There is little debate about the importance of CISOs to organizations. As digital technologies become more pervasive across all types of businesses and cyber threats are among the top concerns of today’s executives, CISOs will remain critical members of the corporate security team.
Yet a recent survey by executive search firm Heidrick & Struggles shows that there is turmoil in the world of CISOs.
Front and center: stress and burnout. When asked to indicate the most significant personal risks that CISOs face in their role, stress (59%) and burnout (48%) were the top responses.
That these issues are present isn’t all that surprising, said Matt Aiello, partner and cyber practice lead at Heidrick. However, he said the most worrying undercurrent is that, as a result, some of these professionals are leaving the CISO role at an age or stage in life where they can clearly take on another operational role.
“They choose to strike,” Aiello said. “What we’re hearing in offline conversations is that it’s a great role, but it’s very challenging and regulatory pressures are increasing, which makes the role of CISO even more challenging.”
Dannie Combs, CISO at Donnelley Financial, adds that breaches and shortages of tech talent are contributing to the growing stress and burnout that CISOs are experiencing. “It makes the job a lot harder when you’re carrying that weight on your shoulders and then having to ask your team to do the same,” he said.
Less interest in the CISO role
Stress and burnout also appear to dampen enthusiasm for the leadership position among CISOs’ direct reports. Aiello said he’s heard some No. 2s say they don’t want the job for the very reasons cited by their bosses. “A lot of people who get into cyber do it for the mission, and they see all the outside issues that make the role too pressing,” he adds. “They realize they can stay focused on the mission in other ways.”
If CISOs leave, where do they go? And what can companies do to keep them?
Some go into private equity as trust managers or security chiefs, Aiello said. In these roles, they oversee internal company security but can also have a significant impact on customer security and trust. He points out that most of this migration is for cyber businesses in the private equity industry.
“CISOs who get into this field want to change the industry,” he said. “They recognize that there are cyber businesses and platforms that can make the world safer, so this is an extension of their mission. And oh, by the way, they can also enjoy great financial gains.”
For C-suite leaders looking to retain this talent, Aiello said the first step is to create the conditions for the CISO to succeed. This would include placing the position at the right level, not buried five rungs below the CEO, and giving it a senior or executive vice president title to signal respect for the company. He went on to say that the position also required competitive compensation and had to offer reasonable liability protections in the form of D&O insurance.
Jamil Farshchi, CISO at Equifax, said leaders need to ensure the role is “built for success, which means it has the right visibility, mandate and investment from the CEO and board. If you think of the CISO as an ancillary role, you won’t be able to attract or retain a first draft pick.”
Combs said CISOs need to be sure they have the right level of support from the management team and the board, including financial investments. He also said that when a breach occurs, it’s important to let the investigation process unfold rather than immediately rushing to pin all blame on the CISO.
“Clearly CISOs have a responsibility to explain a significant event, but it’s equally important that they feel supported because every company at one time or another will experience a breach,” Combs said.
“The job of a CISO can often seem as demanding and complex as the threats we face,” Farshchi said. Along with the necessary support from senior management, there are steps CISOs can take on their own to combat stress and burnout, he said. Farshchi said he finds it helpful to stay hyper-focused on his routine and have strong calendar management skills to protect his most valuable asset: his time.
“It’s also very important that CISOs always remember the ‘why’ of their work rather than the ‘what,’” Farshchi said. “We’re here to protect the castle from the bad guys. This job isn’t for the faint-hearted, but it’s a powerful mission that helps keep me focused.”