This is why preparedness must go hand in hand with resilience. While resilience is often discussed in cybersecurity, the focus tends to be on governance, technology, systems and processes. Less attention is paid to the resilience of the people doing the job.
There is also a growing question over whether it is even possible to train for every type of incident, given how quickly threats evolve. Cognitive readiness is not about preparing for a specific scenario, but about being ready for any scenario. It is a broader set of capabilities that ensures teams have the skills to respond effectively, regardless of what they face.
Why are so many cybersecurity roles unfilled because of the pressure candidates expect when entering the field?
I do not have statistics to support this, so it is based on anecdotal evidence from conversations I have had.
Recently, I have spoken to a couple of people who are now considering leaving the role because of the level of pressure. There is a significant amount of responsibility placed on them, which in itself is not a problem if they have the authority and resources to act. However, with budgets being reduced and constraints increasing, the role can start to feel unmanageable.
As a result, there are people choosing to leave the industry. It also raises the question of whether others will be willing to take on a role that carries such pressure and responsibility without sufficient support. While I cannot point to firm data, it is understandable to ask why someone would choose to take on that kind of job under those conditions.
What’s the best way for companies to actually support their CISOs?
From my perspective, it is about giving CISOs and their teams the support they need to understand what is happening to them during an incident.
That is important because it has a direct impact on confidence. I spoke to someone a couple of years ago who was Head of Global Response at a large organisation. During a very public event, something significant happened, and she said that she simply went blank. She had years of experience and knew what to do, but in that moment, she could not act. That response was entirely down to the way the brain reacts under pressure.
When I explained what had happened to her cognitively – and that it is something that can happen to anyone – she said it made her feel much better, because she felt capable again. That understanding is key. If people are aware of how pressure affects their thinking, and can recognise their own pressure signals, they are better able to identify when they are reaching their limits.
That awareness helps people cope more effectively in the moment. It is part of being prepared, but it also goes beyond that. If individuals can cope better during an incident, they are also more likely to recover more quickly afterwards. In that sense, it is as much about resilience as it is about preparedness.
What happens if there’ s a cyberattack outside of normal office hours?
I was speaking to someone only yesterday who had received a call at 10pm the night before. There was an issue coming in from the team on duty, and the CISO had to get out of bed to deal with it. He explained that there is only so much you can do while waiting for more information, but once you are awake, you are not going back to sleep. He was up until two or three in the morning and then expected to go to work the next day. Living like that creates a huge amount of pressure, not just for the individual but for their family as well.
I have also spoken to people who have had to relocate temporarily during incidents, staying in hotels near the office for weeks at a time while everything unfolds. That brings its own pressure, knowing that their family is at home wondering what is happening. In one case, there was a specialist with a particular technical skill who was the only person able to handle a critical task. To enable him to work from home, the CISO ended up looking after his children so he could focus on resolving the issue.
It also means that switching off becomes difficult. People cannot always take holidays without the risk of being called back, and the opportunity to step away and recover is often limited, especially in smaller organisations with fewer resources.
If you compare this to high-performing athletes, they train for peak moments and then have time to recover afterwards. Similarly, military personnel return from operations and are given time to decompress. In cybersecurity, that space does not always exist. It is not just the intensity of a single incident, but the sheer volume and the length of time it takes to recover. In some cases, it can take months to return to normal, and the effects of a major breach can be felt for up to a year afterwards, without the opportunity for proper downtime.
Organisations can put incident response plans in place and rehearse them regularly.
WWW.INTELLIGENTCISO.COM 27