By Andrew Rose, Resident CISO at Proofpoint.
In coffee bars at security conferences and leadership dinners, one topic meets with almost universal agreement—the CISO role in the UAE is increasingly tough. Despite pay and resource increases, this trend continues to accelerate, pushing security leaders to experience elevated levels of stress and burnout.
There are multiple causes for this increasing pressure. One is that the role is ‘snowballing’—many senior leaders started in IT security, which grew into information security, then into ‘cybersecurity’—each with a growing scope and set of responsibilities. Another reason is the environment in which CISOs operate, which is driving a trend toward chaotic, unpredictable system behaviour. The result is a delicate, fragile society that is increasingly vulnerable to system failure.
In the UAE, ransomware headlines have largely increased cyber risk awareness among the C-Suite and driven strategy shifts. Recent high-profile attacks have pushed ransomware to the top of the agenda for organisations, with Proofpoint’s 2022 Voice of the CISO report showing that 41% of CISOs in the UAE had purchased cyber insurance and 53% of CISOs were focusing on prevention over detection and response strategies. This isn’t surprising as CISOs are facing potential legal penalties for their actions—including the prospect of years in prison and hundreds of thousands of dollars in fines.
Is it any wonder that many CISOs now talk about their desires to step away, and how an increasing number of staff have already made it clear that the ‘top job’ is not for them? Many believe they can tolerate the stress of the role; however, burnout in the form of chest pains or panic attacks is very real. Burnout happens suddenly when an often-inconsequential event becomes the step too far, causing a catastrophic breakdown.
And stress can undermine our ethics. The option to overlook a data point or create a small misrepresentation of a risk or action may be tempting when the outcome might prevent you suffering additional pressure and stress at the next Board meeting. However, this can lead to a series of poor choices, each seemingly in alignment with a company culture, but each also eating away at your personal integrity, with potentially catastrophic personal consequences.
So how can CISOs triumph with both their mental health and ethics intact?
It’s not simple. In fact, the genuine answer is annoyingly vague—simply put, everyone needs to find their own path as people have different ways of coping. Coping mechanisms work much better when people are cognisant of them and can double down on those that are positive and minimise those that are negative. Consider creating boundaries and rules that both you and your team respect. One CISO insists on five-minute breaks between meetings to step back, breathe, and reset before the next challenge. Be selfish. Reserve time for yourself.
CISOs also have a responsibility to ensure that the problem does not impact the people around them, like their staff. Even though organisational cyber preparedness has greatly improved, with Proofpoint’s Voice of the CISO report showing that increasing familiarity with the post-pandemic work environment has left CISOs feeling better equipped to deal with cyber threats, it’s never a good idea to get complacent.
Creating a culture of caring for those around you by looking for signs of stress is a great start. Finally, recognise that the efforts your staff put in are the tip of the spear. Behind each is a family willing to support and encourage them, to forgive them for late nights and weekend work. Remember to reach beyond your staff to say thank you directly to their support team for the effort and sacrifices they have made to keep your function running at top performance.
In terms of ethics, it is essential to run teams where doing the right thing is the only way to act. We all have our own goals, objectives, and ambitions that drive our actions and shape our personality. However, in times of stress, it’s easy to lose sight of these and focus merely on the problem in front of you. Write down your personal principles and have them with you always as a touchstone to ground your actions. If your role is steering you to make decisions you recognise as ethically unsound, ask whether it is time to exit that role. Recognise that, as security leaders, we have a massive safety net, and that with your ethics and reputation intact, you will always find employment. Without your ethics, however, that safety net withers away to dust.