Too many CISOs are under constant pressure to defend their organization from cyber threats. They are feeling unsupported, and it’s taking a toll on their mental health, according to a new study.
CISOs are so frustrated with their mounting responsibilities that they would resort to radical measures in the face of a cyber attack, according to research by Nominet, the .uk domain name registry in the United Kingdom.
The company quizzed 400 C-suite executives of large businesses with a mean average of almost 9,000 employees across the UK and the US. Looking at CISOs in particular, the survey found some worrying trends. For one, almost 90% of CISOs are working more than 40 hours per week, and 27% admitted that the job stress was impacting their physical or mental health. Second, 52% of CISOs don’t feel they are viewed as a ‘must have’ by the Board, even though 76% of their peers say they are. More alarmingly, one in three CISOs would immediately terminate any employee found responsible for a breach (i.e. a negligent staffer falling for a phishing attack).
Part of this frustration seemingly comes from feeling underpowered to take responsibility. 90% of the executives polled said they lacked at least one resource to defend themselves against cyber breaches. If they were to get this extra resource overnight, 59% would opt for “advanced technology,” the study indicates.
Another issue is disagreement between C-level types as to who should actually take responsibility in the event of a breach. Asked who was ultimately responsible for information security, 35% said the CEO, 32% said the CISO, and only 3% wisely accepted that no single person takes the full burden of cyber security in a large organization.
“This is not a sustainable way to approach leadership, nor manage the risks of cyber threats,” said Nominet CEO Russel Haworth. “We need to pull together if we truly want to do the best we can for the business. The C-suite needs to communicate better, educate each other, and recognize their individual limitations.”
The researchers hope to provoke discussions and encourage executives in every department to assess their strengths and weaknesses, identify responsibilities, create clearer lines of command, and above all, approach cyber security as a team effort.