Feeling the burn? How to lighten the load on CISOs’ mental health

Brian Martin at Integrity360 explains how CISOs can adjust to enhance productivity and reduce stress

The stresses of sustaining an all-round view in real time of cyber-security and incident response are taking their toll on chief information security officers (CISOs) and their teams. It can feel like a never-ending fire fight, with teams putting out one blaze after another, and then another as fast as possible – before the sparks have a chance to catch and spread, doing real damage to the organisation.

This feeling of ‘never getting ahead’ on projects or plans for innovation can have knock-on effects for an entire organisation. Human beings, no matter how talented and energetic, cannot sustain high levels of productivity forever in the face of increasing stress – regardless of how many cups of coffee are drunk or how much one rests at home.

Early symptoms of burnout can be subtle, such as apathy, and may appear well before the more serious levels of exhaustion, or even the awareness that a problem is emerging, that would prompt a visit to a general practitioner.

CISOs, and IT security professionals in general, can be more vulnerable to burnout than some other classes of employee. They’re often expected not only to understand technology and technical aspects of cyber-security but to communicate them clearly in a way that everyone can understand and act upon. This is a big ask and can be frustrating even for highly educated and talented professionals who enjoy working across sectors.

Ultimately, the effect on stress levels and mental health can encourage even highly valued and skilled employees to seek a better work-life balance, or simply move on in the hope that the grass will be greener elsewhere. It should be no surprise, then, that the average tenure of a CISO in one role has been found to be about 26 months, with all the costs and complications that staff departures create for the organisation as well as for the team members who are left to shoulder the burden.

Yet the demands on cyber-security infrastructures and departments have been compounded during 2020-21, as a result of the pandemic and the consequent increase in remote working and hybridised workplaces. So, the situation is set to potentially worsen if organisations don’t tackle these challenges head-on.

Where to begin to reduce the load?

The demands on professionals handling cybersecurity issues are dynamic and ongoing, calling for continued vigilance through the week, through the months and years. Investment may therefore be needed, including in skillsets, in reducing complexity and in tackling compliance issues where possible. Education can improve communication and keep the focus on the evolving issues of cybersecurity and their solutions, and team members should be encouraged to switch off from work regularly and completely.

All this should go without saying – but remember that staff members may need different workplace adjustments to manage their stress levels. Some cope better with more structure, others may prefer fewer distractions overall.

And still more can be achieved.

According to a Ponemon Institute/FireEye study, high performers typically have more effective MSSPs, which highlights that managed services and outsourcing solutions can ease the strain on in-house security teams. Eighty-six percent of high-performing respondents rated the effectiveness of their MSSPs as “very high”, versus about half (51%) of the overall sample.

Of course, preventing every cyberattack or threat isn’t realistic, and CISOs should be sure they don’t expect too much of themselves and others, causing unneeded stress. Instead, decide on acceptable levels of risk and focus on addressing breaches through incident response, rather than expecting to achieve complete threat prevention.

Refresh the list of priorities in light of the critical and serious threats and tasks required and make adjustments across workflows and schedules that alleviate staff stresses where possible. This should be considered alongside the deployment of the various cybersecurity offerings on the market.

In fact, according to Deep Instinct, 62 per cent of surveyed IT decision makers agree that threats in their organisation could be missed because of the sheer quantity of false positives, and 69 per cent of respondents agreed that low staff morale results from alert fatigue caused by the overwhelming volume of false positives. The result is that tasks are executed less efficiently and workflows and processes slow down.

Keep in mind that the less time required to research and monitor those ubiquitous threats and nagging security alerts, the more productive a security operations centre and its team members can be. In addition, effective, streamlined and automated threat monitoring and management services can promote a more agile response as well as reduce the drag on individual productivity caused by manual handling of these tasks.

On top of automating where possible and an overall strengthening of the security posture, Managed Detection and Response (MDR) services as well as security orchestration automation and response (SOAR) technologies can empower organisations to automate the collection and analysis of threat detection inputs, triaging alerts from endpoints and security information and event management (SIEM) systems to define, prioritise and drive responses to incidents as they happen.

These services can also include reporting as well as threat intelligence, and it all helps free up the cybersecurity team for the more productive tasks that generate real business value – and for less of the continual firefighting that contributes to burnout over time.

Brian Martin is Head of Product Management at Integrity360
