Mounting personal liability, regulatory complexity and chronic burnout are creating an exodus of experienced cybersecurity leaders. This brain drain threatens to leave organizations vulnerable at a time when cyber threats are reaching critical levels.
While CISO burnout is not a new crisis (it has been a hot topic globally for many years), the crisis has escalated, and the high number of departing CISOs is leaving a widening experience gap.
A dangerous concoction of personal liability, mental health strain and intensified regulatory pressure has made the CISO position untenable for many seasoned experts.
The Personal Liability Crisis
With US SEC enforcement actions against CISOs at major corporations like Uber and SolarWinds in recent years, the UK market is experiencing the ripple effect, and cybersecurity professionals are abandoning CISO roles.
According to research, 72% of security leaders are now taking out personal indemnity insurance to protect themselves from potential litigation – a stark indicator of the profession’s perceived risk.
Industry research also shows that 90% of CISOs express concern about stress and burnout affecting their teams, with 84% of cybersecurity workers experiencing mental fatigue.
A 600% increase in cyber threats since COVID-19 has pushed professionals beyond their breaking point, with enterprises losing approximately $626 million in productivity due to security practitioners’ declining mental health.
Regulatory Pressure Intensifies
Since the implementation of enhanced cybersecurity frameworks after Brexit, UK CISOs face a complex regulatory landscape. New incident reporting requirements now mandate faster breach notifications, including attempted attacks on critical systems, adding to the compliance burden. The UK’s Cybersecurity and Resilience Bill is likely to impact executive accountability, much like the EU’s NIS2 Directive which imposes direct liability on senior management, so the pressure is set to increase still further.
The Expanding Experience Gap
These ever-increasing pressures have led to growing numbers of experienced cybersecurity professionals stepping down and being replaced by those with far less experience.
Although 93% of organizations have introduced policy changes specifically to address CISO liability risks, these measures may not be enough to retain the invaluable seasoned professionals who hold a deep understanding of the delicate balance between security imperatives and business operations.
This is the area that causes me the greatest concern when thinking about the future of our industry. There is no shortage of young professionals who aspire to have the CISO title, but I believe the majority will head for more niche areas where the burden is lighter. A good CISO must be willing to make difficult decisions and take responsibility if and when a breach does occur.
The ongoing CISO exodus also means many organizations are introducing more rigid, business-inhibiting security approaches to reduce risk in the absence of expert insight and guidance.
Plus, there is a serious reduction in organizational resilience when it comes to sophisticated threats, as those in cybersecurity roles lack vital experience. This leads to increased vulnerability to state-sponsored attacks and supply chain compromises.
Arguably the most concerning factor in all of this is that it could take years to fill the current and projected skills gaps. The task is therefore urgent for those organizations that have not yet lost their most valuable, experienced CISOs: they need to implement actionable strategies to retain cybersecurity leadership.
This could include introducing enhanced executive indemnification policies to protect CISOs from personal liability, as well as investing in automation and AI wherever possible to reduce operational burden and help combat AI-powered threats.
Encouraging cultural shifts towards economically sustainable work practices is another way to tackle the issue: for example, integrating cybersecurity throughout the entire business and accepting that it is everyone’s responsibility rather than something that sits on the shoulders of one team or one individual alone.
Many larger businesses, especially those with clearly defined business units, are introducing a Business Information Security Officer (BISO) for each area, to be overseen and managed at the top-level by the Chief Security Officer.
Building career development pathways that will increase internal expertise is another consideration. Many businesses find younger cybersecurity employees are excited to take on the role of a TV superspy, but there are far more mundane elements to the role, including regulatory compliance, understanding the needs of the business and weighing risk, and these require suitable training and continued professional development.
At FICO, I am involved in major business decisions from the get-go. I play a part in strategic decisions as they are made, rather than being brought in downstream to figure out how to secure a decision that’s already been made. That represents a major cultural shift for most organizations.
The upper end of medium-sized organizations can be seen to be grasping the value and the potential of this approach, but it seems the larger ones haven’t quite got there yet, and the smaller firms still tend to keep the cyber function in a silo.
As cyber breaches become a common occurrence across business, now is the time for organizations to fully recognize the pressures that cybersecurity leaders face. Otherwise, we are at real risk of losing critical expertise before a new generation is fully trained.