It doesn’t take a lot of imagination to arrive at the conclusion that being in charge of security for almost any organization is a stressful job. Every day there are more and more headlines about data breaches, the loss of intellectual property, targeted attacks and the list goes on.

While those headlines certainly highlight an outcome every security organization works to avoid, they only represent the surface of the challenges many security organizations face every day. One thing is for sure, being a Chief Information Security Officer (CISO) or security leader is not an easy job. Here are nine reasons why your security leader might just need a hug (or maybe just a thank you to make things a little less awkward).

1. People don’t understand us

Security is difficult, and security people are unique. They have a different way of looking at things. We try to get away from ‘techno garble,’ which isn’t important to the business. The business needs it in black and white, no theoretical things. -Chief Technology Officer, Insurance, 2013 CISO Assessment

For as technically gifted and curious as many in the security industry are, soft skills, like the ability to communicate, have never shared that same emphasis. Now that the business is more and more aware of and interested in security challenges, it needs someone who can plainly explain risks, and the industry is trying to play catch-up on that skill. That's why the security conference scene now also has things like sessions dedicated to communications.

2. Skills and workforce are always changing

Surely in this rapidly expanding industry we have plenty of people with the right skills to match the opportunity of the market, right? Right? No, wrong.

Not only is there a shortage of the specialized skills required to combat today's threats and effectively staff a security team, the entire industry was deemed not ready for professionalization: the space is changing so rapidly that the skills, requirements and backgrounds of the people you may want on your team are unpredictable in the context of standardization and professionalization. So, good luck building your team.

3. It’s hard to prove ROI

It’s very rare that I’ll walk into an organization and say, wow, those are some compelling measurements. -Kris Lovejoy

Malware infection rates. The speed at which patches are deployed and how many endpoints they can reach. These are security statistics that the security team might be very familiar with. However, security organizations have the difficult task of turning those statistics into something business people understand.

In our own CISO Assessment, we found that 2/3 of security leaders don’t translate metrics into financial impact because, “they either lack resources or the business requirement to do so, or it’s just too complex to calculate.”

It is also very difficult to estimate the overall costs associated with security breaches, but people seem to have settled on the fact that it’s probably a big number.

4. Stakeholders are all over the place

Managing a large and complex organization tasked with a difficult mission is hard enough, but the security team needs the additional skill of being able to influence organizations outside of their direct management, and they need to do it a lot. Since building one really big cyber wall around your infrastructure is not possible, it has become increasingly important to embed security into business and IT processes.

Doing so means you have to find a way to compel non-security people to follow security best practices. Not the easiest task in the world.

5. People don’t want to change

Virtually no one has read the original research that shows why culture — when clearly defined — is so important, how it is formed, and how it changes. -Forbes

Culture change can often be one of the most challenging elements for any business leader to drive within their own team or function. The security team is challenged not only with building a distinct culture within their own organization, including addressing challenges like building practices around communications and business metrics, but with driving a more risk-aware culture across an entire company. This is not only a daunting task, but a critically important one, given that attackers frequently use spear phishing in the opening activities of their attacks.

6. People (lots of them!) are actively trying to sabotage you

Every organization faces competition, but working in security takes that to another level completely. Yes, perhaps in marketing one of your competitors is advertising on one of your favorite hashtags (thanks for that by the way), but it doesn't compare to having to sit down every day and face off against everyone from opportunists, social activists, organized criminals, state-sponsored attackers and even terrorists.

Of course, this doesn't even cover the people within your own organization, whether they be insider threats or employees who still love to click no matter how many times you tell them not to. While the latter group might not be actively trying to sabotage you, sometimes it really feels like it, especially when 93% of employees will just admit to violating policies meant to prevent breaches.

7. Everyone hates us

That pesky security team keeps telling us about security!

It's no surprise that the biggest inhibitors to cloud and mobile technology continue to be risks associated with data loss and information security, but that's really only the start of it. Employees don't like mandatory training, they don't like being told they can't do things they want to do, and it's not like anyone ever has a sense of patience about these topics either. Security is a big hassle to everyone who doesn't do security for a living.

And of course the irony is that these are the good times. When something goes wrong, all those people who willfully admit to doing the wrong thing from a security perspective, well, you know who they're going to blame.

8. You can never win

What have you done for me lately?

Sure, almost every organization has some element of this mentality as teams focus on the next thing, the next product, the next quarter. But is there any other profession where the possibility for day-to-day change in perceived job performance is potentially more acute?

Of course, this situation assumes you have had the good fortune of detecting the person or organization infiltrating your systems, which, according to research, is not necessarily a given at all!

9. Nothing can ever go wrong

This isn't even as self-explanatory as it seems, because the problem isn't just security incidents. Try blocking revenue traffic and see what that response is like.

Everything is Terrible… But We Love It

At the end of the day, many of the reasons why working in security is so challenging are also why it's so rewarding and why the community is so close. There is no expectation that any battle will ever be done. There will always be a thin line that must be held between us and them. The skills and workforce are changing all the time, but the people are passionate, and when they come together it's "what every family reunion should be like."

So while it might be nice to give your CISO, or anyone on your security team a hug (please comply with all workforce policy regarding hugs), there’s also a pretty good chance that they love what they do and wouldn’t have it any other way.

Except maybe they'd like some more budget. And a week more vacation. And if skills are so hard to find, about that raise…

Download the full IBM Report: Cybersecurity perspectives from the boardroom and C-suite
