In cybersecurity, resilience is preached as a necessity, the backbone for leaders confronting constant, high-stakes pressure. Yet, for many chief information security officers (CISOs) and security directors, resilience often feels more like a myth than an achievable state.
Three cybersecurity veterans shared how state-backed threats, public-private distrust, and personal loss are pushing leaders to their breaking point.
Amy Bogac, CISO of Elevate Textiles, knows what it’s like when resilience slips away. While handling a major cyber event, she was also reeling from the recent deaths of both her parents.
“You just get to a place where there is not enough emotional intelligence in the world for any one human to be able to move forward without taking a break and stepping away,” she said.
Bogac’s story exposes the stark truth about what leaders endure—cybersecurity may be technical work. Still, it’s people who absorb the hits, and people who break when resilience becomes an impossible standard.
SC Media caught up with Bogac and others interviewed for this article at the CyberRisk Alliance InfoSec World 2024 conference this past September. Here, several seasoned cybersecurity leaders opened up about the staggering personal toll of defending against relentless, state-backed cyber threats.
Their stories reveal a hidden truth: Resilience has its limits.
(See Related: CISO stress levels are out of control)
The Emotional Weight of 'Just Business'
For Bogac, resilience isn’t just a demand of her role—it’s a haunting reminder of everything she’s expected to withstand. She spoke of how cybersecurity leaders, especially those protecting legacy brands, feel a sense of duty not only to their teams but to the histories of the organizations they represent.
“When you step into a CISO role ... you feel an obligation to protect that legacy,” she said. Yet that obligation comes at a cost. The reality for cybersecurity leaders is no longer a one-off incident that’s handled and forgotten; today’s attacks are prolonged, with repercussions that require leaders to stay vigilant for weeks or even months.
(Watch the interview: Amy Bogac, CISO of Elevate Textiles talks about “Human Resiliency through the perfect storm of CISO & Individual life realities” on Cyber Risk TV. Duration: 17:06 minutes)
In Bogac’s words, leading these responses can force you to take care of your people at your own expense. The self-sacrifice baked into the job only reinforces the myth of resilience. It implies that leaders like Bogac should hold themselves together, no matter what. But as she and others admit, that model is wearing thin. Cybersecurity leaders are human, trying to keep a personal foothold as attackers test the seams of resilience every day.
Fragile Trust and Broken Alliances
If cybersecurity resilience is at a breaking point on the personal front, the collective state of resilience isn’t faring much better.
Parham Eftekhari, chairman of the private sector non-profit think tank Institute for Critical Infrastructure Technology (ICIT), calls out a grim truth: “Eighty to 90% of critical infrastructure in the U.S. is privately owned.” This makes partnerships between private companies and government agencies indispensable, yet trust between the sectors remains precarious.
Eftekhari pointed to the skepticism that has made true collaboration difficult, even in the face of nation-state-backed threats that are testing the limits of both sectors.
“Policy makers rely on organizations like ICIT to provide objective information,” he noted, underscoring ICIT’s efforts to facilitate public-private partnerships without the friction of political agendas.
(Watch the interview: Parham Eftekhari, chairman of the private sector non-profit think tank Institute for Critical Infrastructure Technology talks about “Why Public & Private Sector Collaboration Matters” on Cyber Risk TV. Duration: 14:36 minutes)
But as Eftekhari admits, deep-rooted distrust between these sectors leaves infrastructure exposed. State-backed adversaries are sophisticated and relentless, while the defenses meant to hold them back suffer from fragile alliances. This broken resilience in partnerships leaves both sectors and their leaders increasingly vulnerable, caught between rising threats and dwindling trust.
The Psychological Toll of Cyber Warfare
For Glenn Corn, former CIA executive and ICIT’s senior director of geopolitics and global threat assessment, today’s cyberwarfare landscape is more brutal than many are prepared for.
Corn describes the current geopolitical tension as “Cold War 2.0,” where digital assaults have become weapons of choice for state actors like Russia and Iran. Citing the severe toll cyberattacks have taken on Ukraine’s infrastructure, Corn warned that the U.S. could face similar circumstances.
“Eighty percent or more of Ukraine’s critical energy infrastructure” has been destroyed by Russian cyberattacks since early 2022, he said.
(Watch the interview: Glenn Corn, former CIA executive and ICIT’s Senior Director of Geopolitics and Global Threat Assessment talks about “Ex-CIA Exec Reveals Global Cyber Threats & Cold War 2.0” on Cyber Risk TV. Duration: 15:26 minutes)
The cyber warfare leaders are preparing for is not about a single point of failure; it’s an endurance game. Corn’s message is clear: Resilience in cybersecurity has become a precarious balancing act where even the smallest crack can lead to catastrophic consequences.
As nation-states perfect tactics in foreign battlegrounds, the pressure mounts for U.S. cybersecurity leaders who know the threat is already knocking at their door. For leaders like Corn, resilience isn’t about bouncing back but holding on as the stakes climb higher and higher.
Breaking Down the Myth of Endless Resilience
What Bogac, Eftekhari, and Corn make painfully clear is that the resilience cybersecurity leaders are expected to uphold is far from limitless. Each leader has felt the strain and seen resilience buckle under the demands of an increasingly complex and hostile digital world.
For Bogac, staying resilient has meant using wearables to track her stress levels, a necessary tool as she balances a life at the edge of burnout. “I’m a huge fan of the wearables,” she said, but even technology can only do so much when the attacks don’t let up.
For Eftekhari, resilience on a national level requires a level of trust between public and private sectors that isn’t yet a reality. Without it, critical infrastructure—our water, energy, and transportation systems—are left without a unified defense.
And Corn’s perspective, looking at state-backed aggression on a global scale, only adds urgency to the question of how long resilience can hold out against unrelenting threats.
Redefining Resilience in Cybersecurity
If resilience is a myth, then cybersecurity needs a new mantra—one that doesn’t demand impossible endurance from its leaders.
For resilience to be sustainable, it must be supported, not assumed. These leaders illustrate that real resilience isn’t just about grit but about having a foundation of trust, support, and recovery that strengthens the people behind the defenses.
The cyber battlefield may seem virtual, but the toll it takes on human resilience is very real. As the demands on cybersecurity professionals intensify, the industry will need to confront the reality that endless resilience is unsustainable.
(Editor’s Note: A portion of this content used a large language model to distill a single source of original content, such as a transcript, data, or research report. This content was conceived, crafted and fact-checked by a staff editor, and any sourced intellectual property used is clearly credited and disclosed.)
