How can CISOs avoid burnout in the face of ransomware?
Ransomware attacks show no sign of slowing, with one-third of organisations currently experiencing a ransomware attack at least once a week and one in 10 experiencing them more than once a day. This is according to research we commissioned among senior security professionals in the UK and the US.
The mass shift to remote and hybrid forms of working over the past couple of years has expanded the attack surface of organisations, with employees and businesses still adapting to a model that means the growing use of SaaS apps and working most of the time in the web browser. This creates a host of new vulnerabilities, attack vectors and entry points for threat actors.
There's the risk that employees could simply work around security processes and procedures. In addition, many organisations are faced with what we call shadow IT. This is the use of information technology systems, devices, software, applications and services without IT department involvement or approval. This isn't typically done maliciously but rather as something employees use to get their jobs done.
According to our report findings, nearly half (46%) of senior security professionals say they worry about employees ignoring corporate security advice and clicking on links or attachments containing malware more than anything else. In fact, they worry more about this than they do their own job security, with just a quarter of respondents worried about losing their job.
CISOs' fears today are multi-layered, with many of them concerned about ransomware attacks evolving beyond their own team's knowledge and skillset, as well as the company's security capabilities.
There's also a real sense of frustration over the challenges that the industry faces when it comes to protecting businesses and employees against ransomware. This ranges from increasing ransom demands to the growth of ransomware-as-a-service (RaaS) and even a feeling that government authorities are not treating ransomware seriously enough.
Avoiding CISO burnout
At the forefront of many of the technology changes in recent years and responsible for driving the company's security strategy, there's the risk that security professionals are becoming overloaded and worrying about too many things, some of which are beyond their control. It's no surprise we're seeing more examples of CISO burnout and a much higher churn rate in the security industry.
Certainly, the shift to where and how we work has been a blessing and curse for CISOs. On the one hand, it's provided a new level of flexibility that no one could have expected two years ago, but on the other hand, it's expanded the attack surface and fuelled a rise in web-based attacks. Ranking their top three ransomware attack vectors, half of survey respondents identified the web browser – just below email as the number one attack vector.
CISOs may be experts in handling breaches while remaining calm, but it's important to remember that, just like anybody else, they are susceptible to stress. Between mitigating a growing number of attacks and constantly worrying about the impact a breach could have on the organisation, the CISO role is a challenging one.
According to Dr Christina Maslach, pioneer of research on the definition and predictors of burnout and creator of the Maslach Burnout Inventory, the most widely used instrument for measuring burnout, the human mind wasn't designed to push through chronic stress without recovering. Too much stress without time and space away to recover can lead even the most seasoned CISOs to get burned out. Burnout is serious and can put you at greater risk of heart disease and mental health disorders like depression and anxiety.
To avoid this, there are some practical steps to follow:
1. A CISO's time is important, and attending every meeting you are invited to is not sustainable. Determine which meetings need your attention and which don't, and block out time in the calendar so the team knows you are busy. It's important to create boundaries around time and then respect them.
2. Regularly setting aside some time to ask yourself how you are feeling, physically and mentally. This goes a long way to mitigating the chronic stressors of the role. It's not enough to assume that you are naturally aware of your mental state.
3. Be clear about who can help you get what you need in order to do your job. If you don't know who to go to when you need resources, you won't be able to gather all the tools you need so you can take ownership over security strategy. This also means garnering executive support so that the Board is on your side.
4. Have a plan, and don't rely on experience alone to get you through a breach. This seems obvious, but given than less than half of our survey respondents say they implement a data backup or recovery plan as the first step in the event of a ransomware attack, so this needs to be stated.
5. Have a clear strategy when faced with a ransomware demand. Paying it depends on your level of preparedness – do you have the right processes and strong backup in place? If so, you won't need to pay it. But if your organisation is unable to function as normal, access data, or the damage is likely to bring down the business, you need to re-evaluate your options.
But remember, no one size fits all. Every organisation – and its security team – is different, so pick your battles and take small, purposeful steps to make sure your job doesn't dictate your mental health.