A career in Infosec can be demanding. And as recent headlines have shown, the stakes have never been higher as Chief Information Security Officers (CISOs) are charged with keeping all facets of their organization protected online. This constant vigilance also results in security pros regularly working extra hours and overtime, and even missing holidays, to keep the company secure.
We recently took an updated look at how overworked and stressed CISOs are in 2022, following our inaugural CISO Lost Hours report last year. This year, we learned that CISOs are working more than ever which is contributing to stress, fatigue and feelings of burnout: 18% of security leaders work 25 extra hours a week, which is double the amount of overtime that they worked in 2021.
Some overtime or extra hours worked can be unavoidable, but the consequences of habitual overwork are real. Our recent study shows that employees are more likely to make mistakes when they’re tired or stressed, which could have serious consequences for security pros.
Here are the highlights:
CISOs are working overtime and can’t always switch off from work
The demands of the CISO role mean they are putting in significant overtime – about two extra work days per week. The study found that on average, CISOs work 16.5 hours over their contracted weekly hours, an increase of 11 hours from last year. What’s more, many have adopted an “always on” way of working. Three-quarters of security leaders report being unable to always switch off from work, while 16% say they can rarely or never switch off.
Last year, we learned that CISOs were missing out on important personal and social events outside of work like holidays, family vacations and even workouts and doctor appointments due to the nature of their role. Even if security leaders are able to attend these events, the “always on” mindset takes away from being fully present during these moments.
The size of the company makes a difference
The survey also found that security leaders at larger companies are putting in more overtime. CISOs at smaller companies (10-99 employees) report working an average of 12 extra hours a week, whereas those in the same role at a company with 1,000+ employees report working an extra 19 hours.
On the other hand, security leaders at small companies say they have more difficulty creating boundaries between work and home life. Twenty percent of CISOs at these companies say they can always switch off from work, compared to 31% of those at larger companies.
Overworked employees make more security mistakes
Many overworked and burnt-out employees are finding resolve in “quiet-quitting” where employees do the bare minimum of their job requirements. However, CISOs don’t have that luxury. They’re putting in more hours and can’t switch off from work just to keep up with the demands of the job.
Unfortunately, the Great Resignation has impacted the IT industry, with IT employees being the most likely to look for a new job, according to another Tessian data report from earlier this year. We’ve also learned that employees are more likely to make security mistakes when they’re tired or stressed. In fact, 47% of employees cited distraction as the top reason for falling for a phishing scam, and 41% said they accidentally sent an email to the wrong person because they were distracted. While accidentally sending an email to the wrong person might seem small, mistakes like these can lead to serious cybersecurity incidents like data loss or a breach.
While no employee should ever be shamed or punished for making a security mistake at work, it’s mistakes like these that can contribute to the extra time CISOs are putting in at work. According to a separate survey conducted by Forrester and commissioned by Tessian, employee-related security incidents take up a significant amount of CISOs’ time. In fact, the survey found that security teams spend up to 600 hours per month investigating and remediating threats caused by human error – the equivalent of nearly four employees’ full-time workloads.
So what can CISOs do to create a better work / life balance?
Lean on your team: While CISOs are the Head Honcho within IT and security teams, that doesn’t mean they have to do everything. It’s okay to ask for help, prioritize, and then divide and conquer. Beyond their immediate team, CISOs can also work closely with other members of the C-Suite – like the CFO – to adopt new tools that automatically prevent threats and give CISOs some time back in their day.
Set boundaries and stick to them: It can be difficult to establish a division between work and life. With mobile access to Slack, email, and Google Docs, “work creep” can seem inevitable. Similarly, if you’re working from home, personal tasks can take up mental space that could compromise your productivity. That’s why you need to define your work space and working hours, and try to create healthy habits that give you a chance to recharge. For some it might be a walk or making time to connect with kids during a lull in active work. These mini breaks can also make a big difference in recharging your battery.
Unplug: This is easier said than done, especially when CISOs are considered the superheroes of any organization. “When duty calls”, right? Yes and no. If you don’t take time for yourself, you won’t be up for the job. You also won’t model the kind of the habits that will help up-and-comers in your organization to see a path to balanced work and life if you don’t figure it out for yourself. Consider mindfulness apps for day-to-day relaxation, and limit the number of people who have access to you while you’re OOO.