CISOs have never been more important to organizations than they are today. Threat actors are capitalizing on unprecedented disruption due to economic and geopolitical uncertainty to launch increasingly advanced attacks. Seasoned security leaders bring the requisite depth of experience to ensure their teams have the tools and processes in place to address the latest threats. Additionally, new SEC cyber incident disclosure rules come into effect starting this month. So, organizations must ensure they have adequate security expertise on their board in order to comply with the requirement that they “describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cyber threats.”
The flip side is that CISOs – and their teams – have never been more stressed. Between an overwhelming workload, constant firefighting, technology issues, keeping up with compliance audits, and fear that a compromise will make the headlines, there are many reasons why stress is rampant. In fact, burnout is one of the top reasons CISOs cite for leaving their jobs according to new research by Enterprise Strategy Group (ESG), and 55% of cybersecurity professionals say they experience on-the-job stress at least half the time.
Just when organizations need their security leaders to step up even more, a rising number are considering stepping away. However, a strong consensus has emerged that cybersecurity automation can help break the cycle of burn and churn.
The role of cybersecurity automation
Last year, senior cybersecurity professionals at companies in the U.S., U.K. and Australia were divided on the best way to determine cybersecurity automation ROI. But this year, 61.5% report that ROI is measured by how well they are managing the team in terms of employee satisfaction and retention. Less than half that figure (29%) say ROI is determined by how well the solution is performing in security terms. This points to a signal shift in what organizations view as the “point” of investing in cybersecurity automation – the prime motivation is to improve the experience of employees.
I’ve been talking about the interplay between automation and the human element for years, and it’s been two years since I first used the term balanced automation. When you balance automation so that machines take on the tedious, repetitive tasks that you don’t need your people to do, including time-consuming manual monitoring, identification, triage, and prioritization, you can free up analysts to focus on more interesting and fulfilling work. This is now being proven by the prevailing thinking among CISOs that the value of automation is to remove the pedantic, administrative aspects of security and address the biggest issue they face: high team member churn rates.
Additionally, employee turnover is costly. The standard industry range of 100-200% of an employee’s annual salary in hiring, onboarding, development, and unfilled time is just the beginning when replacing cybersecurity talent. You also lose finely honed skills, institutional knowledge, and team camaraderie that are hard to replace and integral to security efficiency and effectiveness. In a highly competitive and tight labor market, in which there are currently more than 572,000 job openings in the U.S. alone, finding qualified workers takes even longer and can expose the organization to additional risk.
CISOs are speaking up loud and clear. When their teams burn and churn, so do they.
The pressure on executive leadership and boards to retain their security leaders and teams is two-fold: to meet new SEC requirements and to defend against a rising volume and variety of increasingly advanced threats. However, research shows few organizations have security representation at executive levels, much less on their boards. And not a day goes by without news of damaging cyberattacks in the headlines.
Organizations need to listen to their CISOs and start turning to cybersecurity automation for the qualitative benefits of employee satisfaction and well-being. There’s never a good time to lose good people, but especially now, organizations can’t afford to lose the valuable security leaders and analysts they have.