From increasing digital transformation initiatives to the rise of remote work, organizations have changed a lot over the past two years — and chief information security officers (CISOs) have been at the forefront of those changes, implementing technologies to secure the modern workforce as organizations migrate their data and applications to the cloud. But the recent shift in where and how we work has been both a blessing and a curse for CISOs.
On one hand, most organizations understand the necessity of having a CISO to steer their security strategy. On the other hand, the same shifts in work that are fueling the rise of the CISO role are also expanding attack surfaces — and bad actors are taking advantage, with 85 percent of organizations being hit by at least one successful cyberattack last year, an all-time high according to the 2022 Cyberthreat Defense Report. CISOs may be experts in handling breaches while remaining calm and collected, but it’s important to remember that just like anybody else, they’re susceptible to stress. Between mitigating a greater number of active breaches and thinking about how a future breach could take place, the CISO role is certainly a stressful one.
“It's constantly on your mind, wondering when the next incident will occur, and you know at any moment you might have to spin up quickly,” said Devin Ertel, CISO at Menlo Security. “You’re always thinking about it. It’s a lot.”
Too much stress without the proper time and space away from the stressor to regenerate can lead even the most seasoned CISOs to get burned out.
“You’re running a sprint, when this is a marathon you’re in,” said Dr. Christina Maslach, pioneer of research on the definition and predictors of burnout, and creator of the Maslach Burnout Inventory, the most widely used instrument for measuring burnout. “You just can’t keep that up. The human mind wasn’t designed to push through chronic stress without recovering.”
When one does try to push through chronic job stressors without properly managing them, it’s easy to slip into a state of exhaustion, the first stage of burnout, according to Dr. Maslach. Next comes cynicism, which is marked by feelings of depersonalization and hatred of one’s job. Employees in this stage of burnout put forth the bare minimum effort, working just hard enough to not get fired. Finally, an employee starts to feel negatively not just about their job, but about themselves. Burnout is far more serious than not liking your job, and can put you at greater risk of heart disease and mental health disorders like depression and anxiety.
To avoid that, it’s important to make sure you’re aligned with your job in six key areas: workload, autonomy, rewards, workplace community, fairness, and meaning — how valuable you feel your work is — according to Dr. Maslach. So how can a CISO address these areas to keep from getting burned out? The following dos and don’ts lay out some practical strategies.
A CISO’s time is important, and attending every meeting you’re invited to is simply unsustainable. As Dr. Maslach pointed out, “We have a tendency to add meetings, but not to subtract the unnecessary ones.” It’s important to identify the meetings whose time would be better spent doing work elsewhere. At a certain point, spending too much time in meetings is a detriment not only to your productivity, but also to your mental health. Don’t spend your day in meetings and save your work for the night.
Instead, Ertel suggests taking your workload and autonomy into your own hands by watching your calendar “like a hawk.” He blocks off time on his calendar when he needs to get work done to ensure that his team knows he’s busy. Over the holidays and during downtime, Ertel unplugs completely, because as he puts it, “You never know when the next breach is going to come along and you’ll have to work nonstop.” It’s important to create boundaries around your time and then respect them.
Protecting your calendar is only half of the solution when it comes to spending your time in a way that best supports your mental health. Don’t neglect activities that recharge you and help you disconnect from work.
The rise of remote work has made doing those activities more difficult by blurring the line between home and work — it’s more important now than ever to take deliberate steps toward self-care. Ertel takes those steps by blocking off an hour a day to work out, and making sure to stay off work email during that time. Aside from that, Ertel likes to carve out time for meditation and general self-care. The point isn’t to do any specific activity, but to make an effort to unplug, de-stress, and create space.
An effective CISO can push through stress when necessary, but pushing through works for only so long. It’s the little stressors — “the pebbles in your shoe” that are always there, explained Dr. Maslach — that accumulate without you noticing until they’re overwhelming. Letting those stressors fester until it’s too late is an easy way to burn yourself out.
That’s why it’s key to make a point of checking in with yourself. It doesn’t need to be on a strict schedule or take any specific form, said Dr. Jessi Gold, a psychiatrist at Washington University in St. Louis, but regularly setting aside some time to deliberately ask yourself how you’re feeling, both physically and mentally, goes a long way to mitigating the chronic stressors of the CISO role. It’s not enough to assume that you’re naturally aware of your mental state.
In the same way that small stressors build up over time until you slip into exhaustion, it only takes small steps to build resilience and strengthen your mental health. One of those small steps is forming a friendship with a colleague with whom you feel comfortable, so you can talk honestly about your feelings about work. When it comes to those feelings, you shouldn’t tackle them alone.
We often put on a front at work, Dr. Gold explained, and we act like everything’s fine until it’s not. An honest conversation with a work friend about the negative side of your role — without venturing into disparaging your company or coworkers — grounds you in reality in a way that sitting on those thoughts can’t. “You don’t have to go into your whole life story,” Dr. Gold said. “It’s as simple as saying, ‘Hey, I’m tired. How are you?’”
Don’t be unclear about who can help you get what you need in order to do your job. Uncertainty is stressful and can infringe on your sense of autonomy over your work. If you don’t know who to go to when you need resources, you won’t be able to gather all the tools you need so you can take ownership over security strategy.
Ertel treats the org chart as a line of communication, and stresses the importance of cultivating executive support. Having a good relationship with the executives you report to and with the team members who report to you is paramount in simplifying workflows and moving projects forward. Clean escalations, meaning escalating an issue up the reporting structure only after you have run out of options, are key to keeping executives on your side without creating extra work for them. Having solid lines of communication both above and below you goes a long way toward lessening the head-spinning effect — Ertel calls it “bungee jumping” — of translating the down-in-the-weeds technical details gathered from your SOC team into something your CEO can act on.
Don’t rely on your experience alone to get you through a breach. That won’t cut it — you need a solid game plan in place to deal with the inevitable attack. But that doesn’t mean you should overprepare to the point of obsession.
“A lot of people at the top of their game like to imagine that nothing will ever go wrong,” Dr. Gold explained. “You have to be okay with the inevitability of failure.” The best way to counter the perfectionist mindset is to acknowledge the fact that failures will happen, and think about how you’ll cope when one inevitably occurs. This applies not only to strategies for responding to cyberthreats, but also to handling your own mental health. You need a plan to decompress after a stressful situation and regain your bearings.
Don’t look at a breach as the end of the world; dealing with a breach is part of the job description. A CISO shouldn’t let a good incident go to waste.
Ertel recalled an especially stressful incident early in his career when a member of the SOC team exclaimed, “This is our Super Bowl, this is what we live for!” That simple comment changed the whole tone of the room — from stress and fear to confidence and even eagerness. Ertel realized his colleague was right, and since then, Ertel has tried to approach incidents as learning opportunities.
Though these strategies are simple, it’s important to remember that they’re not one size fits all — managing mental health looks different for everybody. As long as you pick your battles and take small, purposeful steps, you can make sure your job doesn’t dictate your mental health.