Bigger salaries, more burnout: Is the CISO role in crisis?

Chief information security officers (CISOs) are more stressed than ever before. And so far, money hasn’t solved the problem.
CISO salaries have surged the last 12 months, but so has the stress associated with the role, according to new research. The average wage for a security worker now stands at £87,205 – which is £10,000 higher than the previous year’s average, a survey by CIISec found.
According to the survey, 21% of security staff are working long hours, with over half (55%) of respondents saying the associated stress is keeping them up at night. The fear of suffering a cyber attack is cited by 39% as hurting their ability to relax at home.
Another survey by cybersecurity firm Splunk reveals 35% of UK CISOs have experienced stress regularly over the past year, with 23% actively looking for new roles as a result.
It comes after the 2024 UK Government Cyber Security Breaches Survey revealed that the proportion of UK businesses suffering a breach had surged from 39% to 50% over the last 12 months.
With stats such as these, it’s no surprise that CISOs are stressed. Many security leaders feel like they’re “constantly firefighting, with little time left to focus on strategic priorities – or even their own wellbeing”, says James Hodge, chief strategic advisor for Splunk EMEA.
“Stressed leaders and overwhelmed teams mean slower response times, greater vulnerability to cyber-attacks and ultimately, a weakened security posture,” Hodge warns. “If businesses don’t address this, they risk losing top talent and eroding their ability to defend against threats.”
More to manage
There’s no doubt that cybersecurity is a complex sector, and it can be difficult for CISOs to keep up. Adversaries are using more advanced tactics, such as deepfakes, sophisticated phishing campaigns and ransomware.
At the same time, businesses are operating in “sprawling, complex digital environments that are harder to secure”, Hodge points out.
Add to this the increasing pressure from fellow C-suite executives and “the cat-and-mouse nature of modern cybersecurity” and it’s easy to see why defending an organization has become “infinitely more challenging”, says Chaim Mazal, CSO at Gigamon.
With so much on their plates, many CISOs find themselves “trapped in survival mode”, focusing on immediate crises rather than driving long-term strategy and innovation, says Simon Riggs, CISO at OneAdvanced.
He says this “reactive stance” risks inhibiting business growth, stalling strategic initiatives, and limiting CISOs’ potential to offer broader enterprise value. “Over time, this narrow focus can limit a CISO’s role to one of compliance policing, rather than business enablement.”
Making things worse, CISOs are facing increased accountability when cyber attacks do hit the business. Chris Campbell, SVP, CISO and head of technology at Bitsight, highlights the plight of the former SolarWinds CISO, who was “mired in SEC charges for internal control failures”.
“Today’s security leaders can now hold personal blame for cyber incidents and faulty security, risking their careers,” says Campbell. “The legal and personal risks for CISOs, including financial liability and legal actions, have made enterprise security deeply personal.”
Tackling CISO stress
CISO burnout is real, but there are ways to manage the issue and boost morale in the business.
Attacks are increasing in volume and sophistication, but context is important, given the evolving nature of global cyber-threats, says Ian Thornton-Trump, CISO at Inversion6 UK. “The CISO’s job of security, set against a backdrop of the changing global situation, is far more uncertain than ever before.”
Uncertainty leads many CISOs to doubt their abilities to protect the business, and this concern manifests itself in several different ways, he says. “Stress is one of them, along with depression and anxiety. CISOs I know – and I would include myself in this assessment – are passionate about the job they do and there is a lot of anxiety in not being able to move as fast as the threat actors when it comes to defending the organization.”
However, much can be done to improve the situation, including changing perspectives and “building and relying on a community of fellow information security professionals”, says Thornton-Trump. “Despite the title having ‘chief’ in it, as a CISO, you are not alone. You have resources, including vendors and your connections from years of industry experience.”
Jim Doggett, CISO at Semperis, thinks additional pressure is being put on security teams because too much time is spent on non-security work. “On a couple of occasions, I have measured what my team spends their time doing,” he says. “I was surprised to find that on average, over 30% of their time was spent pulling data, creating reports and preparing for presentations, rather than on actual security work. Not only is this unproductive for the security team; it’s boring work that can lead to dissatisfaction.”
In cases such as this, technology can help ease the pressure on stressed teams. Doggett himself addressed the issue through automation. “I’ve adopted the philosophy of not implementing new tools or processes unless they can be automated end-to-end,” he says. “We must utilize our scarce resources doing security and not administrative work.”
Another area key to reducing stress is ensuring a clear role for the CISO, says Rob O’Connor, CISO EMEA and technology lead at Insight. “Security has become much more complex and there’s a need for specialists in different areas. Firms should define the responsibilities of the CISO and identify what can be left to the specialists – this will be particularly important at critical moments when there’s a requirement to act quickly.”
Access to mental health resources, encouragement to take time off to recharge, and fostering a culture that prioritizes balance can significantly improve morale and retention, Hodge says. “Leaders need to engage in open dialog with security teams, ensuring they have the resources, tools and support needed to succeed. With the right blend of proactive investment and cultural change, organizations can strengthen their defenses while empowering their people.”
Making changes such as these is worth it: Inaction will have “severe consequences”, says Hodge. “Burnout among CISOs and their teams not only threatens talent retention, but also increases the likelihood of costly breaches due to slower or less effective responses.”