The problem of CISO burnout is real, and the industry is losing experienced staff who have simply reached their limit of fatigue, stress, and political bunfights. CISOs feel their job puts overwhelming demands on them, and an alarming 50% believe that their employer does not set them up to succeed. It was within this strained environment that I was able to plan a lunch date with a CISO friend I will refer to as ‘M’.
Under the shadow of Ukraine and enlightened by M’s military background, we explored the close association between cyber security and military thought, given that each deals with the control of risk, the achievement of objectives, and the management of resources in a hostile environment.
The Positioning of Leadership
The role of leadership is, quite obviously, to lead. However, there are many ways to do that, some less stressful than others.
The conflict in Ukraine has been marked by the loss of multiple Russian generals who placed themselves into active combat zones with the goal of improving situational awareness, directing actions, and raising morale. They failed in each goal.
One might ask why they needed to place themselves in the line of fire. The answer reveals a deeper issue. The culture of Russian forces is to wait for detailed orders. This is notably different from many other military forces who are given both objectives and a license to adapt and adjust based on exigent circumstances. The absence of this localised empowerment and trust demanded that Russian leadership be more tightly bound to the front-line resource.
Examining the issue from a cybersecurity perspective, we should ask whether it is possible that CISOs are similarly placing themselves in a perilous position. One challenge that CISOs face is that stress and overwhelm might drain their capacity for strategic thought and action. Often this can be attributed to their involvement in the operational aspects of the role, getting involved in incident response, tracking issues, and dealing with the minutiae of many security decisions.
Could CISOs improve their quality of life if they distanced themselves from Russian-style involvement in cyber front lines, and allowed their Ops staff the freedom to operate independently, within certain boundaries? To do this, we would have to manage both up and down. ‘Up’ to ease the pressure of the CIO/COO/CEO constantly wanting updates on the issue of the day, perhaps by creating a schedule with which your staff can align. And ‘Down’ to establish parameters of independent action and escalation, support the relationships your Ops staff need to ‘get stuff done’ across an enterprise, and empower them to act with authority.
That is not an easy list of objectives, but their absence will mean the CISO is continually drawn into localised firefights, heightening stress, and undermining their C-level status by supporting the perception of CISO as a ‘do-er’ rather than a leader.
The Protection and Allocation of Resource
M and I discussed the benefits of ‘distancing’ and, again, he shared his military wisdom, specifically his view of the importance of resource management. In military terms, M stated, it is always important to keep a reserve force to allow flexibility. The reserve can prevent enemy breakthroughs, plug holes in the line or consolidate successes. But its absence places the commander in a difficult position.
If something happens contrary to plan or expectation (which, as we all know, is pretty much everything), then the leader must reallocate already assigned resources. This can have multiple negative effects—breaking focus, requiring time to realign, weakening existing initiatives, and placing stress on the reassigned resources as they are moved away from their specialties to cover an immediate need.
Again, the parallels with cybersecurity are immediately apparent. How many of us utilise all our resources, both personal and organisational, on a day-to-day basis, holding nothing back to accommodate change, deal with unexpected incidents, or think strategically? It was certainly something that I was personally familiar with. All my energy and time went into the immediate demands of the role, leaving weekends as my only island of tranquillity. I did not recognise the importance of the ‘reserve’ either for my team, or myself.
Planning Your Advance
My meeting with M gave me much to think about, and these are messages that, however apparent, are worth reiterating.
If we seek to enjoy long careers as security leaders, we need to manage the stresses of the role. Take self-care seriously by:
- Empowering your staff to act independently. Give them the tools, relationships, and trust they need to act in the best interests of the organisation, and then allow them the space to learn by taking responsibility for their own insights and actions. There may be wrinkles, but you are building a much more capable team and identifying future leaders.
- Identifying and tracking your additional capacity as a metric, and not allowing it to be constantly allocated to operational tasks. Use any time saved for personal development initiatives, business awareness and experience tasks, and relationship building, which will reinforce your team’s capability for future challenges.
- Finally, looking after your own physical and mental well-being. Long hours, stressful Board presentations and keeping an enterprise safe will take a toll on you. Plan time for exercise. Take time away from the office. M has a new personal trainer and he even crammed in lunch with me. If he can do it, so can you!