{"id":1736,"date":"2025-01-31T16:25:01","date_gmt":"2025-01-31T16:25:01","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1736"},"modified":"2025-01-31T16:25:01","modified_gmt":"2025-01-31T16:25:01","slug":"how-cisos-can-fight-burnout-and-extend-their-careers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1736","title":{"rendered":"How CISOs can fight burnout and extend their careers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>By putting in over a decade as chief information security officer for the Commonwealth of Pennsylvania, Erik Avakian not only managed to outlast three successive governors but also far exceeded the\u00a0<a href=\"https:\/\/www.zdnet.com\/article\/average-tenure-of-a-ciso-is-just-26-months-due-to-high-stress-and-burnout\/\">average tenure<\/a> of other CISOs\u201418 to 26 months.<\/p>\n<p>It\u2019s not that Avakian didn\u2019t have stresses or\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/listen-up-ciso-burnout-is-tough-not-talking-about-it-is-tougher\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">feel burned out<\/a>\u00a0like his industry peers. He occasionally did. But he considered himself a fighter and loved the challenge of fending off hackers\u2014that is, until last fall, when he decided it was finally time to do something else.<\/p>\n<p>\u201cI actually feel better mentally and physically now,\u201d admits Avakian, now in the private sector as a technical counselor for Info-Tech Research. \u201cMy face is brighter, and I am healthier overall.\u201d<\/p>\n<p>Avakian isn\u2019t alone in wanting a change. 
In fact, a\u00a0<a href=\"https:\/\/www.blackfog.com\/hidden-crisis-stress-cisos-quitting\/\">2024 BlackFog survey<\/a>\u00a0reported nearly 1 in 4 CISOs are considering leaving the profession because of stress.<\/p>\n<p>It is a situation that\u2019s been spinning out of control for a while now. But security professionals say they believe it can be turned around if they actively address the root causes of the problems.<\/p>\n<p><strong>The heart of the matter<\/strong><\/p>\n<p>One issue is feeling stuck in a thankless job. Most CISOs report to chief information officers (CIOs). Like their bosses, they are expected to foster operational efficiency. They rarely get a pat on the back. They only hear from leadership when things go wrong, and they spend more time telling people no than asking how they can help their colleagues drive innovation. CISOs are also considered cost centers as opposed to sources of revenue.\u00a0<\/p>\n<p>None of this makes them popular.<\/p>\n<p>\u201cYou get a lot of people who think security is all about slowing things down when they\u2019re trying to get business done,\u201d says Chris Prewitt, CTO\/CISO for Inversion6, a cybersecurity risk management provider. \u201cYou\u2019re pushing against the inertia of the business\u2014or at least that\u2019s the common perception.\u201d<\/p>\n<p>What\u2019s more, because CISOs sit several hierarchical levels down from the C-suite and only report to the board a few times a year, they suffer from being out of sight and out of mind. 
The development of their success metrics often cycles through multiple levels of review, by which time expectations may have been watered down so much that they no longer reflect reality.<\/p>\n<p>One CISO for a major food and snack producer says a CIO at his previous company once even changed his plant compliance report to show better results during a board of directors presentation.<\/p>\n<p>\u201cThat\u2019s the kind of thing that adds stress,\u201d says the CISO, who wished to remain anonymous. \u201cI don\u2019t know if it was necessarily malicious, but I viewed it as a violation of my integrity, and so I voiced that a little bit. Ultimately, as a CISO reporting up to the board, it really told me it might be time to get out of there.\u201d<\/p>\n<p>A related difficulty: accountability without authority. Most CISOs are on call 24 hours a day, because breaches can happen at any time. Most work\u00a0<a href=\"https:\/\/venturebeat.com\/security\/report-1-in-5-cisos-work-more-than-25-extra-hours-per-week\/#:~:text=The%20study%20found%20that%20on,news%20straight%20to%20your%20inbox%3F&amp;text=The%20survey%20also%20revealed%20that,-on%E2%80%9D%20way%20of%20working.\">16.5 grueling hours<\/a>\u00a0per week more than they\u2019re contracted for. But if a cyberattack occurs, and they cannot reach someone to authorize a rapid response, the blame is likely to land squarely on the CISO\u2019s shoulders.<\/p>\n<p>\u201cA lot of CISOs struggle to be accepted as part of the C-suite fraternity, but all are expected to behave like a C-suite exec when it suits our lords and masters,\u201d says Paul Watts, a former CISO at Kantar, a data analytics consultancy, as well as at Domino\u2019s Pizza. 
He now serves as a distinguished analyst for the Information Security Forum (ISF).<\/p>\n<p><strong>Working with senior leadership<\/strong><\/p>\n<p>Of course, if CISOs were able to forge strong relationships with senior leaders and board members, unwarranted blame might be avoided. But many are tactical technologists who lack the soft skills to manage up. As such, they miss out on having senior sponsors watching their backs while struggling to gain executive support for critical budgeting and staffing needs.<\/p>\n<p>\u201cBeing a CISO is no longer about knowing how to read a packet capture; it\u2019s about how what\u2019s in that packet capture affects the organization,\u201d says Avakian. \u201cUnfortunately, you see a lot of young CISOs who still need to develop their business communication skills. They sometimes struggle communicating with leadership, don\u2019t get buy-in for their programs, and end up leaving.\u201d<\/p>\n<p>Many CISOs also struggle with the growing complexity, sophistication, and breadth of cyberattacks coming their way, security professionals say. Automated hacking tools, which\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/ai-cybersecurity-guide\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">use artificial intelligence (AI)<\/a>\u00a0and machine learning (ML) to look for holes in networks and penetrate them at scale, may\u00a0<a href=\"https:\/\/www.cnbc.com\/2022\/09\/13\/ai-has-bigger-role-in-cybersecurity-but-hackers-may-benefit-the-most.html\">soon give hackers an edge<\/a>. 
Even with their own AI and ML countermeasures, IT security teams are often too understaffed or inexperienced to keep the swarm of AI-armed hackers at bay.<\/p>\n<p>Steve Zalewski, former CISO for Levi Strauss, says his team often punched above its weight because it only had so much budget and capability to fight increasingly capable hackers. \u201cI came to the realization that we\u2019d used every trick in the book and were relying more and more often on luck,\u201d says Zalewski, who left the profession to start S3 Consulting, a cybersecurity advisory service. \u201cThat\u2019s when the frustration builds up, because you want to do so much more.\u201d<\/p>\n<p>So how to rise above the fray?<\/p>\n<p>Overcoming exasperation and low morale is not easy. But CISOs can enhance their well-being and extend their careers by following these four recommendations:<\/p>\n<p><strong>1. Negotiate a better deal<\/strong><\/p>\n<p>In the CISO role, it\u2019s important\u2014for sanity\u2019s sake\u2014to negotiate the terms of employment. A discussion ideally should occur before accepting a position. But if you\u2019ve already been hired, having a candid conversation about issues with the CIO or department lead should happen before you throw up your hands and walk out the door.<\/p>\n<p>Part of this conversation should include reaching an understanding up-front about what to expect in terms of budget and staffing. If an organization is limiting or reducing cybersecurity investment, it cannot expect resource-strapped CISOs to deliver the same results as they did before the cuts.<\/p>\n<p>\u201cI\u2019ve seen multiple situations where CISOs were retained but their budget and staffing were dramatically cut, and they weren\u2019t able to do their jobs effectively,\u201d says Zalewski. \u201cIf your budget is cut, you have an obligation to renegotiate contractual expectations with your leadership. 
If you just imply you will do more with less, shame on you, because that\u2019s what the executive team is hoping you will do.\u201d<\/p>\n<p>The CISO from the food and snack company also recommends getting on top of the accountability-without-authority dilemma by securing the right to act if a serious cyberattack has already taken place, a hallmark of the\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/what-is-zero-trust\/#:~:text=January%2010%2C%202023,stage%20of%20a%20digital%20journey.?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\">zero-trust framework<\/a>. CISOs should also make sure their employers offer them the same cyber protection through directors and officers (D&amp;O) liability as the C-suite and board members receive, he says. Insurance protects them if they are sued or even face criminal charges following an attack, as Uber chief security officer Joseph Sullivan experienced\u00a0<a href=\"https:\/\/www.justice.gov\/usao-ndca\/pr\/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach\">after he was convicted of a felony<\/a>\u00a0for concealing a breach.<\/p>\n<p>\u201cIf some kind of civil or criminal case came along and you had no D&amp;O protection, then you\u2019d have to have your own policy,\u201d the CISO says. \u201cThat\u2019s a key thing CISOs should discuss when considering a job.\u201d<\/p>\n<p><strong>2. Learn and practice soft skills<\/strong><\/p>\n<p>CISOs of the future cannot be successful relying on their technical chops alone. As cybersecurity issues have an increasing impact on the bottom line, senior leaders will look to IT security staffers to explain how they are protecting the organization\u2019s assets while enabling it to conduct business and drive innovation more easily. 
Job preservation, therefore, requires CISOs to learn how to speak in business rather than technical terms.<\/p>\n<p>Some CISOs acquire these soft skills over time. But with the threat landscape constantly expanding and intensifying, that\u2019s not fast enough. Avakian recommends enrolling in a business communication training program to accelerate learning. Some cybersecurity certificate programs also offer executive communications courses as part of their curriculum, he notes.<\/p>\n<p><strong>3. Do work you care about<\/strong><\/p>\n<p>Michael P. Leiter, an organizational psychologist and co-author of\u00a0<a href=\"https:\/\/www.hup.harvard.edu\/catalog.php?isbn=9780674251014\">The Burnout Challenge<\/a>, says CISOs can also minimize irritations by jotting down what elements of their jobs motivate them, then slowly nudging their programs and workloads in those directions.<\/p>\n<p>\u201cFew people have jobs that they love every single minute of the day,\u201d says Leiter, a former professor of organizational psychology at Deakin University in Australia. \u201cThe goal should be to get a better balance between the stuff you really like to do and the stuff that you do not.\u201d<\/p>\n<p><strong>4. Prioritize mind and body<\/strong><\/p>\n<p>Cybersecurity work can threaten to drive CISOs crazy or cost them peace of mind. For that reason, some security professionals recommend investing time in therapy or other mental health activities.<\/p>\n<p>\u201cI think every CISO needs to focus on their overall well-being,\u201d says Avakian. \u201cYou need a lot of mental strength in this job. 
You\u2019ll want to make a commitment to staying healthy, both physically and mentally, so that you can be an effective leader and good steward for your team.\u201d<\/p>\n<p>It\u2019s also important for the CISO to routinely check in with individuals on the security team to see how they\u2019re doing, he adds.<\/p>\n<p>CISOs also need physical strength and stamina, which is why 80% of 250 tech leaders globally\u00a0<a href=\"https:\/\/www.onelogin.com\/resource-center\/infographics\/leaders-manage-job-stress\">told OneLogin<\/a>\u00a0they use exercise to offset their job pressures.<\/p>\n<p>\u201cWhat we know is the current state of the body influences behaviors, feelings, and thinking,\u201d said Robin Massey, an industrial-organizational psychologist, in a statement.<\/p>\n<p>\u201cTherefore, it is important to understand how physiological factors are interrelated with the relational and psychological.\u201d<\/p>\n<p>That\u2019s hard-won mind-body advice. But it\u2019s helpful for anyone who sits in the cybersecurity hot seat.<\/p>\n<p><em>This article was written by David Rand and originally appeared in\u00a0<\/em><a href=\"https:\/\/www.tanium.com\/p\/focal-point\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\"><em>Focal Point<\/em><\/a><em>\u00a0magazine.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>By putting in over a decade as chief information security officer for the Commonwealth of Pennsylvania, Erik Avakian not only managed to 
outlast three successive governors but also far exceeded the\u00a0average tenure of other CISOs\u201418 to 26 months. It\u2019s not that Avakian didn\u2019t have stresses or\u00a0feel burned out\u00a0like his industry peers. He occasionally did. But [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1737,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1736","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1736"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1736"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1736\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1737"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1736"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1736"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1736"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}