Stress Relief for CISOs: Communicate Cyber Risk in Business Terms

May 18, 2023, by Jeff B. Copeland

“Cybersecurity Leaders Suffer Burnout as Pressures of the Job Intensify,” says a headline in The Wall Street Journal. Seventy-three percent of US CISOs in a survey reported hitting that hopeless state, The Journal reports. The article cites these causes:

  • Relentless cyber attacks
  • Pressure to fix security gaps despite budget constraints
  • Worries about personal liability for cyber loss events after the conviction of the former Uber CISO
  • Excessive expectations from employers, particularly to secure new digital initiatives

And, as cyber risk experts, this one caught our eye:

“‘CISOs see resistance to their requests because executives often don’t understand cyber risks sufficiently,’ said [former CISO Jerry] Perullo, founder of cybersecurity advisory firm Adversarial Risk Management. ‘Every decision has to be second-guessed and third-guessed, potentially by people with less subject-matter knowledge,’ he said.”

While there is no end in sight to relentless cyber attacks, the other stress factors come down to a problem that can be managed by assessing and communicating cyber risk in the financial terms that the rest of the business understands. At RiskLens, we are advocates for cyber risk quantification with the Factor Analysis of Information Risk (FAIR™) standard – but the stress remedy is not quantification for its own sake; it is having a defensible rationale for the tactical choices a CISO makes in the face of an ever-changing risk landscape.

Jack Jones, the creator of FAIR and co-founder of RiskLens, writing about the case of former Uber CISO Joe Sullivan, made this critique of the CISO community’s reaction to the case:

“Many of the security professionals I’ve encountered have the perception that they know what’s best for the business, and when management doesn’t support all their requests, they characterize management as negligent. They don’t stop to think that management needs to balance where to apply the organization’s limited time and money…

“If we are not willing or able to express a cyber risk problem and our security needs in business – i.e., financial – terms that management can properly evaluate, then we are not enabling it to make well-informed decisions… It is the responsibility of security professionals to get our risk measurement and reporting act together.”

The mindset Jack observed regarding the Sullivan case seems to be echoed in this latest analysis of burnout: management’s budget constraints, excessive expectations, second-guessing and lack of understanding of cyber risks are named as the causes.

Here’s our prescription: Don’t let yourself burn out before trying to introduce cyber risk quantification to your organization. Give yourself the chance to make a risk-based pitch for budget, set realistic expectations for the risk reduction each dollar of spending buys, and explain cyber risks fully in terms of their financial impact on the organization. In other words, offload most of that stress to management – they own the risk in the end.
