The CISO role is generally considered one of the highest-stress, least-appreciated executive/managerial jobs. Even before the COVID crisis, nearly 9 out of 10 executives holding the title of chief information security officer (CISO) or chief security officer (CSO) reported “moderate or tremendous” job-related stress. Many say the heightened stress levels have led to mental and physical health issues, relationship problems, medication and alcohol abuse, and eventual burnout. The average tenure of a CISO is only 18 to 24 months, with departing CISOs citing the constant stress and urgency of the job as the core reasons. For comparison, the average tenure of a chief financial officer is 6.2 years and the average tenure of a chief executive officer is 8.4 years. This is a real problem for cyber security.
So, what is the root cause of the tremendous stress on CISOs? More importantly, what can be done about it? I don’t believe it is mainly because of the hours or the workload. The real root cause is (drumroll) that CISOs are human. A downside of human consciousness is the ability to worry about the future. We know the future exists, but we don’t know what’s going to happen in it. “In other animals, unpredictability or uncertainty can lead to heightened vigilance, but I think what’s unique about humans is the ability to reflect on the fact that these future events are unknown or unpredictable,” says Dan Grupe, a postdoctoral research associate at the University of Wisconsin-Madison’s Center for Investigating Healthy Minds. “Uncertainty itself can lead to a lot of distress for humans in particular.” See Dan W. Grupe and Jack B. Nitschke, “Uncertainty and anticipation in anxiety: an integrated neurobiological and psychological perspective”, Nature Reviews Neuroscience, June 2013.
Threat responses come in two forms: short-lived, ‘fearful’ responses to discrete threats, and sustained, ‘anxious’ responses to unpredictable threats. Anxiety is a response to uncertainty about a potential future threat. Anxiety is the root of burnout for CISOs, and anxiety is tightly bound to uncertainty. Uncertainty makes it difficult to prepare properly for future events: one must strike a balance between preparatory actions that are more efficient (but potentially inadequate) and those that are more effective (but potentially unnecessary). Uncertainty is also linked to uncontrollability, and a chronic lack of control at work is itself a documented health risk. Uncontrollability is present when the probability or nature of a given event remains unchanged irrespective of any actions an individual may take. Control is the belief that one has at one’s disposal a response that can influence the aversiveness of an event. So even when we are unable to prevent negative events from occurring, increased certainty about the future provides control over the adaptive anticipatory responses that can mitigate those events’ negative impact.
Uncertainty hinders this form of control and leads to preparations that are diffuse, expensive, and of questionable effectiveness. So we have the CISO anxiety causal chain: threat uncertainty causes anxiety, and anxiety causes CISO burnout. Beyond burnout, the same chain has three major negative outcomes for cyber defense:
- Inflated estimates of threat cost and probability. Adaptive responses to future cyber threats rely on accurate estimates of the probability and cost of such events. Biased assessments of the probability or cost of uncertain negative events result in incorrect assessment and prioritization.
- False beliefs. Because the cyber events that are avoided or worried about typically fail to occur, false beliefs develop about which actions actually prevented the negative outcome.
- Heightened reactivity to threat uncertainty. The response to a threat is exaggerated when there is uncertainty about the threat’s nature, probability or timing.
Restoring control and lowering uncertainty is the only way to break the chain, save our CISOs and provide effective cyber defense. Unlike conditions of certainty (i.e. the “obvious” domain of the Cynefin framework), in which automatic or habitual processes allow navigation of the environment and goal attainment, uncertainty introduces potential conflict between competing options or motivating factors. This leads us to three guidelines all CISOs should adopt:
- Understand that cyber security is a risk assessment and management exercise with two types of threat to manage:
  - discrete “knowable” threats, and
  - unpredictable “complicated and complex” threats.
- Explicitly address both types of threat based on the organization’s risk appetite. Accept that this analysis will uncover threats the organization is explicitly choosing not to treat, and record them as residual risk rather than leaving them unstated.
- Focus on lowering residual risk by prioritizing the transition of threats from the “complex” and “complicated” domains to the “obvious” domain (as described in my previous post) as much as possible:
  - Standardize threat and risk metrics
  - Formalize threat and risk analysis
  - Focus on graphs and emergent threats, not lists