Across industries, Chief Information Security Officers (CISOs) are routinely championed as ‘silent warriors,’ courageously defending their companies against an ever-evolving cyber threat landscape — all whilst seeking little recognition.
However, with broadening attitudes around subjects like mental health and wellbeing, entrenched notions about what it truly means to be an effective and resilient leader are being placed under greater scrutiny – and the CISO role is no exception.
It is clear that CISOs are under immense stress and pressure – and this is only rising. According to a 2022 survey of over 1,000 cybersecurity professionals, 64% of respondents say that their work impacts their mental health. Another recent survey of more than 1,000 professionals from security teams reports that half (50.8%) had been prescribed medication for their mental health. Undeniably, this is an extremely prevalent issue which cannot be overlooked. This issue was also a hot topic among CISOs in Evanta communities, who wanted to discuss it on program agendas this spring.
At one of the most popular sessions of the UK & Ireland CISO Executive Summit this June, entitled ‘CISOs, How Are You Feeling Today?’, CISOs from within this community came together and explored the impact of the CISO role on their mental health and emotional wellbeing, as well as strategies to support one another.
Here, some of the discussion leaders and participants share their key ideas around the topic.
Why is it important for CISOs to openly discuss the human side of cybersecurity?
“In short, because we are human,” responds Simon Hodgkinson, Board Advisor, Guest Speaker. “There are two aspects to this question, one is about helping people manage cyber risk, and I’m a big believer in human-centric security to protect people from making mistakes… The second aspect is health and wellbeing. It is critical that this is an active conversation led from the very top of any organisation. Mental wellbeing is something we all experience – we all have highs and lows.”
Building on this, Jane Corr, CISO Europe, Great West Life Europe adds, “I do not think anyone truly understands the demands of the role and just how many stakeholders one person is trying to satisfy. Nobody sets out to break the CISO, but that is what can happen if they do not get the support they need. Talking about the challenges they are facing is the only way to change this.”
“The CISO role can be so much more than the stress-filled, poisoned chalice of the last few decades,” remarks Don Gibson, Head of Cyber, Department for International Trade. “Talking about mental health removes the stigma around it – we are talking about other stigmas, such as education requirements in recruitment, unconscious bias in languages, and ageism – this is just another step on the journey to get a diverse, strong and resilient capability.”
It seems that conventional assumptions around CISOs’ resilience to everyday stressors are derived, at least in part, from their implicit role as ‘protectors’ within their organisations. “We, generally, are protectors by nature. But who protects us? We need to protect each other,” claims Gibson.
Clearly, the conversation around the impact of the CISO's role on mental health is long overdue. Nevertheless, the question remains as to how CISOs can come together to address and overcome these issues.
What steps can CISOs take to support each other’s wellbeing and alleviate stress levels?
First and foremost, it is essential to “recognise that (while) everyone is different, they will experience highs and lows,” argues Hodgkinson. Ultimately, while the particular coping strategies might vary across individuals, it is crucial to “be there for your peers, ask if they are OK – but do not force the discussion.”
Echoing this view, Gibson claims that the primary steps to support each other include “being open and honest with ourselves, our teams and each other. Let people know that your electronic door (or physical one), is always open to them.” It is important to “have some people we know and trust, a peer network that knows what we have faced, could face and have survived the worst.”
Developing this point, Corr suggests that CISOs should strive to “build a network of CISOs that you can talk to, ask questions of and run ideas past… It can be a place to share information, discuss challenges, run through plans and build a little cybersecurity community of people who have your back.”
Elaborating further, Corr claims that it is “important for CISOs to take the time to participate in webinars, round table discussions and conferences… Be honest about the issues you are facing. You will be relieved to find that plenty of other CISOs have experienced the same issues.”
Overall, it is evident that establishing a foundational support network is of the utmost importance for CISOs seeking to support each other’s wellbeing. While the exact scale of this network is a matter of personal preference, the message at its core is clear: as Gibson puts it, “check in with your friends. If you see that someone you know has hit the news, reach out to them. Trust me when I say they will appreciate it.”
While it is important for CISOs to openly discuss the human side of cybersecurity and support each other in doing so, we must also consider what organisations can do to support their CISOs and cyber-teams.
What can organisations do to support their CISOs and cybersecurity teams?
Recounting his own experiences as CISO at BP, Hodgkinson notes that “mental wellbeing was an active conversation and the support structures were amazing. This was led from the very top of the company.”
Having a holistic support framework requires engagement across all levels of the organisation – from the C-suite down through middle management to individual employees. While some organisations are certainly making the effort to establish their own holistic support frameworks, there is still work to be done to ensure this becomes the standard across industries.
Hodgkinson continues, “I heard from a friend [who works for a major financial organisation] who had a family trauma, and the response was awful – no empathy at all. I was shocked and saddened that in 2022 we still have leaders and managers who are not able to help people through these challenges. This suggests more work is required to raise awareness of mental wellbeing in all organisations.”
Corr offers a few suggestions for how organisations can effectively support their CISOs and cyber-teams:
“Set cybersecurity and risk performance management goals for senior leaders within the organisation.”
“Identify a sponsor and senior supporters that will look out for the CISO, articulate the good work they are doing and how they are supporting the organisational strategy and goals.”
“Pay for executive coaching. This could really help CISOs to develop the broad range of skills they need to do the job. It can also be someone to turn to when they start feeling the pressure.”
“Fund education, training and conferences for cyber teams.”
Hopefully, as organisations continue to incorporate novel methods to support their CISOs and cyber-teams (such as those outlined by Corr), this will gradually raise the industry standard, resulting in greater levels of mental health and wellbeing across the enterprise.
In the UK & Ireland CISO Community, we will continue to create a safe and open space for CISOs to share their personal stories of mental health and wellbeing within the industry, bringing the community together to discuss new ideas about how to support one another and raise awareness of these key issues.
If you have a story you would like to share, please contact Sam Lincoln, Content Manager firstname.lastname@example.org. You can share your perspective with the community via our in-person and virtual gatherings such as our Summits, Virtual Town Halls, Virtual Boardrooms and also through content pieces like this.
Explore more key topics like mental health and wellbeing by joining the UK & Ireland CISO Community of like-minded CISO peers. Members of the community come together several times a year to connect, exchange ideas and experiences, and validate strategies and solutions.
Content adapted from the UK & Ireland CISO Executive Summit. Special thanks to all participating companies.