Expert Panel | CISO Burnout Series | Part 2
Topic "CISO Burnout Tips: Addressing Through Organizational Culture and Cyber Maturity"
About CISO Platform
CISO Platform is the world's first online community solely dedicated for information senior security executives (CISO/CIO/CSO/CTO/Directors IT etc). The vision of the platform is to enable the senior security executives to share, learn and network with other peers.
- Session brief
- Watch Panel video (on-demand)
- Executive Summary
Session Brief :
CISO Role increased strain impacts tenure of CISO, lower engagement with other executives, less capacity to drive his/her team. Crucial areas like hiring, customer communication, professional development get hindered and ignored
Our panel speakers are
* Jim Routh - Former Head Security at JP Morgan and Chase; Former CISO (6X), Board member, Advisor, Investor & Faculty member
* Renee Guttman - Former CISO at Coca-Cola; Advisory Board Member
* Jitendra Joshi - Cybersecurity Director at Grant Thornton LLP
* (moderator) Bikash Barai - Co-founder FireCompass; Advisor CISO Platform
Session Keypoints :
- Can organizational culture impact and solve this problem ?
- Why are we expected to be 'always on' .. can organization culture fix it ?
- How can cyber maturity be best set to make a CISO worry free ?
Expert Panel (On-Demand) :
Executive Summary & Pointers From The Discussion :
PART 1.What Are Some Of The Causes ?
- Writing down what causes you stress helps
Culture..,sometimes it’s harder to tell the mind to wait. So writing it down helps
- Be there for your team. Help them get time to take care of their families in Covid (whoever needs)
Many people have felt the stress in covid like caretakers. In security, CISO's are the 1st responders. People in covid were going out on long time leave. This was a big issue. Helping them get time off and leading them is part of a CISO's role. Part of the stress is being there for your team.
Stress is not bad but it can have some negative impacts. So we must learn to tackle it better.
The stress of 24*7 is very high. I can feel the difference in my life now. Stress is not bad but it can have some negative impacts. So we must learn to tackle it better.
I had to teach my team how to do incident response. Being a new CISO, you have to lead and teach. You can influence some culture and some crucial parameters. You can’t lead every incident. You have to teach some habits, culture. Develop a team with the right set of behaviours, then give them the opportunity to make some mistakes. You have to be an educator, it’s not feasible to be the incident responder every time. Not a sustainable model. Be the educator. Bring talent. Right culture.
Key is to understand which incidents are really urgent and need to jump in. For the rest they should get int your later bucket and take a look at it once you’re back at work. You should model behaviour that your team can follow. Otherwise you will burn out
Set your expectations right
It comes back to how we set our expectations with ourselves and the team, stakeholders. What is the realistic expectation ? You can’t be always on or you won’t be effective. What expectations do the team members have ? How to we understand ‘risk management’ and ‘security management’. It comes down to expectation management. You can be more resilient but not try to be a defender every hour, every moment.
There’s never enough data. Don’t overwhelm yourself to try to solve it right away. Be mindful of where you are and be hopeful that you will solve this. Just for with the team
Reference - Stock wheel paradox
PART 2.What Can We Do Better Operationally To Manage Stress Better ?
- Measure stress by asking yourself "Can I Take 4 Vacations In A Year Without Any Disruption ? "
This is a strong question. This forces me to put the deputy in place. Set the parameters and guard rails.
It's really helpful to do the security drills. It sets the expectation with management that breaches can happen. It also drives much better ownership
- Look for a backup first thing. Empower them, give them authority, announce to the management
I look for my backup. I would quickly look for that person and give them the same authority.
I think we also need to have clear priorities and keep teams focused. We also need to enable our teams, help them solve their challenges and be heard.
- As a leader..be real, be vulnerable
Take any online model….One important thing which is missing on the models is the lessons learnt. You need this data on which ones work, which don’t. Incidents give you the best opportunity to learn what really works. Incident is the opportunity, learn from it and harvest it. Build resilience. Every small or big company has incidents every day. So learn from it and use it for the future incidents
I treat 3rd party the same way specially in incident response. I make sure they knew and follow the method. If they didn’t follow, I would have to replace them since it will impact our organisation.
In case we realised the incident response would go beyond 12 hours, we would have a backup team to fill in and let them swap to give them some break. And most incidents take 6-8 weeks in general. Backup teams are a must so your team is not physically and mentally exhausted
[Reference - CERT model]
- Comes down to what data do you have ? Incidents are a goldmine. Are you using your data from previous incidents to prevent future incidents ?
Comes down to what data do you have ? Incidents are a goldmine. Data is your friend. It helps us become resilient. Decide how to arrange it. Good hygiene will allow you to have consistent recovery and restoration.
What we do with the 3rd party is so important. It’s an opportunity to work with them to have a strategy, plan, story around it. Help you have a story ready and helps tackle in real
PART 3.What Can We Do Physchologically ?
- Finding vulnerabilities is like finding flaws. We must take conscious steps to think about positive things in life
We look for incidents at all times, so this a direct contrast to being happy. .We get used to a negative psychology which makes us better at being a CISO but we must also incorporate some positivity in our routine. We need to re-train our own spam filters.
One incident - We were doing a kid’s training program in a school. We saw a CISO very stressed. Then post the training, he was full of smiles and joy. And he said sometimes giving can help you feel fulfilment.
We as a cyber security person have been trying to protect even before NIST was here. It was extremely stressful. I tried to work out how to stop stress. And I learnt it is important to detect stress quickly and respond.
[Analogy] SOC = data + rules. Our mind needs to act like the mind SOC. The ability to detect stress fast and take action, this helps. It doesn’t eliminate stress but it helps in detecting quickly. This is one very powerful tool for me. Stress management -> happiness -> awareness
- Please don't clear you emails on friday and send work over to people before their weekend. Send it on monday or sunday late night
I keep saying don’t use Friday to clean up your mailbox and send stress to everyone. Don’t clean your desk on Friday. Rather send across a few thank you mails. Right now, it seems like many CISOs are giving back to the community which is great.
I used to have the conversations with the board and share it with your peers. Contribute to your network. That’s how you are an asset for the network and keep getting back from the community. Don’t keep taking only.
- In work-from-home, we starting using commute time for work and forgot to take a break. This is not sustainable..stop this as a leader
When we went into Wfh, we really thought the infrastructure wouldn’t hold up. We adding our commute time and invested it in work. It’s not a sustainable model. People fail in this model. We can’t have a business without people. As a leader we learnt we must demonstrate a sustainable work from home routine
I would first ask every time
-(self) to figure out what you must do to be healthy yourself
-(dependents) people around you come second. Their needs must come in daily
-(work) third is your work activities
We’ll give you the flexibility for you. Since this is the flexible model. Healthier practice in the long term
- Gratitude and giving back is so important
Gratitude and giving back is so important. It’s also highlighted much more in last 2 years. You have to attach value to yourself and things that are meaningful for you. Find that happy space everyday. It has a huge projection in your entire day. Then the sharing you do is much deeper because you’re coming from a happier place
It’s a process. It takes time to become self-aware. It adds great value but have patience it takes time to develop.
Back we had a mindset we must have very high control. Now there is shift in risk appetite, controls, assumptions.
Top 5 Take-aways :
- Setting expectation is key
- Hire the Right talent
- Set the right Culture
- Learning from incidents and using it to prevent future incidents
- Gratitude is a must
- Embrace ourselves (accomplishments)
- Power of giving can do wonders