Session Brief:
In this panel, industry experts discuss the growing challenge of CISO burnout. The CISO role is operationally intensive, and it gets harder with the rapidly evolving vulnerability and solution landscape and the industry-specific skills gap.
CISO burnout is a serious issue, and through this discussion we try to find out its impact on organizations and individuals. CISOs are, on average, working 11 more hours than they are contracted to work each week, with 10% working 20 to 24 extra hours a week (references in the blog). CISOs are overstretched: excessive hours per week, missed holidays and so on. The staffing shortage and skills gap make it harder, and the ever-increasing threat and solution landscape makes it harder still to keep up and evolve the infrastructure accordingly.
The increased strain on the CISO role shortens CISO tenure, lowers engagement with other executives and leaves less capacity to drive the team. Crucial areas like hiring, customer communication and professional development get hindered and ignored.
Session Keypoints:
- What causes stress
- Better stress management
- Better psychology: how do we manage our work better to reduce stress?
Executive Summary & Pointers From The Discussion:
PART 1. What Are The Causes Of Stress?
- Stress happens because we have expectations and they don't match reality
Stress is what happens when expectations don't match reality. Being C-level as a CISO means knowing whether you are in the room when the board makes a decision. We believe security is a core function and expect to be prioritised, but in security most decisions are already made ahead of us. So for CISOs there is a lot of re-work on decisions that were already made. It would be better if the input could be given much earlier.
[Reference example from Hierarchy of needs]
- Tools can help
As a CISO, I went from 200 employees to a large company that had newly gone to IPO. You have to adjust to "something unexpected will happen". It takes time to get the brain prepared for this type of environment. For operational management, setting expectations and goals with the team and the board helps. Not done right, these can become more causes of stress.
- Fear of the unknown
As a CISO you have to look at it: people will come in. Fear of the unknown. Groomed in maturity.
- Manage stress through 'expectation management' and 'work management'
Be proactive with expectations and reactive with non-expectations. With more to do and less time, we must prioritize.
Think each time an incident happens: do we need to react, or be proactive about it?
You have limited resources: budget, team, skills. With these resources you have to do your best to protect the business. You have to pass the big picture down to the team, so everyone owns and understands their part in the security strategy rather than just being tactical players. The goal is not to tick the activity checkbox and react, but to know it happened, handle it, and not panic about being fired. The goal is to protect the company and keep the business running. Set up a process to report incidents and run exercises to handle them.
PART 2. How To Manage Stress Better Through Work Management?
- Effective work! Better editing. Remove fluff and focus on the most important thing
For example, third-party risk management: how much time does the team spend reading questionnaires without ever really asking what risk the third party actually adds to the company?
Focus on effective work. What is the minimum thing that gives the maximum safety to the company, given budget and resources? What is the thing that is giving me stress, and am I doing anything about it? Is anything else more important than the things I am currently working on? If so, that has to change. If there is a conflict with the board or the budget, address it and try to change it. [Reference book: Start with Why]
- Set expectations with management. Be aligned with senior management. Be transparent. Take feedback. Re-prioritize if necessary.
Set the right expectations (goals and objectives) with senior management. Sometimes we have a roadmap and things are dynamic; sometimes it is okay if some initiatives on the roadmap aren't done. We are here to support the business and want to help the business succeed, so it is okay sometimes to re-prioritize and get other things done. Senior management is happy if they have the right partner in the CISO. Always be transparent, and constantly report the security status to your board.
- As a leader, be real, be vulnerable
Be vulnerable. Be real. You can't set a bar of 18 hours every day; don't set unrealistic expectations.
There are lots of frameworks out there. For tactical things, use the frameworks. You need to set up your processes so you are covered around the clock; get services if you cannot set up the infrastructure yourself. Embrace the DevSecOps mentality. If your processes are right you can handle it, and you are ready when the breach happens. Being prepared allows you to be calm. Make sure your staff take credit for every success and you take the fall. It breeds loyalty and inspiration.
- Gather expectations from implementers and architects. Take valuable insight down to the team.
Then the expectations you pass on to management are realistic. Involve your team so they understand the big picture; that is how you retain talent and skill. A CISO's work is to protect against breaches. Our job is to help our team and empower them, or we are slowing down the efficiency of labour. Our core job in infrastructure is to help people do their jobs better. If we marry protecting people with helping them do their jobs better, we get less resistance and get more done.
PART 3. Better Psychology. How Do We Manage Our Work Better To Reduce Stress?
Analogy: not feeling pain can be fatal too. Patients who can't feel pain might die from something like excess bleeding, because without pain they wouldn't know the severity. Stress might look like an enemy; let's see if we can look at it positively.
- Separate what you are doing from who YOU are, to keep stress at bay.
You are not your job. There are so many more aspects to yourself. Be grateful.
- Stress can be a friend. Stress is the warning system; it tells us 'action needed'. Take ample rest.
Learn to be grateful. At the end of the day, write down five good things that happened.
- Don't get attached to your role. Live at the gratitude level
Remember you are an individual. You shouldn't tie yourself to the job you have; there is so much more than your job. When you are dealing with problems, recognise which level of the mood elevator you are on. Live at the gratitude level.
[Reference - levels of mood elevator]
- Stress can be unhealthy too. It is best tasted in the right mix.
Like the right amount of Jesus and whiskey: maintain the balance, and make sure you have balance for everything else. With the right culture at work, it is okay if you don't check email for 8 hours. Take team members on breaks together; it is important. Make sure you are not leaving your team behind.
- I take stress as positive because I wanted to deal with it. Going from being a researcher to a CISO was my choice
I can also go back to being a researcher. It is about the right balance.
Empower the team. Making them feel accountable is a big part of it. Take the stress and face it together as a team. Having constant discussions with peer CISOs, sharing thoughts and questions, makes you realise you are not out there alone. All the CISOs in your peer group face similar challenges at work, and you will see similar experiences. Talking about it makes you understand you are not the only one.