COMMENTARY: A recent study by ISC2 reveals that 73% of Chief Information Security Officers (CISOs) in the U.S. reported experiencing burnout over the past year. According to this Voice of the CISO report, 61% of CISOs said they face excessive expectations from their employers. Additionally, owing to the cybersecurity skills gap, many CISOs must continue to defend their companies with incredibly stretched resources and a mounting list of tasks that fall at their feet.
A lack of resources and skills was highlighted in a recent Xalient research report, "Why SASE is the Blueprint for Future-proofing Your Network in 2025 and Beyond," which polled 700 organizations that had already implemented a SASE solution. We found that 82% of research respondents said finding, recruiting, and retaining the specialist security skills they need to protect their organization from new and growing threats that impact the network is a major challenge. This is all contributing to additional pressure being placed on already strained security teams and CISOs.
MSSPs offering SASE solutions and services can point to these challenges -- as well as challenges with regulatory compliance, liability fears and burnout -- to help sell their services and grow their businesses while helping CISOs defend against cyberthreats.
The Pressure of Personal Liability
To add to this, growing regulation and legislation mean cybersecurity leaders are becoming more concerned about personal liability, particularly since the criminal case against Uber Technologies’ former security chief. Uber Technologies was involved in several criminal cases, including a data breach and a former Chief Security Officer's conviction for obstructing a Federal Trade Commission (FTC) investigation.
Hacks on companies’ IT systems often come with business disruptions, reputational damage, regulatory investigations and lawsuits. CISOs must manage cybersecurity risks and, at the same time, educate C-suite colleagues and the board about the ramifications. All these pressures put CISOs at risk of quitting their jobs. In fact, 50% of current CISOs are expected to change jobs by 2025, according to a Gartner study.
Burnout Due to Relentless Change
Several other factors are pushing many CISOs to consider leaving. First, the complexity of IT environments and architectures means there’s a larger number of threats that CISOs need to address, each requiring its own specific strategies, objectives, plans, and projects to manage. The new ‘work from anywhere’ paradigm also adds to this complexity and has expanded the threat surface, as CISOs must ensure that remote employees can access their systems the same way they would if they were in the office.
Second, criminals’ methods of attacking organizations are becoming increasingly sophisticated, and the advent of cloud and multi-cloud environments has created a challenging landscape for CISOs to protect. As the adage goes, threat actors only need to succeed once, while CISOs have to protect data 100% of the time. Advances in AI and generative AI, in the hands of cybercriminals, make the threat landscape even more challenging. According to Deloitte’s eighth NASCIO Cybersecurity Study, the expanding attack surface and emerging cyber threats bring substantial risks to organizations’ data security.
Xalient’s research found a staggering 99% of organizations experienced a security attack in the last 12 months, with 44% of respondents saying a recent breach had originated via a remote or hybrid worker. Organizations are under constant attack, and CISOs cannot let their guard down if they are to protect their corporate assets. The job is never truly finished.
Speaking the Right Language
CISOs need to translate technical information on security and threats into business conversations or impact statements that CEOs or CFOs might better understand. However, CEOs are demanding more updates from senior security leaders, and the expectation to demonstrate ROI on security spending still appears to be hit or miss. That said, cybersecurity leaders who can calculate and communicate ROI on key cybersecurity projects, initiatives, and operations are better able to navigate budgeting decisions.
As outlined above, the skills shortage is also exerting pressure on CISOs. Sometimes, teams have to manage on very tight budgets with few resources, and that’s especially true in relation to security specialists across every layer and into senior levels. In parallel, CISOs are under pressure to adapt to new regulations, such as those from the U.S. Securities and Exchange Commission (SEC), the EU NIS2, and DORA, which all have cybersecurity disclosure requirements as authorities seek to elevate cybersecurity performance, gain an accurate picture of risk and tip the scale in the defenders’ favor. Meeting these new regulations and being compliant will involve more auditing and reporting, which will require more skills and more resources.
How SASE Solutions Reduce Pressure on CISOs
With these regulatory obligations and government oversight of cybersecurity on the rise, CISOs need vendors, MSSPs and partners they can trust and who can provide solutions to all these challenges. This is one of the reasons we are seeing a marked uptake in the adoption of SASE. In fact, according to its 2024 CIO and Technology Executive Survey, Gartner expects that 60% of enterprises will have clear-cut strategies to adopt SASE by 2025. Why is this the case?
SASE creates a single network for all an organization’s data centers, offices, and remote workers. It simplifies access rights by utilizing unique user identities and policy definitions. A secure network infrastructure typically requires multiple solutions and can become unmanageable due to significant administrative overhead, resulting in poor performance. SASE provides robust security features in a simple package that doesn’t impact the network's speed. It is a natural progression of security for a workforce that’s ever more geographically distributed, where traditional network infrastructures struggle to manage increasing numbers of remote workers. From the security team’s perspective, key drivers for adoption include secure remote access, fear of breach -- including the regulatory, reputational and financial impacts -- and the rising costs of traditional network infrastructure.
While SASE certainly isn’t the silver bullet to alleviate all the pressures CISOs are under right now, it can help to overcome some of the stresses around skills, lack of resources, costs and performance while providing a more secure environment. Perhaps this is one of the reasons that Gartner is predicting such impressive market adoption in 2025 and beyond.
In conclusion, SASE brings CISOs innovation and resilience. It’s cutting-edge technology that protects data and safeguards the well-being of those on the front lines of cyber defense while enabling organizations to improve network performance and reap the benefits of the cloud. As the digital battlefield intensifies, SASE offers a path to both enhanced security and reduced burnout for CISOs.
MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff.