Security leaders are working an average of 11 hours extra per week, according to new research from Human Layer Security company Tessian. Nearly one in 10 CISOs work between 20 and 24 hours extra per week and 59 per cent struggle to switch off from work when the working day is over.
As a result of demanding work schedules, 44 per cent of CISOs admitted that they have missed a doctor’s appointment, 42 per cent have missed national holidays like Christmas, 40 per cent have missed a family holiday and one in four haven’t taken any paid time off in the last 12 months. A third (33%) said they have been unable to exercise regularly due to work commitments.
When asked which tasks take up their time, nearly two-fifths of CISOs said they are spending too much time on attending departmental meetings (38%), reporting to the board (37%), and delivering security awareness training for employees (35%).
Just over a third (34%) said they spend too much time investigating and remediating threats, including employee-related security incidents. In fact, a report recently conducted by Forrester, commissioned by Tessian, found that security teams spend up to 600 hours per month investigating and remediating threats caused by human error - the equivalent of nearly four employees’ full-time workloads. A quarter of security leaders said they spend up to 12 hours per month looking into each threat caused by human error, while one in 10 spend over a day.
Tessian’s report reveals that by using security solutions which automatically prevent threats caused by human error, enterprises with 1,000+ employees could save over 26,000 hours in a year by freeing up security teams’ time and resources dedicated to investigation and remediation, policy management and security awareness training.
When CISOs were asked what they would do with extra time back in their diaries, spending time with family and friends, looking for ways to improve business strategy and resting ranked top. CISOs also revealed that they feel they are currently spending too little time on their own career development (38%), hiring talent for their team (36%) and researching new industry updates and trends (36%).
Josh Yavor, CISO for Tessian, says: "There is this unfortunate trend of heroism in the security industry. As security leaders, some of our most exciting stories include pulling all-nighters to defend the organisation or investigate a threat. However, we often fail to acknowledge that the need for heroics usually indicate a failure condition and are not sustainable.
"Like any job function, CISOs have their limits and need to advocate for themselves and time constraints to avoid burnout. As leaders, it’s critical that CISOs are able to lead by example and to set their teams up for sustainable operational work. Heroics are sometimes unavoidable, but we should be accountable for ensuring they are not the norm."
Tessian surveyed 300 CISOs in the US and UK using third-party survey company Censuswide in September 2021. Survey participants included decision-makers in IT, security, and compliance/risk management.