
Cyber stress: Why are cyber leaders unhappy at work?

16 Oct 2024

New research from BlackFog indicates that cyber leaders are struggling to cope with the stress and demands of their roles. Dr Darren Williams tells us how companies can assist.

Yesterday (15 October), global cybersecurity company BlackFog released new research looking at the state of job satisfaction among IT and cybersecurity leaders.

The report, titled Managing Expectations and Job Satisfaction for IT Security Leaders, consists of an online survey of 400 IT decision-makers in companies with more than 500 employees across the UK and the US, which was completed between July and August of this year.

The results of the survey highlighted the high stress being experienced by IT and cybersecurity leaders, with nearly one in four (24pc) chief information security officers (CISOs) and IT decision-makers stating that they are actively seeking a new position in a different company, while 54pc of respondents are open to new opportunities. Of those considering leaving their role, 93pc say that stress and job demands are major reasons for doing so.

98pc of responding security leaders report working an average of nine extra hours beyond their contract per week, while 15pc say they work more than 16 extra hours per week.

The number of extra hours worked also depends on the type of industry, as security leaders working in the transport, utilities, and telecommunications sectors report working an average of 13 hours’ overtime per week.

AI-related stress

Among the top concerns of IT and cyber leaders are attack methods such as malware, phishing and supply chain attacks, as well as considerable worry about the use of AI by cybercriminals.

“With the advent of AI these days, what we’re seeing is a much higher amount of data exfiltration than we’ve probably ever seen,” said BlackFog founder and CEO, Dr Darren Williams, speaking to SiliconRepublic.com about the report.

“While you can use it for good, like any great new technology, you can also use it for evil. And I think that’s what one of the things we’ve been noticing is that sheer increase in amount of successful ransomware attacks, and that’s obviously increased the job stress.”

Fears over AI in cybersecurity have been growing recently, particularly due to the fact that AI technology can help reduce the barrier to entry for cybercrime. “The barrier to entry is low, and let’s face it, it’s a very low risk for a cybercriminal.”

Williams referenced the latest iteration of ChatGPT, stating that the difference in capabilities compared to previous versions is “dramatic”, and that cybercriminals are leveraging this technology to create advanced phishing attacks. He explained that with the rise of these advanced technologies, including deepfakes, threat actors can craft believable cyberattacks that, with enough careful preparation, could even fool experts in the field.

“It’s scary the sort of environment we’re in right now,” he said. “But there are things you can do right. You just have to be aware and have the right systems in place.”

Liability and budgets

Another concern for cyber leaders highlighted by the report, especially relevant to the US, is the growing trend of prosecuting individual security leaders for their personal culpability in cybercrime incidents. Last year, the US Securities and Exchange Commission brought charges against software company SolarWinds and its CISO, Timothy Brown, for “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities”. Major parts of this closely watched lawsuit were ultimately dismissed by a New York judge, including claims that Brown misled investors about the company’s cybersecurity practices and known risks.

According to BlackFog’s report, roughly half of respondents believe that personal liability improves accountability for security leaders, while the other half worry that it will “deter motivated and competent people from seeking leadership positions altogether”.

“Basically, they’re saying that, why would I want that top job anymore when they can come after me individually, just for doing my job?” said Williams. “That’s really unheard of. I mean, C-level executives, I sort of get that to a certain point they’re culpable. But once it’s security people, that seems a little rich.

“Normally, a company would be expected to provide some sort of liability insurance or protection for that sort of role, but they’re not doing that.”

According to the report, blame can sometimes be directed entirely at a security leader even if the incident could have been mitigated with technology that the leader requested, but the company denied.

This highlights another major concern for security leaders: budget constraints. 41pc of respondents stated that they want bigger budgets so that they can acquire the tools necessary to address cybersecurity threats. “We often see that companies are not treating cybersecurity as seriously as they probably should,” said Williams.

In particular, he said that small and medium-sized companies are going to be more “cyber challenged” as they have neither the budget capabilities nor the focus on cybersecurity.

Coping mechanisms

The consequences of high amounts of stress in this industry are troubling. According to the report’s findings, while many IT and security decision-makers are turning to hobbies and sports activities, 45pc claim to have turned to drugs and alcohol to deal with stress. Some have reported self-isolating from social activities.

With a workforce that is struggling under the pressure of today’s threat landscape, how should companies and organisations react?

“Supporting our workforce is critical here,” said Williams.

He said that along with having counselling services and an appropriate support infrastructure, businesses should consider maintaining a flexible working environment. “I think being flexible as a business gives employees a sort of peace of mind that they can do the job [how] they want to do it and make their life a little nice,” he said. “Sometimes you just want to get out of the house and go to an office space. Sometimes you just want to be in the house.”

He stressed that companies also need to ensure that their cybersecurity professionals have the appropriate resources and education.

“Let’s keep the guys we’ve got, if we love who they are, let’s help them get better at their job and prepare them by making sure they have the right tools to do their job, such as looking at different techniques and educating them.”

He also said that employees need to be assured that they have support from their company.

“If you feel like you’re in the boat and you’re the guy who has got no support from the rest of the team, I think it becomes a bit more stressful, frankly. But if you feel like you’re part of a larger community and you have the support from the company, I think that goes a long way to say, ‘hey, you’re a valuable member of our team’.”

Williams stressed that companies need to have a plan in place, including a broader company strategy that incorporates multiple vendors and products. “Otherwise we get into a situation like we were with CrowdStrike in the last couple of months, where companies were reliant on a single vendor. Even the big vendors are not immune to bad processes and outages like this. Now, if they had have had multiple products in place, they may not have had this problem, because they would be still protected.

“Build a plan, fund it well, so that you can actually buy the tools to provide [the right] level of protection. This is not difficult. I mean, it’s just recognising you’ve got a problem to begin with, just like in any disease, recognise you’ve got a problem and have a plan to deal with it.”

By Colin Ryan

Colin Ryan has worked as a copywriter/copyeditor with Silicon Republic since January 2023. Coming from a background in creative media and technology, Colin has previously worked as a researcher and camera operator. He enjoys watching films, listening to music, and befriending every dog he meets.
