Category: Mental Performance

What Causes CISO Burnout?

Burnout isn’t exclusive to the security industry, but it certainly seems like there is a higher incidence of burnout within security and particularly among CISOs. I have had my fair share of burnout and have tried a lot of different techniques to recover, however for this post I want to cover – What are the most common causes of CISO to burnout?

Lack of Appreciation

There are a number of reasons for burnout, but one of the main causes is lack of appreciation. This could be something as simple as celebrating the successes of the security organization more broadly or it can be more complex like advancement to the next level within the company. Given the broad range of CISO levels across the industry, advancement is certainly one of the issues that can manifest as lack of appreciation. For example, I see a lot of head of security positions or CISO level positions posted as Director or Sr. Director level positions. While this may make sense from an organizational standpoint it can put the CISO role at an inherent disadvantage compared to their other peers (like the CTO, CIO, etc.). Celebrating the successes of the CISO, acknowledging their contributions and promoting them to the appropriate level based on their scope and impact is one of the first ways you can reward a CISO, acknowledge their value and prevent burnout.

Lack of C-Suite Support

Another main reason for CISO burnout is the lack of equivalent C-Suite support. If the CISO isn’t supported by their peers and is always at odds with them, this will lead to burnout very quickly. Being on an island all alone is no fun, particularly when dealing with complex issues like security or when attempting to change behaviors across the organization. A CISO needs support and the C-Suite needs to be aligned to the overall security goals of the organization otherwise the rest of the organization will undermine the CISO. Without this support the CISO will spend all of their time just battling for political relevance instead of actually identifying and managing risk and this will lead to burnout.

Too Many Responsibilities

This can vary depending on organization size, but it is not uncommon to see a CISO with additional responsibilities such as Privacy, Data, Risk, Compliance, etc. all in their remit. Typically a CISO does deal with these things, but the organization has to be careful to not lump things under the CISO just because there is no one else to do it. The CISO organization shouldn’t be the janitor or garbage dump for the rest of the org and they shouldn’t be the place where all the misfit toys go. If the organization is going to lump additional responsibilities onto the CISO then those responsibilities need to come with support in terms of additional budget or resources. In addition to responsibilities and resources, the CISO needs to understand their strengths and weaknesses and delegate accordingly. Otherwise, the CISO will take on too much, not be able to scale and burnout.

Operational Burnout

Operational burnout is a big problem. If your operational tempo requires the CISO to constantly deal with incidents, respond to investigations, answer regulatory questions, deal with lawsuits, etc. then the CISO won’t be able to focus on other parts of the job like driving strategy, managing risk or prioritizing resources. Instead, they will constantly be reacting to situations which causes stress and takes a toll on personal health. Operational tempo can be difficult to manage, particularly if the CISO organization is understaffed, which means the team can’t maintain normal working hours. Personal care, such as maintaining normal routines to eat, sleep, exercise and decompress, can be seriously impacted if not managed properly during operational situations and this will lead to burnout extremely quickly.

Another area of operational burnout is constantly dealing with vulnerabilities, keeping up with the the latest trends, dealing technical debt or responding to increased reporting requirements. All of these scenarios have a never ending aspect to them and can cause the CISO to begin to feel like the situation is hopeless.

Risk Tolerance Misalignment

This is a very common area of frustration for CISOs and it boils down to not feeling appreciated. If the CISO is constantly making reasonable recommendations for how to manage risk and the business ignores them then there is clearly a risk tolerance misalignment, which will ultimately make the feel CISO unappreciated. To be clear, I’m not expecting every recommendation to be followed because you don’t want to get into a chicken-little type of scenario, but the CISO needs to have enough organizational credibility that the recommendations are acknowledged, considered and discussed. Organizations that don’t do this will rapidly find their CISO burned out and seeking other opportunities because you can only be ignored so many times before taking the hint and moving on.

Shiny Object Syndrome

At the next conference you go to, take a look around at the vendors and read their messaging. I bet you find it is hard to tell the difference between several of the companies there. Buzzwords like threat intelligence, machine learning, block chain, artificial intelligence, next generation, zero trust, etc. all hype up companies with buzz words, but remove differentiation for decision makers like CISOs. Keeping up with the Gartner Hype Cycle and the latest product buzz words is tiring because CISOs really just want to know what your product does and if it will be useful to solve their problems. Continually having to sift through the noise of buzzwords and hype is exhausting to CISOs and can burn them out quickly to dealing with vendors.

On the other side of this equation is technological churn. If your organization is continually implementing new tools and then replacing them after a short period this can also cause burnout. A security function needs a certain amount of stability and predictability to be effective. Shiny object syndrome from executive leadership or other parts of the business can make it difficult for a security team to find their natural rhythm or implement effective processes around those tools. Shiny object syndrome can quickly burn through the credibility or effectiveness of a CISO, which can ultimately lead to burnout.

Impossible Goals

It takes a considerable amount of effort for a new CISO to make their mark, effect change and achieve their goals at a new organization. This effort alone can cause CISOs to burn out, but it is made worse when the organization has impossible expectations or sets impossible goals for the CISO and their team. Examples of impossible goals are – achieving a compliance certification within an impossible timeframe, improving security posture when there is a significant amount of technical debt or trying to meet expectations for response times without appropriate staffing. The CISO needs to set realistic goals and have the latitude to adjust those goals as needed to avoid burning out.

Lack Of Accountability

The last situation that is sure to cause burnout for a CISO is lack of security accountability in the rest of the organization. If the business expects the CISO function to magically fix all of their security problems without support then that is unrealistic. The business (think CEO) needs to hold the other C-Suite members accountable for supporting and meeting the security objectives set by the CISO. If this accountability is not in place then other parts of the business will keep making decisions that increase risk or incur security technical debt, which places the CISO in an impossible situation and will cause burnout.

Wrapping Up

Burnout is an unfortunate byproduct of an otherwise exciting industry. CISOs are particularly ripe for burnout due to the immaturity of the role with respect to other C-Levels and the wide range of responsibilities that can be lumped under a CISO. Additionally, industry hype, lack of resources, lack of accountability and operational tempos can all cause CISOs to burn out. A CISO who is burned out is not as effective at their role and the level of burnout will take a proportional level of recovery. Hopefully, the examples above can help you recognize common situations to avoid or if you find yourself in that situation, recognize that it will quickly lead to burnout so you can make proactive changes and keep leading your team effectively.

Conquering Impostor Syndrome

Over the past eighth years I have been shifting my personal interests from reading technical books to reading books on mental performance. Navy SEALs like to say their training is 10% physical and 90% mental and I think this holds true for a lot of endeavors in life. The security industry is inundated with training courses about how to penetration test, how to be an incident responder or how to become a CISO. However, if you want to strengthen your mind to handle the stress of a security role you have to leave the community and seek answers in other places like extreme sports, the military or even self help.

Mental Health is an extremely important aspect of career management that often gets overlooked or neglected. The security community is notorious for burnout because the issues we deal with on a daily basis have a sense of urgency or feel never ending. One important mental health issue that is particularly pervasive within the security community is Impostor Syndrome, which is when people who are otherwise talented or successful still feel as if they are a fraud.

I have personally experienced both burnout and impostor syndrome throughout my career and in my experience impostor syndrome is caused by a fundamental lack of belief in oneself. Therefore, in order to overcome impostor syndrome one must somehow boost their own confidence, which can be difficult because it is tough to self assess.

Understanding the problem

In order to overcome impostor syndrome it is important to first diagnose and understand the problem by asking the question:

What part of your life, career or skillset makes you feel like a fraud?

Perhaps you recently received a promotion, but haven’t received training or coaching to build the necessary skills in that role?

Or, maybe you have the skills, but you haven’t received feedback or validation that these are the right skills to have?

Maybe you are worried your skills are sub-par compared to other people you see at conferences or who you interact with regularly?

Whatever the issue, it is important to be honest with yourself about what makes you feel like a fraud. This is an important step because once you identify the issue you can build a plan to address the problem.

Develop A Balanced Approach

One of the most impactful books I’ve read on mental performance is called With Winning In Mind by Lanny Bassham. This book discusses different parts of the human psyche that need to be in balance in order to avoid psychological performance issues like Impostor Syndrome. With Winning In Mind discusses how to balance the Conscious mind, Sub-conscious mind and the Self Image to achieve balance of the psyche and ultimate performance.

In my opinion, Impostor Syndrome is caused by an imbalance in the Self-Image. The self image has not developed in line with the knowledge, career progression or skillsets possessed by an individual. As a result the individual lacks confidence in themselves and needs to spend time building up their self image to conquer impostor syndrome.

Building (Or Rebuilding) Your Self Image

Below are the steps I recommend you follow in order to overcome Impostor Syndrome. These steps require work and dedication, but if you commit and follow through it will be worth it in the end. The steps are as follows:

  1. Identify the skills or character traits in which you lack confidence. Write these down.
  2. Develop a plan to train or develop each area so you can begin to build confidence in that area.
  3. Create positive affirmations to reinforce your training and build your self image. Put these in prominent places (fridge, desk, mirror, car dashboard, etc.) that you see daily and repeat them to yourself whenever you see them.
  4. Record your progress in a journal and review regularly.

Example

  1. Identify skills – I feel like an impostor when I speak in public. “I want to be a better public speaker”
  2. Develop a plan – “I will practice public speaking for 15 minutes a day, while recording myself. I will review the recording each time and make a plan for the following day for how to improve.”
  3. Create Positive Affirmations – “It is like me to be a great public speaker”
  4. Record your progress

Wrapping Up

Impostor Syndrome is a common psychological performance issue, particularly in the security community and it is caused by fundamental lack of confidence in oneself. By honestly identifying where you lack confidence, you can develop a plan that will help you improve your self image and ultimately overcome the feeling that you are a fraud. If you suffer from impostor syndrome I encourage you to speak openly and honestly about it with a mentor, trusted colleague or mental health professional who can help you create a plan to overcome the issue because impostor syndrome can cause you to psychologically hold yourself back from truly achieving your fullest potential.