Chief Information Security Officers Say Stress and Burnout, Not Job Loss as a Result of a Breach, Are Their Top Personal Risks

  • A recent survey from executive search firm Heidrick & Struggles shows stress and burnout are the top personal risks for CISOs.
  • Pressure from the role is causing some CISOs to leave at an age or stage of life when they can clearly take on another operational role.
  • Companies need to create the conditions for CISOs to be successful in order to attract and retain this tech talent.

There's little argument over how important chief information security officers are to organizations. As digital technologies become more prevalent across every type of company, and with cyber threats among the top concerns of leaders today, CISOs will remain vital members of an organization's information security team.

Yet, a recent survey from executive search firm Heidrick & Struggles shows there's some turbulence in the CISO world.

Front and center: stress and burnout. When asked to state the most significant personal risks CISOs are facing relating to their role, stress (59%) and burnout (48%) were the top responses.

That these issues are present is not all that surprising, said Matt Aiello, partner and leader of the cyber practice at Heidrick. However, he said the more worrisome undercurrent is that, as a result, some of these professionals are leaving the CISO role at an age or stage of life when they clearly can take on another operational role.

"They're choosing to punch out," said Aiello. "What we're hearing in off-line conversations is that it's a great role, but it's very hard and the regulatory pressures are increasing, and that makes being a CISO even more challenging."

Dannie Combs, CISO at Donnelley Financial, adds that breaches and the tech talent shortage are contributing to the mounting stress and burnout that CISOs are experiencing. "It makes the job that much more difficult when you're carrying that weight on your shoulders and then you need to ask your team to do the same," he said.

Less interest in the CISO role

Stress and burnout also seem to be dampening enthusiasm for the top role among CISOs' direct reports. Aiello said he's hearing from some No. 2s that they don't want the job for the very reasons cited by their bosses. "A lot of people who get into cyber do it for the mission, and they're seeing all the outside issues that make the role too high pressure," he adds. "They realize they can stay focused on the mission in other ways."

If CISOs are leaving, where are they going? And what can companies do to keep them?

Some are heading into private equity as chief trust officers or chief security officers, Aiello said. In these roles, they oversee the internal security for the enterprise, but can also have a big impact on customer security and trust. He points out that most of this migration is into cyber companies within the private equity space.

"CISOs going into this area want to change the industry," he said. "They recognize that there are cyber companies and platforms that can make the world more secure, so this is an extension of their mission. And oh, by the way, they can enjoy significant financial gains as well."

For C-suite leaders looking to retain this talent, Aiello said the first step is creating the conditions for the CISO to be successful. This would include placing the position at the right level, not buried five rungs below the CEO, and giving it a title of senior or executive vice president to signal enterprise respect. He went on to say the position also needs competitive compensation and must offer reasonable liability protections in the form of D&O insurance.

Jamil Farshchi, CISO at Equifax, said leaders need to make sure that the role is "built to succeed, meaning that it has the right visibility, mandate, and investment from the CEO and the board. If you view the CISO as an ancillary role, you're not going to be able to attract or retain a first round draft pick."

Combs said CISOs need to feel confident that they have an adequate level of support from the executive team and board, including financial investments. He also said that when a breach occurs, it's important to let the investigation process work itself out rather than immediately rushing to place all the blame on the CISO.

"Clearly CISOs are accountable for explaining a materially significant event, but it's equally important that they feel they have support in this because every company at one time or another is going to experience a breach," Combs said.

"A CISO's job can often feel as demanding and complex as the threats we face," said Farshchi. Aside from the support needed from senior leaders, there are steps CISOs can take themselves to combat stress and burnout, he said. Farshchi said he finds it helpful to stay hyper-focused on his routine and to have strong calendar management skills to protect his most valuable asset: his time.

"It's also really important for CISOs to always remember the 'why' of their job rather than the 'what,'" Farshchi said. "We're here to protect the castle from bad guys. That job isn't for the faint of heart, but it's a powerful mission that helps me stay focused."

Copyright CNBC