A recent report by Goldsmiths at the University of London has revealed that four out of five Chief Information Security Officers (CISOs) have felt burned out and nearly two thirds were considering either leaving their job or quitting the industry altogether. 

It's no surprise. The world around them is changing, and changing fast: new regulations, the integration of new technologies and fast-paced digital transformation projects are all changing the way we work. Yet, for all this, the reality is that many organizations still take a siloed approach to cybersecurity.

Our latest Risk:Value Report is an interesting barometer based on responses from those sitting outside of the IT function – and is often very revealing. Nearly half of global respondents believe cybersecurity is the IT department’s problem and not the wider business. This rises to 57% for C-level respondents, demonstrating an alarming hands-off attitude to cyber risk in the organizations concerned.

So, when an organization is asked how big its security team is, the answer shouldn’t be four or five – it should be the whole organisation. Security is a group effort.

However, what’s interesting in the Goldsmiths research is that it highlights how the tools and systems designed to help protect the enterprise are themselves increasing stress, which is absolutely the case. Tools that are too complex lead to staff bypassing processes, which can only heighten the stress levels of a CISO and leave the organisation more vulnerable to attacks.

Security therefore needs to be viewed as an enabler and a responsibility shared across the whole organization rather than something that rests purely in the CISO’s lap. This is a message that we at NTT Security continue to promote.

Here’s what organisations can do to support CISOs:

  • Make cybersecurity a company-wide responsibility – establish a culture of security awareness as a mode of operation and a mindset. And make it an everyday practice.
  • Heighten the awareness of cybersecurity across the company – this means more than just providing PowerPoint slides or training videos. Awareness is a continual process of constant improvements and adaptation. See these useful steps.
  • Ensure the tools that are in place are easy to use and don’t serve as a hindrance – adopt new training tools that provide specific direction on best practices.
  • Ensure the CISO is visibly supported from senior level management – put security on the boardroom agenda and ensure that appropriate executive ownership and resources are made available to manage security and risk effectively.
  • Develop a proactive incident response capability – this means preparing an incident response plan but also having the resources to execute it. At a high level, GCHQ’s National Cybersecurity Centre provides a guide to incident management.
  • Identify your crown jewels and develop mitigation strategies around them – only by knowing your business critical data and assets – and building the right plan to protect them – can you focus on looking ahead. 
  • Plan a multi-layered approach to cybersecurity. Think strategic, operational, and tactical planning as explained in a previous blog post here.

The bottom line is that the execution of cybersecurity strategies must improve now – otherwise business risk will only escalate for the organisations concerned.