CISOs say they’d give up £7.5k ($10k) of salary for a better work-life balance, while 97% of the board says they want CISOs to deliver even more value
Security is a very stressful job. That is no surprise to anyone, but the extent of the stress can be shocking. The CISO (Chief Information Security Officer) report on stress level and pressure for 2019 came out with staggering numbers. The average tenure of a CISO is over two years, precisely 26 months, which probably relates to the average length of time between security breaches. Those two are more than likely related, since more than a quarter (29%) of CISOs believe the C-Suite (CEO, CTO, CISO, CFO, etc.) would fire the responsible party in case of a breach. Who would be the responsible party for a security breach? The CISO.
That is a lot of pressure to have on one’s shoulders, no matter how you look at it. Those numbers are also just for CISOs; the rest of the security chain, from technician to analyst, is most likely not much better off. On top of that, since security is becoming increasingly important in all parts of society, this pressure is just going to go up if we don’t take time to address it. How to fix it is a million-dollar question we need to answer as an industry, but until then, on the individual level, there are things you can do right now to help.
Systematization here means creating a system that allows your business to work without requiring your help and sometimes even your input. Small companies often use it to help scale with virtual assistants or contractors. Being able to do a similar thing for security can be a great help. Then there is no more running around with your hair on fire in a crisis to find out what needs doing and who does what.
Having a clear, agreed-upon framework for a crisis, breach, leak, etc. will make sure everyone can promptly fix issues together. Netflix recently released its framework to help with that task. The idea behind it is to “relieve the incident commander of the stress of managing access to resources and data, and of managing communications. At the same time, all relevant data is recorded, while key tasks – including post-incident reports – are tracked, and owners are reminded if they’re not completed on time.”
That’s pretty much what you would want out of that type of system. Something that can cleanly handle communication and ensure everyone is up to date and doing the correct tasks removes a lot of stress. With that, you can focus on trying to solve the problem or help others who are doing so, instead of juggling communication channels and wrangling cats. Since this also ensures all tasks are completed, it prevents the lingering “did we forget something” anxiety; at least until the post-incident review, you know everything planned for was done.
Systematize or Document Everything
Incident response is also just one part of what can be systematized; you could probably do a lot more with disclosure response, quarantine, etc. Given enough time to set it up, you can document nearly everything, even if it is not fully systematized. Process documentation and testing of such processes are also an important requirement in most security frameworks, so it’s never lost work.
Recovery is one of those things we often forget and say, “I don’t have time for it,” but it truly is essential. That also applies not just to stressful jobs, but to everyone. We all need to decompress and recover after an intense day, whether it was intensely excellent or bad. What exactly counts as recovery will vary on an individual level, but generally it is exercise, reading, walking, hiking, meditation, or a mix of those.
Whatever helps you recover should be scheduled on your calendar. If you’re working 10h+ of overtime, like most CISOs in the report, you might not have time to plan 30 minutes to 1 hour of relaxing every day, but you need to have some. It would be best if you had multiple times to recharge throughout the week. It also helps if you protect that time from being taken over by others or yourself. Time left open won’t end up being recovery time; it’s going to be eaten by other projects or duties.
End of work routine
Another easy thing to help recovery is a clean separation between work time and home time. An “end of work” routine can be of great help here. Take 15-20 minutes each day before leaving work to go over what you still need to do tomorrow and write it down with some next steps. That will help your brain relax instead of continually thinking about things all evening. The ritual can also be as simple as moving to another room if you’re remote or taking a walk after work. The critical part is a clean separation for your brain; work is over now.
If you don’t take time for yourself and recover from everyday stress, your body will make you pay for it. Burnout is a grave thing in nearly every respect: health, body, mind; it affects everything. On top of that, while it happens, you won’t be able to function correctly or help your company, customers, or yourself. That’s why it’s so critical not to reach that point and to take measures beforehand, like recovery. Another thing that can significantly help with burnout is a support system.
You’re not alone in this situation, even if you’re at the top. A support system composed of other people at your level, friends, and family can be of great help with a lot of issues. The report shows such a high percentage across the board that it’s nearly impossible for your situation to be truly unique. Exchanging ideas with others, bouncing things off each other, or just venting is a great way to relieve some stress. A different perspective is also an excellent way to find or fix problems and see things differently overall.
The final thing to remember is, it’s just a job. It’s a tough and stressful job that can be rewarding and fun, but it’s just a job. It’s essential to your company and customers, but it’s still just a job. Burning yourself out and getting sick or missing important events in your life is not how it should be. Some sacrifices can be necessary for a job, but don’t sacrifice health, relationships, and happiness because those are limited, and you can always get another job elsewhere.