At least, that's what it seems like. Reports of cyber incidents, including data breaches, come so frequently that consumers, employees and even IT teams just shrug them off.
When notified of a breached domain, only one-third of users changed their passwords, according to a Carnegie Mellon study released in 2020. Of those who did change their passwords, most took several months to do so.
It's one thing for the average consumer to suffer from data breach fatigue. But CISOs can't afford to have data breach fatigue, according to Dave Stapleton, CISO of CyberGRX. That, however, doesn't mean it's easy for CISOs to avoid.
Data breaches impact multiple areas of the organization, so CISOs are hearing about them from others in senior leadership, from HR, from legal. Thousands of alerts per day keep security teams monitoring constantly. And they can't even escape them when they are relaxing, as news about data breaches has gone mainstream.
But even if they do find themselves suffering from data breach fatigue, CISOs can’t fall victim to it.
Luckily most CISOs are resilient, having developed mental filters to help avoid panic after yet another data breach, according to Lenny Zeltser, CISO at Axonius.
Keeping an eye on the right issues
Fatigue stems from the desire to keep up with every bit of information that flows through the network and across social platforms. Many CISOs feel like they have to pay attention to everything, just in case it does become relevant. Learning the difference between what is valuable information and what is noise can help stave off fatigue.
Usable information centers around the "crown jewels" of the company — data, identities, even physical assets.
"We cannot hope to provide adequate security without keenly understanding what our crown jewels are, where they are located and how they are accessed," said Stapleton.
While following the information flow that involves the company's key assets is vital, what is considered noise is more individual to the leadership and the organization. How they filter between noise and crucial information depends on their priorities, the industry and existing knowledge about their systems.
"Given the volume of information and news that has some security relevance, rather than deciding what to ignore, it might be more productive to decide what to pay attention to, treating everything else as low-priority noise," said Zeltser.
Avoiding fatigue in an industry that moves quickly
Businesses task CISOs with ensuring the ever-changing technologies are secure as they are introduced into the environment. Threat actors, however, might operate even faster than technology, or at least it seems that way.
It's hard for CISOs and security teams to be on the offense because just as soon as they catch up on a new threat, the bad guys have shifted to something new. This pace can be exhausting; it can also lead to data breach fatigue.
In some situations, avoiding fatigue requires developing new approaches to how you focus attention. CISOs are dealing with many of the same issues, so it helps to rely on curated recommendations from those leaders and organizations you respect, according to Zeltser. That could be talking to other leaders about concerns they've seen or taking dedicated time out of each day to read trusted news sources.
It also helps to take care of mental and physical health in order to avoid data breach fatigue and job burnout. COVID-19 increased stress levels and shifted work hours, and that is impacting mental health, according to a study released in 2021 by OneLogin.
"For me, personally, I like to exercise four to five times a week, hiking and getting outside into nature, yoga, meditation and sleep, and sometimes there are weekends where I just need to be on the couch and watch mindless TV or movies I've seen four times before," said Vanessa Pegueros, Chief Trust and Security Officer at OneLogin.
When fatigue consumes a CISO, they become convinced the job they're doing isn't valuable and that a loss of confidentiality, integrity or availability is a foregone conclusion, according to Stapleton.
"Sure, there will be losses (and wins), but that in no way means that we stop fighting," Stapleton said.