By Stuart Reed, VP of Cyber Security, Nominet
Have you ever wondered what the most stressful job in your organisation is? If you were to rank them, the chances are that the person responsible for protecting your organisation from data breaches and cyber attacks would be quite near the top. In most organisations, this is primarily the role of the Chief Information Security Officer (CISO), who heads up the cyber security team. What’s more, while it’s true that everyone at the senior leadership level may be feeling stress and working long hours, it’s the nature of the fire CISOs are fighting which arguably makes their stress unique.
Over the last two years, we have conducted research into the working life of the CISO in order to better understand the role, its pain points, and how the stress they are under could be relieved. This year’s report, Life Inside the Perimeter: One Year On, found that the vast majority (88 percent) of CISOs remain moderately or tremendously stressed and that this stress is taking a greater toll on CISOs’ mental and physical health, and their personal relationships.
However, the research suggests that CISOs working in the financial services sector are, on average, suffering slightly less from stress. So what are financial services organisations doing right that other industries can learn from?
CISOs in finance have higher welfare
Responding to the survey, fewer CISOs in finance reported being tremendously stressed than in any other industry (just 14 percent). The stress they are under is also less likely to impact their mental health and has fewer adverse effects on their personal life. For example, CISOs working in financial services companies are less likely to be abusing alcohol and reported that stress had taken less of a toll on their marriages or romantic relationships.
The better welfare of CISOs in finance is especially stark if you contrast it to an industry with a comparable amount of sensitive data – the legal industry. By comparison, 67 percent of CISOs at legal firms reported being tremendously stressed. A shocking 53 percent reported that stress had impacted their mental health and, for 60 percent, their physical health (compared to only 41 and 35 percent in finance). This is having a real impact on the lives of CISOs working in the legal industry. The vast majority (60 percent) reported that work-related stress had impacted their marriages or romantic relationships – way above the overall average of 32 percent and financial services on just 24 percent. Moreover, 27 percent reported using medication or alcohol to deal with their stress vs just 14 percent in financial services.
Therefore, it is clear that there is something different about the CISO role at financial services companies that means that they have a higher welfare than the legal industry and almost all other sectors.
Why are CISOs in finance less stressed?
One potential reason that the CISO role in finance organisations is less stressful can be immediately ruled out: it is not because their job is easier. CISOs in financial services are tasked with safeguarding some of the most sensitive data there is and are constantly battling against threats. In fact, 60 percent of CISOs admitted that their organisation has been affected by a security incident in the last year, and 33 percent said that it had happened more than once. Hardly a stress-free environment. Yet, in spite of this, CISOs are faring better than average when it comes to mental health.
The secret may lie in a better relationship between security teams and the board in finance organisations. While there were security incidents, 80 percent of CISOs believe that the board understands that breaches are inevitable – almost the highest level of understanding in any industry. When asked how they thought the board would respond if a security incident happened, 61 percent said the board would be understanding and assist in resolving the incident. Again, this is the highest of any industry and probably demonstrates that the greater awareness of security risk among financial services institutions has resulted in a more collaborative and effective relationship between CISOs and the board.
This understanding seems to have also translated into a comparatively better work environment for CISOs – which may be contributing to them handling work stress better. For example, when asked about their work-life balance, only 12 percent said it was “far too heavily work focused” – almost half of the average (21 percent) and a fraction of the response in the legal industry (60 percent).
Perhaps even more importantly, 53 percent of CISOs in finance said that their organisation has support structures in place to help them cope with stress and that they were actively reminded of them, compared to 38 percent on average and just 30 percent in the legal industry. This proactive approach to encouraging good mental health stands out as one of the strengths of the financial services industry.
More needs to be done
However, that is not to say that there is not work to be done in helping CISOs in financial services. While it is below the average, 83 percent of CISOs in finance report being either “moderately” or “tremendously” stressed and 41 percent say this has had an impact on their mental health. These numbers are still far too high.
Moreover, while fewer finance CISOs thought their work-life balance was “far” too focused on work, only 24 percent thought it was “balanced”. CISOs in financial services actually work slightly more overtime than average – 11 hours a week. Again, this has a real impact on people’s personal lives – 35 percent have missed a family milestone and 33 percent aren’t taking the annual leave they are entitled to. As always, money is perhaps the best indicator of how people feel. On average, CISOs said they would sacrifice £7,559.64 of their yearly salary for a better work-life balance.
All of this means that CISOs in finance are not immune to a trend we saw throughout this report – burnout. On average, CISOs in financial services only stay in their jobs for just over two years (27 months) – a very short tenure.
Financial services is definitely ahead in supporting the CISO role but clearly more has to be done. Most importantly, the board should build on its relationship with the CISO to remove the sole burden of responsibility the CISO feels for securing the business. More than any other industry, including legal, CISOs in finance believe that they hold this ultimate responsibility for a security incident, and that this is the most stress-inducing part of their job. It’s no wonder they are feeling the pressure, when you consider that 20 percent of CISOs believe their contract would be terminated in the event of a security incident.
The role of the CISO can only be improved by a better working relationship with the board, and so it’s important that the C-Suite recognise that improving the CISO’s working life can only have positive outcomes for the business. With a strong and empowered CISO at the head of their security team, organisations will face less risk, be better protected, be more able to deal with a security breach when it hits, and ultimately become safer from cyber crime.