It was approximately one year ago that I made my decision to transition from a massive Fortune 100 organization to a security technology startup. There were many reasons for this conclusion. After mulling over such a change in my career path for nearly two years, it was also not a decision that I made lightly.
Since my transition and following the publication of now well-known articles from a few authors on the topic, I’ve been regularly asked to comment on the legitimacy of “CISO burnout”, it’s causes, and potential opportunities to improve the situation overall. In the hope that continuing this conversation benefits the larger community in regards to a problem that exponentially worsens every year, I wanted to take a moment to share some of my perspectives on this topic.
Is CISO Burnout Real?
The short answer is yes.
Effective cybersecurity leaders and their teams have been protecting organizations against some of the greatest risks facing enterprise brands and operational viability for the last decade. The unfortunate fact is that up to this point, most have been doing so with very limited support. Many organizations that have yet to experience a public breach (often due to effective cyber teams and programs) or that are being guided by leaders that have also yet to be impacted by such an event continue to view security as a necessary evil that requires little understanding or involvement beyond the actual security team.
Note that I make no mention of dollars being spent or not being spent on cyber programs but rather on an enterprise’s willingness to consider managing security and data privacy risks as the new normal for all business and technology functions if wishing to remain an active and viable business and competitor in a market.
The Accountability Problem Often Begins With Annual Planning
Large enterprises typically rely on annual planning exercises to determine company and department/function (e.g. HR) goals for the year, with leadership and employee bonuses often being directly tied to achieving these goals on time, on budget, etc. Failure to achieve such goals could mean lower personal compensation for a leader and potentially even members of their team. Such goals rarely include annual objectives to reduce cybersecurity risks or exposures in the area(s) for which they are accountable.
Unfortunately, this also means that regardless of the business exposures raised, recommendations issued, or direct offers to assist with the remediation of cyber risks associated with business initiatives, processes, or otherwise, security risk mitigation efforts are often the first to be sacrificed if annual goals are at risk of not being achieved.
Even if a breach should happen to be encountered and the impact of the event can be directly tied to risk assessments and remediation guidance shared with stakeholders, the cybersecurity team feels the pain of the event. This includes the responsibility to respond 24/7 to an event that could have been avoided, updating executive leadership and the board throughout the event, and finally, speaking to why the security team’s program failed to prevent the company impact.
Security Leaders Have Had To Become “Political Masters” To Succeed
Many of today’s security leaders began as earlier security practitioners; those that truly understood the technology itself, how it could be exploited for both good and bad, benefit or destruction, and what could be done to minimize the risks of the bad things coming to life. As such practitioners applied their craft within private enterprises, they learned to better apply what they knew about technology and risks to an enterprise’s business model, operations, and strategy. They developed business acumen and grew their passion against protecting the enterprise’s mission.
Once realizing that few other business or technology leaders among them shared their passion or desire to safeguard operations, brand, etc., the most successful leaders shifted their time to establish and maintain influential relationships across all enterprise areas that own risk or could influence risk owners.
Security leaders must establish long-term relationships with such leaders by understanding the breadth and depth of challenges and opportunities that they are facing, assisting them with such efforts wherever possible or logical, and based on the political equity earned, politically and strategically request their assistance with influencing.
Yes, all leaders must generally follow this playbook to be successful. This is also true whether leading a business or technology function. However, the key difference is that security leaders must use this playbook for nearly every big or small supporting effort that needs to be performed by another function.
Simply looking to business or technology functions to support the efforts without any outside influence is rarely successful for many of the reasons that have already been mentioned.
It’s also worth noting that with most CISOs rising from the technologist ranks, it may not be particularly fulfilling to spend the vast majority of their time focused on helping and convincing others to help convince others that an action to reduce enterprise risk; something that any ambassador for the organization, not simply security, should be concerned about.
Complexity & Risk Rises With Every Passing Day
The most significant of an enterprise’s technical exposures are typically longstanding (known about, yet unaddressed for years) and have been de-prioritized by IT functions for years. This isn’t due to malice, but rather the continued need to maintain an ever-growing landscape of technologies and meet an endless list of business integration and feature requirements.
For the last two decades, large enterprises have been growing through acquisition and have stitched together multiple generations of technologies in support of early value realization and future optimization. These future optimizations are rarely realized and high risk integrations and exceptions are in place for years. An ever-growing stream of new capabilities are being implemented and often integrated with decades old and potentially long isolated environments. The result? Business risk continues, the need to invest in additional security technologies grows further, and the complexity and stress associated with fending off thousands of attacks a day increases in kind.
Thousands Of Battles Are Won Everyday With Great Effort (Does Anyone Notice Or Care?)
Many security leaders and practitioners spend day and night thinking about and actively responding to cyberattacks that could bring down the business or the brand if any misstep is taken or they fail to deliver excellence in that moment. The number of enterprise attacks have been growing exponentially year over year. As a result, most experienced CISOs have been actively involved in dozens of attacks that if not identified and responded to effectively, would have been newsworthy events with massive enterprise impacts in terms of cost and loss.
Personal time with the family, including important milestones (e.g. weddings, graduations, etc.) have often been sacrificed more times than a CISO can count. This can have an impact on mental health, relationships, and the like particularly when the CISO or their team are rarely acknowledged in any fashion for the sustained above and beyond efforts that have come to be expected.
Though There’s More… Let’s Talk About What Can Be Done
There’s much more to talk about regarding the root causes behind this widespread situation, but we’ll save that for a follow-up discussion.
With that, let’s pivot and talk about opportunities to improve this situation:
1. CIOs should be far more engaged in both the problem and the solution than many are today.
- As with other functions with IT, the CIOs must be able to support and represent the security function at the highest level of the organization as long as CISOs continue to report up through CIOs.
- In cases where CIOs and CISOs are peers (often the ideal situation), CIOs must possess this understanding to drive their team to rise up to the need to manage risks prioritized by the CISO amongst requests being fulfilled on behalf of business functions. It can’t be about one or the other.
2. Reducing key security risks that could have the greatest impact on brand or operations should be the responsibility of all functions.
- Everyone says this, but until personal objectives and bonuses include the need to reduce cyber risks prioritized by cybersecurity against business priorities, risk reductions will continue to be slow to realize and this typical frustrating situation will worsen.
3. CISOs, take risks; succeeding in taking those risks may be your most rewarding experiences.
- Use your passion to pitch the project that you know to be both valuable to the business and about which you are most passionate. Reduce the time you’re spending in operations to free up availability.
- If you get the opportunity to move forward on what you are most passionate about, great! If not, maybe it’s time to move on?
4. Talk to peers you trust about how they’ve managed these situations.
- More often than not you will find that your trusted peers have experienced one or more of the situations causing the greatest pain and may have tools to help you get through it.
5. Look for fulfillment in giving back.
- In situations where I’ve struggled to find fulfillment in the role itself at specific points in time, I’ve increased the amount of time being spent with peers and community members and contributing to conversations based on the experience that we’ve gained.
- This can be an incredibly fulfilling experience that exceeds that which you would typically realize in the office while navigating these challenges.
- This can be the difference between being happy and feeling the need to leave the industry altogether.
6. Change jobs if it feels right.
- It’s not always the role itself but rather the work climate that you’re operating in.
- If your work climate feels painful and you’ve pulled the levers that you control to improve the situation with little to no impact, it’s likely time to move on.
- Someone else will find that your current role is the challenge that they need at this moment in life and you may discover one of the most fulfilling roles you’ve had in years if not your career.