Overworked CISOs may be a security risk.
N2K logoOct 11, 2022

Tessian released a study of CISO burnout and the security risk it poses.

Overworked CISOs may be a security risk.

Tessian released a blog today, detailing the results of its study of overworked CISOs, and how fatigue and burnout pose a security risk to their companies.

CISOs are overworked.

Results found that CISOs are working significant amounts of overtime, upwards of two extra days a week, working, on average, 16.5 extra hours a week. This is an increase of 11 hours over the past year. On top of that, three quarters of CISOs report not being able to “switch off” from work, with 16% saying that they never “switch off.” Many CISOs are missing important facets of their life as well, such as holidays, vacations, and even doctor appointments.

Company size is important.

Survey results show that the larger the company, the more overtime for the CISO. CISOs at companies with 10-99 employees work an average of 12 extra hours a week, while their counterparts at large companies (1,000+ employees) work an extra 19 hours. It was also found that work-life balance, despite the lower number of excess hours, is harder for CISOs at small companies. 20% of CISOs from small companies report being able to always “switch off,” while 31% of their counterparts at large companies say the same.

Stress and burnout a security risk.

The study found that 47% of employees report distraction as the main reason for falling for a phishing scam, with 41% citing distraction as the reason for sending an email to the wrong recipient. These incidents contribute to CISOs work time, with reference to a separate survey by Forrester, which found that security teams can spend up to 600 hours per month on threats caused by human error.

What can a burned out CISO do?

Tessian provides ideas for overworked CISOs to help themselves, suggesting that they lean on their team, set boundaries and enforce them, and unplug and take time for themselves.

Encouraging counterpoint: another study shows a record of CISO success during the pandemic.

Deloitte released a study on a related topic, the relative positions CISOs have achieved in organizational hierarchy and influence. “State Cybersecurity in a Heightened Risk Environment," concludes that US state CISOs have gained strength and authority following their work in migration of government services and operations to the virtual landscape. Their work during COVID-19 in particular should be counted a success: it gave state agencies the ability to maintain a high level of service amidst a pandemic.