderately or tremendously stressed.”
While CISOs are undoubtedly under a lot of pressure, it’s important to not paint all of cybersecurity with the same brush, and to draw a distinction between job stressors and job dissatisfaction. The two are not always synonymous. In fact, the 2019 (ISC)2 Cybersecurity Workforce Study found that a majority of cybersecurity professionals (68%) are at least somewhat satisfied with their jobs, while only 19% are dissatisfied.
Easing the Stress
Nominet suggests that a better working relationship with the board would improve the CISO’s role. This would start with a recognition of the stress that CISOs are experiencing. “The causes of CISO stress – poor work-life balance, overbearing responsibility for security breaches, and a lack of support – are within the C-Suite’s power to change.”
Nominet’s recommendation for a better working relationship between CISOs and their boards is supported by (ISC)2’s own research. (ISC)2 studies over the years have shown that a strong culture of support for cybersecurity efforts goes a long way to not just protecting an organization but also elevating satisfaction levels in the cybersecurity team. Companies with C-suites and boards that support their cybersecurity teams and demonstrate an understanding of their job challenges are more likely to see less turnover in those teams.
Creating a strong cybersecurity culture entails, among other things, recognizing the value of CISOs and their teams. That means treating them as experts who can lead projects and serve as respected advisors to executives and rank-and-file employees.
Organizations can also boost satisfaction by creating a clear, rewarding career path for cybersecurity professionals. The 2019 (ISC)2 Cybersecurity Workforce Study also found that 84% of cybersecurity workers “are where they expected to be in their careers, given their skills and experience.” Satisfaction with their achievements helps employees remain in their positions.
Another strong contributor to job satisfaction and retention is help with training and certification costs. 58% of (ISC)2 study respondents say their employer pays for at least some portion of their cybersecurity certification process. Those “whose organizations pick up that tab display significantly higher job satisfaction rates,” with 72% saying they are very or somewhat satisfied with their jobs.
So while stress certainly exists in cybersecurity, the picture isn’t quite as bleak as some may make it out to be. An organization that properly supports the entire cybersecurity team is likely to see the overall stress level decline. And that could help extend the tenure of the CISO, eliminating the need to bring someone new up to speed on cybersecurity and company culture every couple of years.