As organizations continue to grow their digital footprint in the wake of the pandemic, they need to start taking care of the employees who make it possible.
Forty-two percent of chief information security officers — more commonly referred to as CISOs — have missed major holidays like Thanksgiving due to work demands, according to data from software company Tessian. But it’s not just holidays: 44% have missed a doctor’s appointment in the past year due to work, and 40% have missed a family vacation due to professional obligations.
These employees are responsible for developing and implementing information security programs, which include procedures and policies designed to protect company communication, systems and assets from both internal and external threats. Because of their importance to day-to-day operations, these work-life imbalances aren’t necessarily linked to the pandemic, says Josh Yavor, CISO at Tessian.
“The problem has always been there,” Yavor says. “Part of our job is to anticipate and be prepared for unpredictable situations where we have to have timely and immediate responses that are also sustainable. And that’s one of the takeaways from this, it’s that we’re not doing a great job as an industry in achieving that sustainable part.”
A quarter of CISOs have not taken any time off work in the past 12 months, working on average 11 more hours than they’re contracted to each week, while one in 10 works 20 to 24 hours extra a week. Twenty-five percent of security leaders said they spend 9 to 12 hours per month investigating and remediating each threat caused by human error — which includes when employees click the wrong link, install malware or give up a password — and more than one-third of CISOs reported spending excessive time on triaging and investigation, the report found.
The solution, according to Yavor, lies in creating balance between what a company needs and what an employee needs — and not letting the scale tip too much either way.
“First and foremost, it’s about recognizing that we can’t control or predict everything,” Yavor says. “We know that [crises] are going to happen to someone in the security space. And the most important thing for us to do is not pretend that this isn’t. We [should] start with the expectation that we must be prepared for this and focus instead on what are the outcomes and experiences that actually matter.”
Although the safety and cybersecurity of a company is critical and often demands that CISOs and their team work extended …….