Regardless of the company, industry or geographic location, the chief information security officer role is not for the faint of heart.
Nearly 90% of CISOs say they are under moderate or high stress, according to a Nominet survey of C-suite executives and CISOs. Of those CISOs, 48% say stress took a toll on their mental health.
Cybersecurity jobs might as well have stress built into the job description.
"Stress is a part of any defensive-oriented endeavor. Some people thrive under stress while others suffer," Greg Touhill, president of AppGate Federal and former U.S. federal CISO, told CIO Dive in an email.
CIO Dive asked four CISOs across industries over email how they handle the stress of a typically thankless job. Here's what they said:
1. Andy Kim, CISO of Allstate's eBusiness:
"Stress is directly proportional to the expertise of the CISO," Kim said. "Less experienced [CISOs] are going to be stressed out as they are usually faking it until they make it."
Over the last four years, executive leadership's overall sentiments around cybersecurity practices are down, according to a Cisco survey of 2,800 global IT decision makers. While the practices — including cyber risk assessments — are still marginally high, the decrease in sentiment could be due to security becoming operationalized.
Kim approaches cybersecurity like an automobile assembly line. His team pulls in the metaphorical steering wheel, air bags, brakes and seat belts. "Security just happens because it is part of the product delivery, like air bags and brakes," he said.
During a conversation with another CISO, Kim found his peer feared ransomware. Kim does not. He relies on account passwords to prevent backups becoming encrypted. He asked the CISO, "did you protect the password in a vault so only the right system administrators could use it?" His peer said "no."
"That is why you're afraid of ransomware. You're afraid of ransomware because you did not do the basics," he said. "I believe that CISOs who think their jobs are thankless are not real CISOs."
2. Greg Touhill, president of AppGate Federal and former U.S. federal CISO:
"I learned during my military career that stress is not a bad thing as long as it is managed well," Touhill said.
But CISO stress is dependent on several factors, including the relationship with executive leadership. "I've seen too many CISOs fail in communicating risk up the chain of command," he said.
A good CISO knows they "will never get risk to zero" and security is a distributed effort throughout an organization. "Never over-promise and under-deliver."
"I'll confess that there have been a few instances where I played like Scotty from [Star Trek's] USS Enterprise and added a bit more time to project implementation estimates to give the team some breathing space. In almost every instance, that relieved pressure, they delivered early, and the team was boosted by feeling they were 'miracle workers.'"
By sharing responsibility, teams can also share pride. "During my combat deployments, I enlisted the help of the senior generals and enlisted leaders to fete the troops doing the difficult, yet often invisible jobs."
When creating the radio-over-IP-routed-network for supporting convoys in Iraq, he enlisted the "night shift team" to demonstrate the technology for the Joint Force Air Component Commander. In doing so, the night shift, which is not the "glamour" shift, was energized. The team was ultimately awarded the Air Force Science and Engineering Award.
3. Jadee Hanson, CISO of Code42:
"It's important for any high stress role to be able to step away and take time off. Time off does not mean you are tethered to your phone every waking minute," said Hanson. "I am talking about real time off, where you can step away from work and recharge, gain perspective, and come back refreshed to tackle the countless problems that will always be there."
CISOs struggle with work-life balance. About half of CISOs have missed a family milestone or activity due to work, according to Nominet. More than one-third of CISOs didn't take the annual leave they were entitled to.
"Many security leaders struggle with being underfunded and under-resourced. It's all too common of a theme," she said. Cybersecurity suffers a mounting burnout rate "driven by the constant need to be 'on' when monitoring threats to the business." The result? Breaches or cyberattacks.
4. Dave Estlick, CISO of Chipotle Mexican Grill:
Estlick has chosen to work at companies that align with his values. "This authentic connection fosters a positive culture of growth and a network of support, allowing for me to maintain a professional and personal sense of self. I enjoy what I do and find gratitude for having a job where I can impact the business with thoughtful leadership and strategic teams."
The CISO role is an easy scapegoat when issues arise. Because of this, "in addition to identifying risk, our job as security leaders is to accurately describe cyber risk and not to serve as the solitary holder of security risk resulting from business decisions," he said.
While public relations may be less forgiving, industry recognizes a CISO's performance is quantified beyond a singular event. "Developing a strong team, building relationships, growing trust with key stakeholders and the ability to align executive leadership is key to success."
Correction: This article has been updated to correct the spelling of Greg Touhill's name.