Creating safe spaces
For me, cybersecurity is a gratifying field because we can go home at the end of the day and say we’ve made the world a slightly better place.
There’s also a personal cause to cybersecurity. We all know people who have been affected by the work of cyber criminals. That’s one of the reasons why we’re seeing more women come into the field – they’re looking for a purpose.
But there’s an elastic limit to all of this. You can’t stretch it beyond its natural tension, because then it’s likely to snap.
As much as we try and tune into that personal cause element, and come together as a team to serve a great cause, we also need to really understand our people so that we know their elastic limit – before it becomes obvious.
That involves creating a safe environment for people to talk about who they are, where they come from, what is gratifying for them, and what is stressful for them.
In order to find people’s motivations, I ask my team members, “Do you feel the purpose of the work that you’re doing?” If the answer is, “I do it because I’ve been asked to, or it was assigned to me,” then it’s my job to go and find them something else. Because any time that you feel like you’ve been assigned to something, even if you’re not being stretched to the limit with it, your energy at the starting level is already low. That work is always going to drain you.
When we moved into the hybrid world, getting to know people became harder. So we need some new rituals. This morning I stopped in the middle of a meeting when we hit a tricky part. I stopped sharing my PowerPoint, and made a joke. When you laugh, you breathe, and when you breathe, you feel better.
Additionally, taking the time to have a casual conversation, rather than diving straight into whatever topic you’re discussing, allows you to connect better with people.
Our industry must work to develop a culture that removes the stigma associated with mental health. We should start by recognizing that we ALL have mental health, just as we have physical health. But just like physical health, our mental health will suffer if we put it through increased and sustained pressure over time.
As security leaders, we need to focus on individuals to understand their needs and concerns. Demonstrate you care about the individual by taking the time to have regular updates and one-to-ones, and really listen to what they say. Listening is the ultimate form of respect, and from there, we can understand how and when our people might need some support.
The security sector is challenging and constantly evolving, and with these changes and challenges, people can grow fatigued over time, especially if there are regular issues and breaches. Take time to celebrate individual and team successes, and when there are issues, look for the insights that will turn the incident into a learning experience; then celebrate those.
It’s no good saying, “Don’t answer emails on weekends,” when you yourself are sending emails on weekends! Encourage teams to take time away from their devices, short breaks in the day (5 to 10 minutes), and holidays (5 to 10 days). But you must do the same.
When I was a deputy CISO at my last organization, people who had never worked from home full time were starting to work around the clock, and I could see it taking a toll.
An action I took as the leader was to hold a 15-minute stand-up every week with my directs, and I encouraged my people leaders to do the same. We called them ‘FAQs’ - Feelings, Answers, Questions and Slowdowns. I monitored the temperature of the team through those touchpoints.
I also asked, “When are you taking a vacation?” We might not be able to go anywhere, but people still need time off, and if they hear of other people taking time, they might be encouraged to do the same.
I went a step further in the end by actioning my team, “You have until this day to tell me when you’re taking time off. If your time-off request is not in my inbox by the following stand-up, you have to meet with me and explain why.” I took that stance because a large part of burnout is the feeling of guilt -- “I have to keep going or I'll let everyone down.”
The second thing I did was for my entire division. They got a calendar invitation from me for an hour a day for lunch. It was routine, every day, and the title of the invite was, “Don't mess with my hour.” That was powerful and people later commented they were taking a full hour’s break.
Cybersecurity demands performance – clear and effective thinking around risk reduction. However, operating in burnout conditions doesn’t enable this. It just results in mistakes, misjudgements, and errors. Leaders who create high performing teams know this, and work to continually improve. They educate themselves, invest in coaches, develop more emotional intelligence, and are proactive.
They also value people highly. They treat them as their greatest asset rather than as a machine or product. That’s why when they lead them, they ensure they support and challenge them in equal combinations. I call this high-challenge and high-support.
Leading in environments of high-challenge and high-support equips teams to secure their own success and operate with responsible initiative and energy rather than being dependent – something every leader wants.
For example, too much support will make teams dependent on you and resistant to change. Too much challenge will mean you’re simply pushing your team, burning them out, or teaching leadership traits that don’t deliver consistently high performance.
For a lot of people in this industry, myself included, our passion, our jobs, and our hobbies are all very closely related. So, what ends up happening is that you don’t see work as “work” -- you see it as your passion. And because it's your passion, you work harder. You're mentally not getting a break, and you can take on too much.
Try to recognize the signs: mood swings and hypersensitivity to certain situations that you're normally unaffected by are all important indicators of early burnout.
This is quite important because we're always attached to a device, and it can be quite mentally draining and overwhelming. So, I just literally take my laptop and phone and I'll put them in a drawer for when I am not busy, and let them stay there, especially when I'm on holiday.
Make sure that you share your stories; the successful ones as well as the challenging stories. A great example is last week I was having a rough day. I let my team know, “I am off today. I just can't seem to concentrate. I've been in back-to-back meetings all day yesterday, and I didn't get a chance to exercise. So, this afternoon, I'm going to flex an hour of my time, and I'm going to go out, and I'm going to get my run in. I need that time to decompress and really work through what I'm doing at work.”
Make sure that people know that you are doing those things, and you're modeling the behavior to make sure you have your own mental health needs met. You’ll help to make sure that they too feel that that's an appropriate response and it's okay. We also do things that we call, “Do what you need today.” This is around flexing your time, and making sure that people know, “You put in 10 hours today. You started work at 6:00 AM. So, if you need to step away in the middle of the day or at the end of the day early, do what you need to do.” I don't want to micromanage people's time. That all comes back to relationship and trust.
When we talk about burnout, you need to look at everyone individually. Many of us are very different in this industry, and one technique might work for one team member, but not another.
For me, when you start putting metrics on your passion, that's when you start winding down, or when you start being ground down. It’s when you start feeling the pressure. Management can forget (when dealing with people like me) that people are on the spectrum. Some people are task-oriented and are very set in certain ways or certain patterns.
So when you start putting metrics and numbers, that is where the pressure comes from, because this craft is not all about that.
Whatever you do in your InfoSec career, make sure happiness is your number one priority. If you’re searching for the biggest paycheck, or the most prestigious job title, you’ll eventually burn out.
Happiness comes in many forms for many people, but think about what’s most important to you. Is it career progression? Travel? Speaking opportunities? Having the opportunity to break things and be creative? Focus on those things that make you happy.
It's about being creative with your approach. We can get quite siloed into a traditional way of working. One of the things that we did during the pandemic was act on ways to keep the team in a good place. For instance, we started doing a 15-minute workout together.
We also created virtual, scheduled coffee breaks. The rules were that you don't talk about work; it was just literally a time for the whole team to get together for 15 minutes. It's building in those kinds of mechanisms, and checkpoints, and they can inspire creativity.
The workout is another example. We tried it, and it worked for a while, then it kind of fell off the radar. That's okay. The point of it was to encourage that “self-time”; to do something that will be helpful for you mentally and physically.
You want to create an organization of trust, and that should translate into output. Ultimately, it's creating an environment where team members feel that they can be trusted to do their job and deliver with mutual agreement. That helps create a good balance for mental health because the team then feels empowered.
Security leaders create safe and positive mental health environments when they promote a culture of transparency and trust. A culture that allows an employee to bring their whole self to work -- with all their strengths, weaknesses, hopes, and fears -- supports authenticity. This allows them to avoid the stress that comes along with having a work persona that doesn’t align to a person’s values and style.
This person needs to lead by positive example, and also be vulnerable, show fears and insecurities, and be human. No one can be 100% “on” all the time. A leader who shows their humanity allows those around them to be human too.
The nature of the security profession means the industry is inherently untrusting. We look for flaws in design, gaps in thought processes, and weaknesses in technologies. This makes it hard for us to provide a trusting and positive work environment.
The industry can improve by consciously fostering a positive approach to problem-solving, allowing people to share their ideas and questions without fear of condemnation, or the need to be “right.” The industry acknowledges we have a mental health crisis. Attention is needed, immediately, to address this concern.
All people who are now leaders have felt the same way, and may still have some of these feelings. Leaders must take that time to be open and share when they're going through challenging situations too.
Take breaks publicly, and share with your team that you're logging off for the weekend.
We also have to normalize saying out loud that sometimes you don't necessarily feel good, and there's nothing wrong with that. The more that leaders talk about these things, the better it will be as an example.
As a leader, there are all kinds of pressures from different areas of the business that are constantly weighing on your mind, and that can weigh on you mentally. I was in a rough spot a few months ago. I was mentally drained, and I felt depressed. I had a ridiculous amount of anxiety. I just wasn't waking up excited about doing what I'm doing.
So, I reached out to my team on our social channel early on a Friday morning and said, “Hey, I'm taking a break. I am not feeling good, and I want to take a break from everything. I hope everyone has a good weekend.” I canceled all my meetings, and then chatted with the team again on Monday.
The reaction from my team, and different people on the team, was that they were feeling similarly. This showed me the importance of sharing when you're going through things like that, and being open as a leader about those things.
It's all about the person. As security professionals, we get so caught up in technologies and all the threats and all the different pressures it demands from a technical perspective. But we have to understand that this is still a people business, and we have to focus on our people.
Working for a large organization, I learned how to unplug occasionally to recharge, and to trust those around me to keep things on track. As an entrepreneur in a small company, I’ve found that much harder to do because more things depend solely or largely on me, and there’s nobody to make progress while I’m out.
Some time ago we started turning three-day holiday weekends into four days, and I find that refreshing.
It’s not a cure for burnout, but little things like that help a lot.
With a growing number of cyberattacks, there is a tremendous amount of pressure on the cybersecurity workforce to prevent, detect, and respond to these events. Often, it is at the expense of the cybersecurity professional’s work/life balance, family time, mental health, and physical health. So, how does one prevent burnout?
Try to set boundaries and agreed-upon expectations with your supervisor. This may include core work hours or schedules. Having defined work expectations can greatly help with reducing stress.
Allow time for yourself. Find a hobby or something you enjoy such as playing a sport, musical instrument, hiking, or traveling. Doing something that you are passionate about can recharge your physical and emotional batteries.
Cybersecurity is a challenging and demanding industry. We are in the best position to win when employees are happy, engaged, and have a proper work/life balance.