CISO stress and burnout cause high churn rate
The nature of the CISO role can take a toll, say industry vets, with frustration and stress contributing to high turnover rates and burnout. Learn how to make it work.
John Masserini has had a long and distinguished career as a high-profile CISO, working first for Dow Jones, then the Miami International Securities Exchange and now Millicom Telecommunications in Miami. But at one time, he felt so burned out that he said he left the tech industry for a year to run a gas station.
CISO burnout is a real thing, Masserini said. "When I came back, I was determined to never get like that again."
Research from Enterprise Strategy Group (ESG) suggests that, on average, a CISO lasts just two to four years on the job before moving on to another position -- and many point to cybersecurity burnout as a top driver of CISO churn. In another report, from security firm Nominet, 88% of CISOs reported being "moderately or tremendously stressed," with 48% saying the role has negatively affected their mental health.
"We wake up every day ready to fight to protect our company," Masserini said. "And when there aren't adequate resources, most CISOs will step in and fill the gaps themselves."
That inevitably takes a toll, according to Jinan Budge, a principal analyst at Forrester Research who studies cybersecurity burnout at the executive level. Budge said most CISOs take their social responsibility -- to their organizations, customers and society at large -- very seriously. But they often lack the resources and support necessary to keep their companies safe. That leads many to work harder and longer, sacrificing their own well-being for the sake of a job that quickly becomes unsustainable.
"There's a C in CISO, but they don't always have the executive mandate, budget or support they expect will come with the title," Budge said. "It's crazy. That's a very difficult dynamic. Imagine going to sleep every night with all these things to worry about."
Thomas Johnson -- now CISO of ServerCentral Turing Group, a colocation, cloud and disaster recovery provider based in Chicago -- recalled the challenges he faced while CISO at a bank during the 2008 financial crisis.
"We were bleeding money at an incredible rate, and they didn't want to spend a dollar on information security," Johnson said. "All of a sudden, I'm seeing our risk profile go way up. It's a precarious spot to be in."
He added that convincing decision-makers to invest in security remains one of the most difficult challenges a CISO faces. In ESG's research, security professionals cited a lack of organizational support as a leading contributor to CISO burnout and the turnover it causes; recruitment by other companies offering better compensation packages also drives CISO churn. Based on that research, Jon Oltsik, senior principal analyst at ESG, urged boards to a) invest in ongoing cybersecurity education for corporate leadership, and b) establish strong, formalized relationships with their CISOs.
"That might mean having them report to CEOs rather than CIOs," he added. "But CISOs must have a seat at the table and be included in business planning from the onset."
Even with adequate organizational support, the CISO job is a tough one, Budge and Oltsik agreed. Without it, it's an exercise in futility, and the CISO starts to feel like a scapegoat staring down the barrel of an inevitable breach.
"It's only a matter of time before too much sleep is lost, too much stress is endured or that major breach occurs," Masserini said.
And another CISO bites the dust.
Finding the right CISO for the right job
The CISO position is uniquely challenging, having rapidly evolved from a purely technical role to one that also requires sophisticated management and communication capabilities. The job's diverse demands can pull CISOs in many different directions at once, compounding burnout.
"I'm worried about the next generation of CISOs," Oltsik said. "The position is difficult and changing rapidly."
He added that CISOs often fail because they don't have the full portfolio of skills necessary to succeed. And without formal industry training programs, they must amass that broad and ever-growing skillset on their own time and dime.
Even the most impressive professional pedigree can't guarantee a CISO's success. Those with technical backgrounds often find navigating the politics of the C-suite "extremely stressful," according to Budge. On the other hand, CISOs who come from management environments may be unprepared for the day-to-day grind of operational support, said Tony Buffomante, principal and cybersecurity leader at professional services firm KPMG.
"Taking those calls and fixing systems in the middle of the night -- that's the part that drives burnout," he added.
Budge suggested that problems arise when the right CISO takes the wrong job. "A lot of us are so eager for that title, we don't actually do the homework," she said, adding that she knows few security executives who conducted adequate due diligence before accepting job offers.
In her research, Budge identified six distinct types of CISO, all with different backgrounds and abilities: transformational, post-breach, tactical/operational, compliance/risk, steady-state and customer-facing evangelist. Transformational CISOs, for example, tend to be energetic, business-oriented types with large appetites for change.
"If you're a transformational CISO in an organization that really wants you to do compliance work, you will feel like you're dying a slow death inside," Budge said. "And there will be a lot of issues as you try to push change programs uphill."
Morey Haber, CISO at security software vendor BeyondTrust, said CISOs of all stripes need to feel they are making an impact. He suggested crafting a strategic plan, reviewing it frequently and adjusting as necessary.
"If you can measure your progress, frustration can be managed," Haber said. "If every day is a firefight, you will burn out. No amount of money, cigars or vacation time will stop it."
Self-care for CISOs
Budge said she finds those who successfully dodge CISO burnout -- and even actively enjoy their work -- have all committed to their mental health. They take time off, exercise regularly, sleep consistently and eat healthily, despite the considerable pressures and demands of their jobs.
Research suggests they are in the minority, however. In the Nominet survey, nearly one in two CISOs said work stress has affected their psychological well-being, and 35% reported a negative impact on their physical health. Almost one in four said they have used medication or alcohol to cope.
"We don't talk enough about mental health in security," Budge said. "We need to get back to basics and recognize the importance of self-care."
Masserini agreed, urging his fellow CISOs to find healthy ways to disconnect, unwind and clear their heads.
"I'm a beach guy," he said. "It's my sanity savior. I escape there as often as I can to recharge, refresh and get a little perspective."
CISO Mark Houpt has been in his role at DataBank, a data center service provider based in Dallas, for more than five years. He said he loves his job but also makes a point to take vacation days and unplug.
"If you're like me, and that's difficult, find a place where the phone doesn't work," Houpt said. "I go to the mountains in Montana."
Johnson -- another longtime, career CISO -- also stressed the importance of connecting with others in the field. He belongs to a "support group for CISOs" in Chicago, which meets regularly to socialize and discuss shared challenges.
"Because the workload is so high, a lot of CISOs tend to just hunker down," he said. "But I think having that camaraderie is really important from a sanity standpoint."