By putting in 12 years as chief information security officer for the Commonwealth of Pennsylvania, Erik Avakian not only managed to outlast three successive governors but also far exceeded the average tenure of other CISOs—18 to 26 months.
It’s not that Avakian didn’t have stresses or feel burned out like his industry peers. He occasionally did. But he considered himself a fighter and loved the challenge of fending off hackers—that is, until last fall, when he decided it was finally time to do something else.
“I actually feel better mentally and physically now,” admits Avakian, now in the private sector as a technical counselor for Info-Tech Research. “My face is brighter, and I am healthier overall.”
Avakian isn’t alone in wanting a change. In fact, a 2022 BlackFog survey reported nearly a third (32%) of U.S. and U.K. CISOs are considering leaving their current organizations.
Meanwhile, another recent study from executive recruiter Heidrick & Struggles found 60% of CISOs are affected by stress and 53% suffer from job burnout.
It is a situation that’s been spinning out of control for a while now. But security professionals say they believe it can be turned around if they actively address the root causes of the problems.
The heart of the matter
One issue is feeling stuck in a thankless job. Most CISOs report to chief information officers (CIOs). Like their bosses, they are expected to foster operational efficiency. They rarely get a pat on the back. They only hear from leadership when things go wrong, and they spend more time telling people no than asking how they can help their colleagues drive innovation. CISOs are also considered cost centers as opposed to sources of revenue.
None of this makes them popular.
“You get a lot of people who think security is all about slowing things down when they’re trying to get business done,” says Chris Prewitt, CTO/CISO for Inversion6, a cybersecurity risk management provider. “You’re pushing against the inertia of the business—or at least that’s the common perception.”
What’s more, because CISOs sit several hierarchical levels down from the C-suite and only report to the board a few times a year, they suffer from being out of sight and out of mind. The development of their success metrics often cycles through multiple levels of review, by which time expectations may have been watered down so much that they no longer reflect reality.
One CISO for a major food and snack producer says a CIO at his previous company once even changed his plant compliance report to show better results during a board of directors presentation.
“That’s the kind of thing that adds stress,” says the CISO, who wished to remain anonymous. “I don’t know if it was necessarily malicious, but I viewed it as a violation of my integrity, and so I voiced that a little bit. Ultimately, as a CISO reporting up to the board, it really told me it might be time to get out of there.”
A related difficulty: accountability without authority. Most CISOs are on call 24 hours a day, because breaches can happen at any time. In fact, 60% of those surveyed “rarely disconnect.” Most put in 16.5 grueling hours per week beyond what they’re contracted for. But if a cyberattack occurs and they cannot reach someone to authorize a rapid response, the blame is likely to land squarely on the CISO’s shoulders.
“A lot of CISOs struggle to be accepted as part of the C-suite fraternity, but all are expected to behave like a C-suite exec when it suits our lords and masters,” says Paul Watts, a former CISO at Kantar, a data analytics consultancy, as well as at Domino’s Pizza. He now serves as a distinguished analyst for the Information Security Forum (ISF).
Working with senior leadership
Of course, if CISOs were able to forge strong relationships with senior leaders and board members, unwarranted blame might be avoided. But many are tactical technologists who lack the soft skills to manage up. As such, they miss out on having senior sponsors watching their backs while struggling to gain executive support for critical budgeting and staffing needs.
“Being a CISO is no longer about knowing how to read a packet capture; it’s about communicating to business executives how what’s in that packet capture affects the organization,” says Avakian. “Unfortunately, you see a lot of young CISOs who still need to develop their business communication skills. They sometimes struggle communicating with leadership, don’t get buy-in for their programs, and end up leaving.”
Many CISOs also struggle with the growing complexity, sophistication, and breadth of cyberattacks coming their way, security professionals say. Automated hacking tools, which use artificial intelligence (AI) and machine learning (ML) to look for holes in networks and penetrate them at scale, may soon give hackers an edge. Even with their own AI and ML countermeasures, IT security teams are often too understaffed or inexperienced to keep the swarm of AI-armed hackers at bay.
Steve Zalewski, former CISO for Levi Strauss, says his team often punched above its weight because it only had so much budget and capability to fight increasingly capable hackers.
“I came to the realization that we’d used every trick in the book and were relying more and more often on luck,” says Zalewski, who left the profession to start S3 Consulting, a cybersecurity advisory service. “That’s when the frustration builds up, because you want to do so much more.”
So how to rise above the fray?
Overcoming exasperation and low morale is not easy. But CISOs can enhance their well-being and extend their careers by following these four recommendations:
1. Negotiate a better deal
In the CISO role, it’s important—for sanity’s sake—to negotiate the terms of employment. A discussion ideally should occur before accepting a position. But if you’ve already been hired, having a candid conversation about issues with the CIO or department lead should happen before you throw up your hands and walk out the door.
Part of this conversation should include reaching an understanding up-front about what to expect in terms of budget and staffing. If an organization is limiting or reducing cybersecurity investment, it cannot expect resource-strapped CISOs to deliver the same results as they did before the cuts.
“I’ve seen multiple situations where CISOs were retained but their budget and staffing were dramatically cut, and they weren’t able to do their jobs effectively,” says Zalewski. “If your budget is cut, you have an obligation to renegotiate contractual expectations with your leadership. If you just imply you will do more with less, shame on you, because that’s what the executive team is hoping you will do.”
The CISO from the food and snack company also recommends getting on top of the accountability-without-authority dilemma by securing the right to act if a serious cyberattack has already taken place, a hallmark of the zero-trust framework. CISOs should also make sure their employers offer them the same cyber protection through directors and officers (D&O) liability insurance as the C-suite and board members receive, he says. Insurance protects them if they are sued, or even face criminal charges, following an attack, as Uber chief security officer Joseph Sullivan experienced after he was convicted of a felony for concealing a breach.
“If some kind of civil or criminal case came along and you had no D&O protection, then you’d have to have your own policy,” the CISO says. “That’s a key thing CISOs should discuss when considering a job.”
2. Learn and practice soft skills
CISOs of the future cannot be successful relying on their technical chops alone. As cybersecurity issues have an increasing impact on the bottom line, senior leaders will look to IT security staffers to explain how they are protecting the organization’s critical data and assets, while enabling it to conduct business and drive innovation more easily. Job preservation, therefore, requires CISOs to learn how to speak in business rather than technical terms.
Some CISOs acquire these soft skills over time. But with the threat landscape constantly expanding and intensifying, that’s not fast enough. Avakian recommends enrolling in a business communication training program to accelerate learning. Some cybersecurity certificate programs also offer executive communications courses as part of their curriculum, he notes.
3. Do work you care about
Michael P. Leiter, an organizational psychologist and co-author of The Burnout Challenge, says CISOs can also minimize irritations by jotting down what elements of their jobs motivate them, then slowly nudging their programs and workloads in those directions.
“Few people have jobs that they love every single minute of the day,” says Leiter, a former professor of organizational psychology at Deakin University in Australia. “The goal should be to get a better balance between the stuff you really like to do and the stuff that you do not.”
4. Prioritize mind and body
Cybersecurity work can threaten to drive CISOs crazy or cost them peace of mind. For that reason, some security professionals recommend investing time in therapy or other mental health activities.
“I think every CISO needs to focus on their overall well-being,” says Avakian. “You need a lot of mental strength in this job. You’ll want to make a commitment to staying healthy, both physically and mentally, so that you can be an effective leader and good steward for your team.”
It’s also important for the CISO to routinely check in with individuals on the security team to see how they’re doing, he adds.
CISOs also need physical strength and stamina, which is why 80% of 250 tech leaders globally told OneLogin they use exercise to offset their job pressures.
“What we know is the current state of the body influences behaviors, feelings, and thinking,” said Robin Massey, an industrial-organizational psychologist, in a statement. “Therefore, it is important to understand how physiological factors are interrelated with the relational and psychological.”
That’s hard-won mind-body advice. But it’s helpful for anyone who sits in the cybersecurity hot seat.