DORA could lead to CISO burnout, says Rubrik

A Rubrik Zero Labs-commissioned survey reveals that 79 percent of CISOs believe the combination of compliance with the European Union’s DORA, ransomware, third-party compromise, and software supply chains has had an impact on their mental health.

The DORA (Digital Operational Resilience Act) regulation takes effect from January 17. It’s intended to improve financial institutions’ cyber resilience so they can operate during cyberattacks and other disruptive IT incidents. DORA specifies standards they need to follow for managing cybersecurity risks, incident reporting, and digital resilience. 

James Hughes, Rubrik

James Hughes, Rubrik VP for Sales Engineering and Enterprise CTO, said: “Given the increasing threat of ransomware and third-party compromise, the implementation of regulations is required and expensive. Understanding what data is the most critical, where that data lives, and who has access to it is essential to identifying, assessing, and mitigating IT risks. If good hygiene practices like these are not followed, organizations can now receive fines from the Financial Conduct Authority” (in the UK, for example).

There are 60 articles in the DORA regulations. Article 12 requires secure, physically and logically separated backup storage.

Rubrik provides backup as part of its cyber-resilience suite. Hughes said it has a DORA checklist available for customers. Other suppliers with DORA checklists include Scytale, eSentire, and UpGuard.

The key DORA regulators include:

  • European Banking Authority (EBA): Oversees banks, credit institutions, and payment providers.
  • European Securities and Markets Authority (ESMA): Regulates investment firms, trading venues, and market participants.
  • European Insurance and Occupational Pensions Authority (EIOPA): Supervises insurance and pension companies.
  • European Central Bank (ECB): Also has a supervisory role for financial entities under its jurisdiction, such as significant banks in the Eurozone.

Each EU member state appoints its own National Competent Authority to enforce DORA at a local level.

DORA regulation concerning backup.

DORA differs from previous regulations of this kind because penalties for infringement apply to an organization’s senior personnel and not just the organization itself. This ups the stakes for CISOs concerned with DORA compliance.

A Gartner study found that 62 percent of security and IT leaders responsible for cybersecurity have experienced burnout at least once, with 44 percent reporting multiple instances. 

Rubrik set up a CISO Advisory Board a few years ago and says it aims to support CISOs in coping with these challenges of safeguarding organizational data, and so contribute to their well-being and effectiveness. It also suggests that initiatives such as its “Data Security Decoded” podcast series provide platforms for CISOs to share experiences and strategies for managing the complexities of their roles.

Rubrik is implying that if a CISO uses Rubrik cybersecurity as part of their DORA compliance, their well-being may improve.