Expectations rise in line with budget increases. The problem is that it takes time to do due diligence to bring in the right tools and the right skill sets. But if the budget hasn’t been used up in a certain amount of time, executives might reallocate it to other areas once the intense, post-incident focus has faded.
This puts CISOs in the difficult position of having to explain to the board and other executives what the loss of funding means, when many would rather focus on metrics and improvements. “CISOs may talk about risks and progress made against the incident, but not talk about, potentially, how budget and positions are being taken away,” he says.
8. You must look after yourself at all times
If there’s one common, overarching lesson for CISOs, it’s that you must look after yourself, legally, professionally and mentally throughout your tenure in the industry.
With burnout, high stress and increasing responsibilities, many CISOs are feeling the pressure of the role. Incidents add to these stressors, and they are becoming more commonplace as the frequency of attacks rises.
“Incidents are commonplace, unfortunately; it’s part of the job,” says Thorsen.
Brown encourages CISOs to recognize the potential health impacts of high-stress roles and to establish the right support system before it is needed, because it will be vital when an incident occurs. She also cautions them not to underestimate how much being in the eye of the storm can strain their coping mechanisms.
“One of the big messages is although you might think you’re managing stress, you might not be doing it well,” Brown says. “CISOs’ jobs are hard enough, so people have to find an outlet. But during an event, it gets even worse. Acknowledge this and build a personal plan for yourself, because one approach doesn’t suit everyone for this type of thing.”