It can be challenging to be a CISO, or chief information security officer. Few people inside the organization understand what they do, but still place an enormous amount of pressure on them to safeguard the organization.
The average CISO spends just 1.5 to 2 years on the job because of constant stress, according to Rick McElroy of cybersecurity company Carbon Black. A study by Nominet, a U.K. cybersecurity firm, found an epidemic of high levels of stress and long work hours. Eight-nine percent of the 408 CISOs surveyed in the United States and United Kingdom reported they never had at least a two-week break from work. Twenty-two percent said they are available 24/7.
More than half said they were suffering from inadequate budgets and 63% said they struggled to put the right people in place. More than 60% said they had found malware embedded in their organizations and didn’t know how long it had been there.
The Nominet survey challenged some prevailing notions about the role. For example, although the majority said their role is appreciated by senior management teams, most companies don’t find the CISO role strategically valuable to the organization.
Nasdaq CISO Lou Modano spoke about the challenges of the role in a recent interview. He emphasized the importance of CISOs to the company’s strategy and how a strong cybersecurity program can help improve business.
Communication with the board is an important part of a mature cybersecurity program.
At a minimum, the board should be having “unfiltered discussions with the chief information security officer (CISO) in executive sessions and consistently send a clear message to management that prioritizing cybersecurity is part of the company’s DNA,” says consulting firm Ernst & Young.
Consulting firm PwC has some advice for CISOs hoping to communicate directly with the board, including preparing materials and developing relationships with board members.
Senior management should set the right tone and make it clear that cybersecurity is not just an IT concern, but an enterprise-wide business issue that cuts across all divisions and functions, writes Ernst & Young. “Giving cybersecurity the same prominence as finance and legal in board decisions reinforces the message that it’s a critical business issue.”
Companies are sometimes forced or encouraged by regulators to make changes. One example is the Office of the Comptroller of the Currency’s involvement in Wells Fargo & Co.’s hiring of a new senior technology executive who would report directly to the chief financial officer. The regulators found problems with the bank’s cybersecurity program and inconsistencies in risk management, according to a report obtained by The Wall Street Journal. Ultimately, the bank changed the senior technology executive position so that the employee would report directly to the CEO instead.
The stresses of the job of CISO are legendary. The least boards can do is listen to the CISO and make sure that person’s concerns are met.