RSAC 2024

Interview: How Google Cloud Is Helping Organizations Address The CISO Burnout Crisis

Being a CISO is “a 24/7 job,” says Alicja Cade, Director, Financial Services, Office of the CISO at Google Cloud.


We hear a lot about the ‘human element’ in cybersecurity, but this typically refers to the end users who are the target of cybercrime. The cybersecurity world focuses much less on the humans who develop and run the cybersecurity strategies within an organization: the CISO.

Chief Information Security Officers (CISOs) have, perhaps, one of the most stressful jobs in any organization. They are responsible for effectively implementing and managing dozens of cybersecurity tools, ensuring each is configured to suit their specific organization. They must keep up with the latest compliance requirements, which may differ from country to country. And, of course, they are on the front line if a breach takes place, responsible for managing the fallout and the recovery process.

CISOs in the US and UK typically work at least 11 hours per week more than they are contracted. 100% of CISOs describe their jobs as ‘stressful,’ with 48% stating that the stress is affecting their mental health. It’s perhaps unsurprising that, when asked, nearly a third of CISOs said they were considering leaving their current role. The average CISO tenure in an organization is just two years and two months – hardly enough time to plan, implement, and execute an effective long-term strategy for a business.

While at RSAC 2024, Expert Insights spoke to two cybersecurity leaders familiar with these challenges: Alicja Cade and David Homovich. Alicja started her career in Bristol, UK, working for PwC as Director of IT Risk and Cybersecurity, before moving to New York and working as a CISO at UBS. David started out in Washington D.C., working for Booz Allen Hamilton as a consultant, first on critical infrastructure at the Department of Homeland Security, then at the Pentagon for several years. He then joined the finance world, working at both Credit Suisse and JP Morgan Chase.

Alicja and David now work at Google Cloud’s Office of the Chief Information Security Officer (OCISO). OCISO was formed to help foster collaboration and communication across an organization, from the board to the CEO to the CISOs themselves. Alicja and David contribute their own expertise and experience on digital transformation, compliance, strategy, and much more. Both cover the financial services sector, but OCISO covers a wide array of verticals, including telecoms, retail, public sector, and manufacturing.

Alicja describes herself as a ‘recovered CISO.’ She knows from first-hand experience many of the challenges and expectations that CISOs are under, as well as from talking to Google Cloud’s CISO community. “It’s a 24/7 job,” she tells me. “The defenders have to get it right every time. The attackers, only once. Tremendous pressure builds on that.”

Defining The Role Of A CISO

There are different interpretations as to what the role of a CISO should be, Alicja explains. Some CISOs are sherpas who carry the responsibility for managing cyber all on their own shoulders. Some are facilitators who try to help other departments within the enterprise understand cyber risk. And others see themselves as enablers who want to enable different stakeholders to address threats.

The issue of burnout often comes from the internal structure of an organization, which, over time, can grind CISOs down. “You can be a wonderful enabler, but if you’re in an organization that treats you as a sherpa, you’re going to get very frustrated,” Alicja outlines. “I think some of the turnover we’ve seen is based on that. It’s a tough job.” And it’s not just the CISO facing these pressures: “It’s not always on one person. We have to remember that the SOC [security operations center] people are under the same kinds of pressures in their duties as well.”

The language used to describe the job of a CISO can also increase the psychological pressure of the role, David explains. “Everything we talk about is very ‘defense in the trenches.’ It’s war-related terminology. It’s adding more and more. We actually worked with a psychologist to talk more about how we need to think about the language we are using when talking to cybersecurity professionals, to make sure they don’t have this burnout that is constantly happening.”

“And of course, the military language, that’s what cyber methodologies are based on,” Alicja adds. “You can’t eliminate it; this is how we operate. Threat actors, attacks, defense etc. But when you take it into a team meeting and adopt that language in daily interaction, it’s not necessary. It’s an extra pressure builder. I was surprised at how many emotions that discussion brought up.”

Empathizing With CISOs And Boards

Google Cloud’s OCISO aims to help not just CISOs, but also other C-level executives and boards, get to grips with the issues CISOs are facing. That starts with understanding those challenges as they stand today, Alicja explains.

“Putting yourself in another person’s shoes really helps. Of course, having been a CISO, it’s easy to go back and think, ‘Yeah, these were the kind of multidimensional challenges I had to deal with.’ Of course, the world is changing for CISOs, but I really understand the complexity of the environment that CISOs deal with.”

Cyber risk sits in all areas of the organization, Alicja explains, but is often placed on CISOs to manage. If cyber risk is present in technology, business, and third-party stakeholder decisions, CISOs should be part of that wider conversation, she argues. Decisions about the remediation of cyber risk should also be “a team sport.” It’s therefore hugely important to foster communication at the board level between CISOs and the very top of an organization, where often CISOs have less of a voice than the rest of the ‘C-level’ team.

“We make sure we foster that [shared responsibility] with boards and CISOs about the ownership of the risk. We help CISOs have effective communication with boards, because that effective relationship drives the culture in the organization. But we also help board members to know what questions to ask about cyber risk, resiliency, and broader information security as well. Because it’s all linked,” she explains.

“We think of it like a roadmap we work on with CISOs and senior members of the team,” David adds. “There are different modules that we can work on with them – one could be risk and compliance, for example.” Often this includes advising teams to focus on strategy and process – not just the latest and greatest tech.

“A lot of the discussions we tend to have, particularly with customers that are just starting their digital transformation, tend to focus on technology solutions. Google has a great portfolio of security technologies, but you [as a CISO] really need to make sure you’re working with the business, that you understand how your tech assets are aligned with critical business processes. We work with them through a set of modules to make sure that they’re thinking through all of the factors they need for their sector.”

“It’s important,” Alicja agrees. “Especially with the technology competition and security innovation moving so fast – and it’s great it’s moving, because the threat world is moving too. But everybody should be thinking: ‘What’s our company’s strategy? What are we driving at? Why should I suddenly be implementing a cloud instance with another supplier elsewhere just to drive my security tools? How is that fitting into our overall strategy?’ Think about that ultimate goal… and implement change in a secure way. We’ve seen companies who have been very successful at transformation; if those principles are applied, they actually work.”

Building The Foundations For Success

The Google Cloud team is helping to provide security leaders with specific expertise and advice tailored for their industry. Experts like Alicja and David are on hand to use their own personal experiences to foster a genuine understanding of the complex challenges facing CISOs at a turbulent time. To conclude, I asked them both for a single piece of advice for CISOs attending the RSAC conference.

Drawing on her experiences, Alicja recommends that CISOs link with their business. “Think from the business perspective and build relationships with the board members. Don’t go to the board just for the meeting. Make sure you have relationships established and you understand what board members’ objectives are. And vice versa, they know you. That would be my biggest advice.”

David adds: “If you’re going through digital transformation now, particularly in organizations like financial services, bring risk and compliance along from the start. If you wait until the very end, there can be a lot of challenges, delay, and slow down. Bringing them in at the beginning allows everybody to have that education and can make digital transformation much smoother and happen much quicker.”

About Expert Insights

Expert Insights is a B2B research and review platform for cybersecurity solutions and services. We help over one million IT managers, CISOs, and small business owners find the best cybersecurity solutions every year.