You might think that to be a good CISO, the most important skill is technical expertise. But that’s just one aspect of what it takes to be a successful CISO or head of cyber security. Even CISOs with years of experience in the security industry sometimes struggle to be effective and end up feeling stressed and anxious. If it happens frequently enough, it can leave them demoralised. For CISOs new to the role, the stress can be overwhelming. Burnout is common and, on average, CISOs move on to a new role — perhaps hoping things will be different this time — every 18 to 26 months.
So why is this role so difficult? Speaking to CISOs, we’ve identified five common challenges.
1. Stakeholder engagement
A significant number of CISOs report that it’s hard to communicate with and get buy-in from stakeholders, especially the senior leadership team. The result is that the business doesn’t understand the risks as well as the benefits of its business decisions — such as deploying new technologies to support digital transformation — and doesn’t have the necessary insights to ensure it can make good choices when it comes to investing in cyber security. It also means that end users — and their managers — frequently don’t develop a cyber-savvy mindset where it’s second nature to avoid behaviours that put business operations at risk. Stakeholder engagement can be an issue for CISOs whether they’re coming from a technical background or from a non-technical business role. Technical experts may not have been given opportunities to develop “softer” skills such as the ability to facilitate, negotiate and influence others, or have much experience of relating technical issues to business goals. Those coming into the role from the business will likely have those skills but not the technical background that aids in engaging important technical stakeholders.
2. Inadequate resources
Security was never easy, but it used to be simpler: you could set up a perimeter around your data centre and the places your employees worked, and then defend it. The world is no longer so simple. CISOs are dealing with an increasing attack surface thanks to advances such as cloud computing, O365, remote working, business transformation initiatives and the use of advanced techniques by malicious actors. In this more complex world, traditional monitoring systems don’t scale well: alerts can’t be easily correlated across different systems and infrastructures to allow early identification of malicious behaviours, while the security team is spending time on the “busy work” of reviewing and cancelling low-level alerts. And if the CISO isn’t engaging effectively with stakeholders, tying security measures to business goals, they’re probably not being given the budget to drive through the kind of improvements and efficiencies that would let them maintain — and increase — their organisation’s cyber-resilience without simply throwing more money at it.
3. Constant firefighting
All too often, CISOs can’t make the space to engage more effectively with the business or implement improvements to security operations because they’re stuck in permanent firefighting mode. Controls are failing invisibly, leading to more incidents and more serious incidents — which means there’s no time for threat hunting to spot issues before they blow up or for implementing more automation to improve visibility and scale. It’s even more frustrating when CISOs see the same issues cropping up again and again because the root causes sit outside the security team’s sphere of control: in the practices of the in-house IT development team or because of a poor security culture among end users, perhaps. It’s a vicious circle of being too busy responding to immediate issues to have the time to build better relationships with stakeholders in order to allow upstream issues to be addressed before they have an impact.
4. Building and keeping the right team
Demand for skilled cybersecurity staff is high around the globe and there are too few candidates to fill the jobs being advertised. Even the best CISOs can struggle to recruit and hold on to cyber security specialists. Some CISOs do themselves no favours by creating job specifications that demand an impossible range of accreditations and skills, instead of trying to recruit from the much larger pool of highly competent candidates who have some of the skills they need and would jump at being given the chance to acquire more. Other CISOs struggle to attract and keep staff because they aren’t creating a work environment in which people can thrive. For example, less experienced analysts will become frustrated if they’re bogged down in repetitive, routine work, with no chance to develop their skills. More experienced analysts will feel overwhelmed when there’s no way to separate critical threats from less important issues. Everyone ends up suffering from alert fatigue, stress and burnout.
Some of the ways CISOs can tackle the skills gap are by using automation and artificial intelligence to take away the grunt work, by hiring people without a cyber-security background or only some of the cyber-security skills the business needs and giving them a strong pathway to develop their skills, and by encouraging mentoring and peer support. Above all, however, CISOs need to be looking at creating “high-performing teams”, where members have a common purpose and a high degree of trust in each other, are able to hold each other mutually accountable, challenge the status quo through healthy conflict, and are — individually and as a group — “mentally fit”. (You can read more about high-performing teams in part one of our whitepaper, People Inspired Cyber Resilience, here.)
5. Information overwhelm
The final challenge is simply the sheer amount of security-related information out there. CISOs are constantly bombarded with reports about new threats, new technologies and approaches and new products, and it’s coming from a plethora of news sources, vendors and partners. Figuring out what to pay attention to, who can be trusted to provide accurate and impartial information, and which “fashionable” technology and cyber-management trends are worth investigating further and which can be ignored — and how to apply it all to your own organisation’s operations and goals — is no easy task. It all feeds into not having the right insights to make the right choices at the right time to secure the business’s operations and support its goals.
Of course, not every CISO is wrestling with every challenge on this list. Many CISOs — often the ones who are investing heavily in their own continuous learning and growth — have been able to build strong relationships with the business and are leading happy, productive cyber-security departments. Yet we’d be surprised if even the best CISOs aren’t frustrated by at least one of these issues for at least some of the time. And for some CISOs, especially those new to the role, everything on this list is a struggle and they’re wondering how long they should stick it out before they crack.
Clearly, most CISOs would like to figure out how to become more effective without running themselves ragged and sacrificing their own well-being to one of the toughest jobs in the IT industry.
Helping CISOs tackle this challenge was one of the driving forces behind why we founded our company, Bright Cyber. Our aim is to provide CISOs with services and solutions that allow them to create sustainable and scalable cybersecurity operations that protect their organisations in the ways that matter. At the heart of our approach is the concept of human cyber resilience: the ability of your people to prevent, identify and respond to security incidents. Our aim is always to increase the human cyber resilience of everyone in the organisation — including the CISO — through a combination of leadership, people, process and technology.
One of the ways we support CISOs is by helping them increase their own personal resilience through our course, Positive Intelligence for Security Leaders. Based on the Positive Intelligence programme created by New York Times bestselling author, Stanford lecturer and leadership coach Shirzad Chamine, and delivered through a mobile app, it uses neuroscience, psychology and coaching to increase the positive intelligence quotient (PQ) of security leaders. This equips them to operate as more effective leaders and facilitators, and to develop sustainable techniques to drive wellbeing, personal and team performance, and relationship improvements — in just 15 minutes a day for 6 weeks.
Click here to receive information on our course.