Take a high-pressure job, add in high-performance expectations, season with continual threats from hackers looking to steal your company’s electronic assets, and you have a sure-fire recipe for burnout.
The list of things that keep chief information security officers awake at night—and some of them still in the office with their sleeves rolled up—are legion. That leads to pressured lives and high turnover rates due to job burnout.
“If you’re the person who’s responsible for worrying on behalf of the company, what do you expect? That’s nothing but a stressful job,” says Andrew Ellis, chief security officer at Akamai Technologies. “One way to do it is to remake the CISO and security team into business partners.”
Stress levels become more manageable in companies where the CISO becomes part of the management team, he notes, and gets enough power to effect change. “You get it by showing up and saying ‘I am here to enable business.’ That is the job of security—we are a business-enabling function.”
Consider the purpose of a vehicle’s brake pedal, he says: Do you think the pedal exists to slow and stop the car? “Nope. That’s what it does. Its purpose is to let you drive faster.”
“If you think my job is to make sure you stop, and that every time you go to engage I’m going to stop you, you’re going to return that car pretty quickly,” he says. “But if the first thing you say [to department heads] is, ‘Let me help you go faster,’ to find ways that help them reduce risk, they’re going to say, ‘Wow, you got out in front on this and helped me reduce risk.’ Then they come to you.”
Ask business lines what are the unacceptable losses that security can help mitigate, and whether specific actions will make their lives easier or harder. You need to get the security conversation started.
“Then listen to what they say, and if they say harder, you say ‘I’m not going to suggest you do that.’ And if they say that would make their life easier, you say, ‘Great, let me help you do it.’ ”
Working proactively lets CISOs earn political capital and be seen as problem solvers. “And at the same time you’ve made them actively think about risk, which means that they’re going to try to be safer,” Ellis says. “You get this positive feedback—and that makes all the stress worthwhile.
“But if you think your job is to be the conscience of the company or to keep people from taking risks or anything other than make the company successful, then you’re not going to be aligned with the business, that’s going to lead to stress, and that’s going to lead to burnout,” he says
Another strategy to deal with the pressure is to prioritize what’s going on, says Martin Fisher, manager of IT Security at Northside Hospital in Atlanta.
“You have to be willing to let some things go and to push some things out,” Fisher says. “Not everything can be a No. 1 priority.”
The other thing Fisher says he tries to do personally and in the group he manages at the hospital, which has a family-friendly culture, is to enforce appropriate boundaries, with the understanding that there will be occasions when security staff will work very long hours. “Having people work 60 to 70 hours a week might work for a week or two, but that lifestyle’s not sustainable,” he notes.
A lot is influenced by personal behavior, he adds. “If the boss is there 80 hours a week, the team is going to want to be there 80 hours a week. If the boss demonstrates that he’s going, you are affirming that it’s OK to honor that boundary. I think it’s really important for CISOs and other security leaders to publicly demonstrate by their own behavior—and not just by telling other people to go home—that they’re going to honor the boundaries for themselves. That’s hugely empowering.”
Theresa Payton, president and CEO of Fortalice Solutions, a security, fraud and risk consulting company, recommends CISOs make sure they’re doing something outside of work for themselves—exercise, church, mentoring, spending time with family, whatever it is.
“Make sure that besides work, you’re doing the things you love and that bring you happiness. Whatever that is for you, hold yourself accountable to it,” she says.
Because people in the security space think in terms of ones, zeros and measurements, she suggests adopting some kind of measurement system.
“I hold myself accountable by color-coding my calendar. I actually divided my life up into what I call my ‘five Fs’—for me, that’s faith, family, friends, fellowship and then what am I fighting for at work every day, because I’m at work longer than I’m anywhere else.”
“For me, I’m fighting to protect and defend companies, our nation, our allies and individuals from cybercrime and cyberterrorism. I color-code my calendar based on those five Fs. And I can tell you, sometimes the fighting for the things that I’m doing at work is my whole calendar for the whole quarter. And I look at it and I go, ‘OK, I’m going to have burnout if I don’t have more time for family, or for faith or for friends—the one hour for church on the weekend is not cutting it.”
Payton, who worked in banking for 16 years and also served as CIO at the White House, recommends CISOs guard against over-scheduling their calendars. Delegate listening to product pitches to your team, and then have them report back on what looks most promising.
Do what she calls walkabouts in different departments, spending time talking with staff. Ask them what security protocols make it hard for them to do their jobs, she suggests. “Don’t judge them, don’t try to fix it, don’t tell them right or wrong, just do these walkabouts and listen. I think a lot of CISOs would get a lot of energy and value out of hearing the answers. It’s going to be the good, the bad and the ugly, so be prepared for that. But there’s a lot of value in hearing what’s working well and what’s not working well,” Payton says.
“Staying current, knowing how you’re helping people gives you that reward—and that reward gives you that intrinsic energy that you need to push forward,” she adds.
Incorporate some of these tips for life at work and life outside work to make stress manageable and avoid being a burnout statistic.