A new survey of CISO attitudes conducted by Symantec and Dr Chris Brauer of Goldsmiths, University of London will surprise few CISOs, but should be required reading for other business leaders. It describes adrenaline junkies that fear burnout and worry about being scapegoats in an impossible position, but remain dedicated to their job.
Symantec questioned 3,000 European CISOs from the UK, France and Germany. The results (PDF) highlight what many in the security industry will immediately recognize: 82% of CISOs already feel ‘burnt out’; 65% feel that their work and position are set up for failure; 64% consider quitting their job; and 63% have considered leaving the cybersecurity industry altogether.
It is, in short, a highly stressful position. But despite this, 92% are ‘thrilled’ by their work; 92% are fully immersed despite the stress; and 90% are motivated by high pressure situations.
But despite the adrenaline junkie thrill of the job, CISOs remain pragmatic about the effect they can have. They are short-staffed, overwhelmed by the volume of security alerts received, and generally believe that the attackers have a higher skill set than the defenders. This leads to the common belief that it is not if, but when, there will be a breach.
The most interesting part of this report analyzes the ‘after the breach’ change in CISOs’ attitudes. Although 55% of CISOs fear they will be fired if a breach occurs on their watch, and 40% are afraid they will be held personally liable for that breach, nevertheless the experience of navigating an avoidable breach seems to favorably affect the CISO’s outlook.
The survey looked at the impact of known stress factors and compared responses between those (26% of the respondents) who had been through a breach with those that had not. The stress factors included increasing regulation, the alert workload, too much data with too many access points, infrastructure complexity, and the skills gap. On average, only 23% of the experienced CISOs felt that these factors increased their stress levels, while 47% of those that hadn’t experienced a breach felt associated increased stress.
This reduced stress appears elsewhere. “Only 19% of the ‘experienced’ group say they are concerned about [dismissal resulting from a breach] compared to 28% of those who had not been through a breach,” says the report. “They also cite less feelings of personal responsibility for incidents that could have been avoided (22% versus 37%) and are less likely to feel like they’re in a position where they were set up for failure (21% versus 35%).”
The beneficial psychological effect of experiencing a breach continues into job satisfaction. Twenty-three percent versus 47% feel burnt out; 22% versus 42% feel apathy or indifference toward their work; 20% versus 34% consider quitting; and 20% versus 34% consider leaving the industry.
At the same time, however, some of the adrenaline-based excitement of the work seems to dissipate. Far fewer breach-experienced CISOs remain thrilled in their work, fewer feel fully supported by the business, fewer believe they have the opportunity for creative problem-solving, and fewer believe the work provides an opportunity to make an impact/difference on the world.
“This data is fascinating,” comments Darren Thomson, Symantec CTO EMEA, “but it’s important to understand the context — in my experience, those people who have experienced a cyber security breach and come out the other side, become much more sanguine and less emotionally charged in their approach. It doesn’t mean security leaders become less committed to their responsibilities after a major incident. If anything, more of a ‘I’ve seen it all before’ mindset enables them to think more clearly, with a greater focus on longer-term, strategic priorities.”
One of the changes between breach-experienced and unexperienced CISOs noted by the survey is an increased willingness to discuss breach/attack experiences with others. Seventeen percent of experienced CISOs don’t talk to professionals outside of their business, compared to 32% of those who haven’t experienced a breach. Similarly, 14% versus 18% worry that sharing such information might adversely affect their career.
There is no direct data from the survey to suggest that cross-industry information sharing benefits cyber security, but it is a widely held belief supported by the authors. The report notes, “The problem is that there isn’t a substantive culture of sharing insights in the cyber security sector: 54% of respondents don’t discuss breaches or attacks with peers in the industry. Over a third (36%) of security professionals are also worried that sharing information about a breach during their watch — with peers, colleagues or prospective employers — would adversely impact their career.”
It then quotes Dr Steve Purser, Head of Core Operations at ENISA: “Security leaders, and the industry more broadly, need a framework for structured information sharing — whether for ongoing best practice, or as a process for learning from a breach. Enterprises or governments should be set up to handle at least three types of information. The first is strategic information for high level decision making. The second is operational information, used for improving best practices over the longer term. And the third is tactical information, such as indicators of security compromise, used for day to day responses. In each case this information should be shared with the context of a specific goal that’s being addressed.”
The implication is that CISOs do not share information, and that they should do so within a formal structure — that is, despite all other pressures and workloads, they should do something extra. It is possibly the formality of this type of information sharing that is the problem. In practice, CISOs actively seek their peers at conferences and forums, and do talk to each other about problems and solutions — but informally.
Overall, this survey provides an excellent overview of the pressures and difficulties faced by CISOs on a day to day basis. They don’t need to be told this, because they live it daily. The big takeaway for the CISO, however, is the less obvious discovery that not only is there life after a breach, it may well be a more contented life.