Chief information security officers (CISOs) are missing medical appointments and family vacations because their workload is so heavy, according to new research by security company Tessian.
In September, Tessian used third-party survey company Censuswide to ask 300 CISOs in the United Kingdom and United States about their working habits.
Researchers found that a quarter of CISOs had not taken any time off work in the past 12 months and 40% had missed a family vacation due to work. Two out of every five CISOs reported missing out on a national or federal holiday like Thanksgiving because they had to work.
CISOs aren’t just spending more days at work; they are also putting in longer hours. Tessian’s Lost Hours report reveals that CISOs work, on average, 11 more hours than they’re contracted to each week while, one in ten works 20 to 24 hours extra a week.
Working so much is having an impact on CISOs’ health, with only 60% saying that they had enough time to exercise regularly. Nearly half (44%) of the CISOs surveyed said they had missed a doctor’s appointment because they were so busy at work.
Many CISOs (59%) said that they can’t always switch off from work after their working day is over.
Asked how their time is spent, 38% of CISOs said they’re spending too much time in departmental meetings and reporting to the board on cybersecurity, while one-third reported feeling drained by administrative tasks.
Further research, commissioned by Tessian and conducted by Forrester in September, asked 317 security strategy decision makers at organizations in the UK and the US about their working lives.
It revealed that security teams spend up to 600 hours per month investigating and remediating threats caused by human error.
“As security leaders, some of our most exciting stories include pulling all-nighters to defend the organization or investigate a threat. However, we often fail to acknowledge that the need for heroics usually indicate a failure condition and are not sustainable," said Josh Yavor, Tessian’s CISO.
“Like any job function, CISOs have their limits and need to advocate for themselves and time constraints to avoid burnout.”