So far this year, I have been blessed to start off with some good podcasts, and I’ve got a bunch more coming down the pipe into April.  This will be a critical timeframe as well, as I will be expanding my services in this area for the first time. 

One question that I often ask my guests is to what degree the C-Suite (primarily the CIO and/or CISO) should be held responsible if their respective organization is hit by a Cyberattack.

Not surprisingly, many of them say it is the C-Suite, primarily because the buck stops at the top.  While this is true, should the CIO or CISO be fired immediately after a Cyberattack has occurred?  I ask this as well, and many of them echo the same thoughts that I have:

Rather than engaging in knee-jerk reactions, it is first important to conduct an in-depth analysis (such as a forensics-based examination) to see what exactly happened, and from there, determine who is ultimately responsible, and then hold them accountable.

But no matter how things transpire in the blame game, one thing is for certain:  Today’s CIO/CISO is really under the gun for Cybersecurity, and is feeling an enormous amount of heat and pressure both from the public and especially from their Board of Directors to make sure all lines of defense are up to snuff.

This is substantiated by a recent market research project conducted by a firm known as Nominet.  The report is entitled “The CISO Stress Report: Life Inside the Perimeter, One Year On”, and further details about this study can be seen at this link below:

The findings of the report are broken down into three main areas, as follows:

Impacts on health:

* 48% of the respondents claimed that their mental health has completely deteriorated;

* 40% of them report that the increased levels of stress have impacted their relationships with their families;

* 32% of them have stated that the relationship that they have had with their spouse or partner is now pretty much non-existent;

* The total number of CIOs and CISOs turning to mental health and other forms of psychiatric medication increased by 17% on a Year Over Year (YoY) basis.

Impacts on job performance:

* The average tenure for a CIO/CISO is just 26 months (slightly over two years);

* 71% of the respondents believe that they are being overworked to their breaking point;

* The average CIO/CISO is working an excessive amount of overtime without being compensated for it.  In fact, it was calculated that this amounted to a staggering $30,319 worth of free labor on a yearly basis;

* Only 2% of the respondents claimed that they were able to shut their minds down after work hours, meaning that thoughts of more work haunt them when they go home and on the weekends;

* Almost 90% of them stated that their Board of Directors fully expects them to put in overtime as needed without being compensated for it.  In fact, 74% of the respondents clearly stated that their Board of Directors is aware of the increased levels of stress, but is still expecting greater output all of the time;

* Surprisingly, 90% of the CIOs and CISOs polled said that they would take a pay cut of almost $10,000 if it meant having a better work-life balance.

The impacts upon the organization:

* Despite the heightened level of Cybersecurity awareness, 66% of the organizations that were polled suffered at least one major security breach, while 30% of them have been through multiple breaches;

* 24% of the CIOs and CISOs believe that their Board of Directors still has no real understanding that they could become the victim of a large-scale Cyberattack;

* 97% of the respondents believe that they are not getting adequate funding from the Board of Directors.

My Thoughts On This

To be honest, to a certain degree, I am not at all surprised by these findings.  It is quite true that CIOs and CISOs are overburdened and overtaxed.  But it is not just them.  In fact, the entire IT Security team is at the breaking point of being overworked and overtaxed.

As I have written about before, a primary reason for this is that there are still a lot of security technologies being deployed, with a minimal number of employees to filter through all of the warnings and alerts that come through and determine what is real and what is not.

Another issue that is compounding this problem is that many businesses only want to hire experienced Cybersecurity workers to fill the workforce shortage.  This is despite the fact that there are plenty of workers out there who can be hired, but they simply need to be trained.  In the end, this is just a circle that keeps going on and on.

In other words, it is the experienced Cyber workers who end up leaving because they are simply burnt out from being overworked, and the C-Suite is reluctant to hire new workers who do not have all of the training because they do not want to spend the time to bring them up to speed.  Thus, the workforce shortage is only going to widen that much further, with no end in sight.

So, what can be done?  Either the C-Suite needs to take a chance on these newbies and train them, or somehow figure out a way so that their existing IT Security staff is not overburdened.  As I mentioned earlier in this blog, there are simply too many security technologies deployed in many businesses today.  The thinking is that the more that is deployed, the more fortified the lines of defense will become.

But this is actually a contrarian way of thinking.  More does not mean better, as it simply increases the attack surface for the Cyberattacker.  As a result, there is now a fundamental shift starting to occur in this way of thinking, as CIOs and CISOs are starting to realize that strategically placing fewer security technologies where they will have the most impact is the way to go now.  So instead of deploying ten firewalls, it is probably far better to deploy just three of them, but they need to be placed in the right areas of the business’s Network Infrastructure in order to provide maximum levels of protection.  This can only be done by conducting a rigorous security audit.

With this approach, there will probably be a higher probability that the warnings and alerts that do come in actually have some real merit to them, thus decreasing the number of false positives that are coming through, which in turn will hopefully lead to a less burdened IT Security staff.

But this study also underscores a very disturbing trend.  That is, there still appears to be a huge disconnect in the communications flow between the Board of Directors, the C-Suite, the IT Managers, and the employees.

There are still too many bottlenecks in existence here, and eventually, if a company wants to be successful in its approach to combating Cybersecurity threats and stay one step ahead of the game, communication has got to be a two-way street.

In other words, the Board of Directors needs to listen to the people below them in the chain of command, and vice versa.  There needs to be a fundamental shift in thinking here as well: anybody and any business is at risk of becoming the victim of a Cyberattack.

Nobody is immune, and just because you have not been hit yet does not mean that you will not become the next victim.  There has to be enough money allocated to do all of this, especially when it comes to rewarding and compensating your IT Security staff.

Finally, to the CIO and CISO:  If you are that burnt out, become a vCISO and start your own firm.  You can set your own hours, charge what you feel you are worth, and even cherry-pick your own clients who will actually listen to you and act on what you recommend to them.