
CISOs Suffering From Increasingly Complex Workload: Cisco

Growing Complexity of Managing Enterprise Cybersecurity is Increasing CISO Fatigue and Burnout

A CISO’s life is complex, with business transformation, cloud adoption, working from home and use of mobile devices, and sometimes just too many solutions. Many see automation and AI as a partial solution.

The annual Cisco CISO benchmark report (PDF) examines what it means to be a CISO today by surveying 2,800 IT decision makers, and discussing issues with a panel of CISOs. The 2020 report found the growing complexity of managing corporate cybersecurity is increasing fatigue and burnout among CISOs. Worryingly, 42% of respondents defined cybersecurity fatigue as virtually giving up on proactively defending against malicious actors. Ninety-six percent said that the complexity of managing a multi-vendor environment is a major contributor to this fatigue.

This is not the first time that having too many solutions has been highlighted as possibly counter-productive. In November 2019, a Forrester Tanium report suggested that too many best-of-breed security solutions could reduce a company’s overall security posture. “The devil in that detail is that rarely do the organizations figure out how they are going to leverage those tools effectively. It becomes difficult when you have too many of them.”

According to Cisco, a primary cause for too many solutions is the tendency to rely on technology to solve the problems of increased security complexity. “As organizations increasingly embrace digital transformation, CISOs are placing higher priority in adopting new security technologies to reduce exposure against malicious actors and threats,” comments Steve Martino, SVP and CISO at Cisco. “Often, many of these solutions don’t integrate, creating substantial complexity in managing their security environment.” In this sense, the perceived solution to the problem perpetuates the problem.

“To address this issue, security professionals will continue steady movement towards vendor consolidation, while increasing reliance on cloud security and automation to strengthen their security posture and reduce the risk of breaches,” continued Martino.

One concerning finding in the survey is that despite increasing exhortations to patch fully and promptly, 46% of organizations (up from 30% in last year’s survey) had an incident caused by an unpatched vulnerability. Among respondents who reported a breach caused in this way, 68% lost 10,000 or more records. Only 41% of those who reported a breach through other causes lost 10,000 or more records.

Fifty-two percent of respondents said that securing the mobile workforce is very or extremely challenging (and this was before the coronavirus stimulus to working from home). Cisco suggests that adopting a zero-trust approach to authentication would solve many of the concerns currently voiced by the respondents (52% finding mobile devices to be challenging, 39% struggling to secure applications, and 52% saying that data in the public cloud is very or extremely challenging).

However, the primary components of a zero-trust solution are not well-implemented. Multi-factor authentication, which Cisco describes as a valuable zero-trust technology to secure the workforce, is currently used by only 27% of organizations. Micro-segmentation, another key component of zero-trust described as an approach to secure access of workloads, has been adopted by only 17% of the respondents. Implementing a zero-trust solution is difficult and time-consuming, and is a long-term project, but it is considered by many security experts to be a solid approach to cybersecurity.

Despite the increasing complexity of security, and the somewhat disappointing findings in some areas, the Cisco survey finds that security professionals have made positive steps to improve their security posture. Collaboration between network teams and security teams is high, with 91% of respondents reporting they are very or extremely collaborative. 

Seventy-seven percent are planning to increase automation to simplify and speed up alert response times, while 86% say the use of cloud security has increased visibility into their networks.

Cisco’s own recommendations to the CISO community include a layered defense (that could help towards a zero-trust posture) comprising MFA, network segmentation, and endpoint protection; improving visibility (which is always good advice); getting the basics of security hygiene right (including a robust patching regime); and reducing complexity in both security practice and security tools by adopting an integrated platform approach.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
