Pressure hurts

by Black Hat Middle East and Africa

Welcome to the new 58 cyber warriors who joined us last week. 🥳 Thanks for subscribing!

Get weekly wisdom from the Black Hat MEA community in your inbox – including exclusive interviews and key moments from the #BHMEA22 keynote stage.


📣 This week we’re focused on…

Pressure.

Why? 🤔

Because of something Tim Brown (VP and CISO at SolarWinds) said at Black Hat MEA 2022:

“You’ll get outnumbered. When the press of the world is after you, you can’t really do much.”

He was referring to the media machine that was set in motion after the 2020 SolarWinds hack.

“From a CISO perspective, going through this, we talk about being fired,” Brown added. “I gave myself a 50/50 chance of being there. If the general sentiment of the world was ‘hey, we have to have somebody to blame’, I knew that probably needed to be me.”

Cybersecurity pros face a wide range of pressures ⚠

We’ve talked about mental health in this newsletter before. But we’ll talk about it again: because it’s an important (and growing) problem in the cybersecurity industry. And when mental health suffers, security suffers too.

Coming into the firing line of the world press and company board members is a very specific kind of pressure – and one that every CISO might have in the back of their minds as a perpetual possibility.

But even putting that very dramatic pressure aside, professionals in the industry face other pressures every single day. And as time goes on and organisations become more complex, it’s only getting harder.

Challenges include (but absolutely aren’t limited to):

Not enough workers. In 2021 the cybersecurity skills shortfall was counted at 2.7 million workers globally, and research shows that 67% of security leaders feel they don’t have enough talent on their team.

The money that’s at stake. The average cost of a data breach was USD $4.35 million in 2022, and is projected to reach $5 million this year.

On-call requirements. Cybersecurity doesn’t sleep – so cybersecurity people don’t really get to sleep either. A survey by Ponemon found that 71% of security employees say they’re on call 24 hours a day, 365 days a year. And every false alert causes additional stress.

Overwhelming workloads. Ponemon found that 73% are suffering burnout due to a workload that just keeps increasing. SOC analysts are especially likely to experience severe overwhelm, which is a key reason why 65% of them have considered changing jobs.

Being responsible for security during big transformations. Research by ESG found that securing new IT initiatives is a big stressor for 40% of cybersecurity professionals. Controlling security at speed, while innovation picks up pace exponentially, is an exhausting challenge.

And 39% of pros are irritated by the unpredictable requirements of securing tech projects when they’ve been launched without any input from cybersecurity experts. Actually, that ESG survey was way back in 2018 – so the speed of projects running to market now is even faster, and this problem is likely to be hitting security teams much harder.

Pressure gets passed on

Security is the responsibility of cybersecurity teams. But that responsibility is clouded with unpredictable circumstances, insufficient support, and very little time to sit back and take a deep breath or stroke a cat.

So responsibility is experienced as immense pressure.

And what’s the easiest way to handle pressure when you’re tired, stressed, and need a break?

Give it away. Pass it on. Blame someone else.

Also at BHMEA22, Ira Winkler (CISO and VP at CYE) said:

“If a user is doing something on your system, they’re only doing it on your system because you gave them that data, and then you gave them the ability to activate that data. You give them the ability to do things. And if they’re doing anything you don’t like, that’s on you.”

The point was that cybersecurity professionals should not be blaming the user when they make a mistake on a system. Because a user error is just a symptom of a deeper problem.

But we want to take this a little deeper still, and ask another question:

Why are cybersecurity pros blaming the user? Could that be a symptom of stress that needs to be addressed?

We see you 🧐

The average job tenure of a CISO is reportedly only 18-24 months – compared to the average of 8.4 years for CEOs.

A major global study of senior cybersecurity professionals by Nominet revealed that a quarter of CISOs suffer from stress-related poor health, and nearly a third fear for their jobs.

Cybersecurity people are under pressure. We see you. And we want to help.

📰 On the blog this week:

Tim Brown on why cybersecurity professionals should practise public speaking

Ira Winkler on why human error is only 10% of the problem

Do you have an idea for a topic you'd like us to cover? We're eager to hear it! Drop us a message and share your thoughts. Our next newsletter is scheduled for 21 June 2023.

Catch you next week,
Steve Durning
Exhibition Director

P.S. - Mark your calendars for the return of Black Hat MEA from 📅 14 - 16 November 2023. Want to be a part of the action?
