Why Your Board Of Directors Should Focus On Building Your CISO’s Self-Resilience

Global Resident Chief Information Security Officer (CISO) for Proofpoint.

The past year has been another challenge for organizations as threats continued to escalate while the cybersecurity workforce shortage stretched security operations teams beyond capacity. In the high-pressure cybersecurity environment, the CISO’s role was always stressful. But growing job demands, expectations and regulatory scrutiny create much higher levels of burnout and stress.

When the role of security leaders is more important than ever, recruiting and retaining a highly skilled CISO is a tough challenge. Fifty-three percent of CISOs have been in their role for two years or less, and this high turnover, coupled with the talent shortage, puts organizations at high risk of cybersecurity failure.

This untenable situation requires a concerted effort by the board of directors and executive team to ensure their CISO is resilient and has the tools to succeed. An overworked, overwhelmed and stressed-out CISO simply cannot effectively defend and protect the organization.

CISO Pressures Grow

The pandemic put the spotlight on mental health in the workplace, and the cybersecurity industry was no exception. Job burnout and stress are now prevalent in the CISO community, but boards may not be aware of the CISO’s mental health concerns because the conversations take place mostly in private.

One area that adds to the stress is the increased regulatory scrutiny of security leaders’ roles. The Uber case in U.S. federal court, in particular, is troubling for CISOs because it sets a dangerous precedent for placing personal liability on them for cybersecurity incidents. Many CISOs may not know that a potential solution for them is directors and officers (D&O) insurance, which covers diligence, loyalty and obedience duties. While not the only answer, organizations should especially consider “Side A” D&O insurance, which protects officers and directors in those situations when the company does not indemnify them.

The much-needed proposed U.S. Securities and Exchange Commission (SEC) rule to increase transparency around cybersecurity risk management and governance has also created some trepidation in CISO and board of directors circles. They are uncertain what this means for the relationship between security leaders and board members—and these relationships are strained as it is.

These emerging developments ratchet up the pressures CISOs already face daily, including the widening talent gap and the unrelenting threat of ransomware and other cyberattacks. Just like the CISO, the entire cybersecurity team is burned out as their ranks are dwindling, and they must fight mounting threats with fewer resources.

Forrester even predicts that this year, the cybersecurity workers’ long hours will cause a whistleblower to expose unsafe work conditions. Overall, Forrester expects another rocky year ahead for CISOs—as challenging as the CISO’s job is now, tougher times are ahead.

Boosting Your CISO’s Self-Resilience

CISOs fight an uphill battle when they do not have support in the boardroom. One of the best things boards can do to empower their security leader’s resiliency is to bring in cybersecurity expertise on the board. Experts who understand what the organization and the cybersecurity team grapple with are powerful CISO allies. They help bridge the gap in the directors’ understanding of how cyber risk translates to business risk—so they can ensure their CISO has the requisite resources to mitigate that risk.

Establishing a cybersecurity or a technology risk oversight committee is a great way to strengthen the board-CISO relationship. In the typical organization, cyber risk falls under the audit committee, composed mostly of accounting and financial experts. Yet financial experts do not really understand cybersecurity and its ramifications on risk. To them, cybersecurity is simply an operational expense rather than a strategic consideration.

A cybersecurity oversight committee would be able to truly interpret cyber risk and how it affects the broader business goals and the valuation of the organization. Creating such a committee aligns with the proposed SEC rule, and there is wide sentiment in the CISO community that this change would have a positive effect.

One of CISOs’ biggest frustrations is the feeling that nobody is listening to their concerns. Having an oversight committee and more experts on the board paves the way for honest and transparent conversations about cyber risk. But boards should not stop there. They must work on expanding every board member’s understanding of the threats their organization faces, as well as what their security team goes through to fight those threats. All these steps will help the board prioritize cybersecurity, which ensures the CISO has the resources to help ease some of the job burdens.

As leaders who drive the business agenda, directors play an important role in their organization’s cyber preparedness. Understanding the impact, stress and pressures their CISO and security team face every day—and arming them with the resources to handle them—will strengthen the resilience of both their CISO and their organization.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.