Creating safe spaces
How can security leaders create safe and positive mental health environments?
Senior Vice President and General Manager, Cloud and Network Security, Cisco
For me, cybersecurity is a gratifying field because we can go home at the end of the day and say we’ve made the world a slightly better place.
There’s also a personal cause to cybersecurity. We all know people who have been affected by the work of cyber criminals. That’s one of the reasons why we’re seeing more women come into the field – they’re looking for a purpose.
But there’s an elastic limit to all of this. You can’t stretch it beyond its natural tension, because then it’s likely to snap.
As much as we try and tune into that personal cause element, and come together as a team to serve a great cause, we also need to really understand our people so that we know their elastic limit – before it becomes obvious.
That involves creating a safe environment for people to talk about who they are, where they come from, what is gratifying for them, and what is stressful for them.
Know the actions that get your people excited about their job, which allows them to bring their best to work. And also know what drains their energy.
Shailaja Shankar (continued)
In order to find people’s motivations, I ask my team members, “Do you feel the purpose of the work that you’re doing?” If the answer is, “I do it because I’ve been asked to, or it was assigned to me,” then it’s my job to go and find them something else. Because any time that you feel like you’ve been assigned to something, even if you’re not being stretched to the limit with it, your energy at the starting level is already low. That work is always going to drain you.
When we moved into the hybrid world, getting to know people became harder. So we need some new rituals. This morning I stopped in the middle of a meeting when we hit a tricky part. I stopped sharing my PowerPoint, and made a joke. When you laugh, you breathe, and when you breathe, you feel better.
Additionally, taking the time to have a casual conversation, rather than diving straight into whatever topic you’re discussing, allows you to connect better with people.
Professor of Communicating Cyber, Cyberfort Group
Our industry must work to develop a culture that removes the stigma associated with mental health. We should start by recognizing that we ALL have mental health, just as we have physical health. But just like physical health, our mental health will suffer if we put it through increased and sustained pressure over time.
As security leaders, we need to focus on individuals to understand their needs and concerns. Demonstrate you care about the individual by taking the time to have regular updates and one-to-ones, and really listen to what they say. Listening is the ultimate form of respect, and from there, we can understand how and when our people might need some support.
The security sector is challenging and constantly evolving, and with these changes and challenges, people can grow fatigued over time, especially if there are regular issues and breaches. Take time to celebrate individual and team successes, and when there are issues, look for the insights that will turn the incident into a learning experience; then celebrate those.
We must not only promote a healthy work/life; we need to live by it too.
It’s no good saying, “Don’t answer emails on weekends,” when you yourself are sending emails on weekends! Encourage teams to take time away from their devices, short breaks in the day (5 to 10 minutes), and holidays (5 to 10 days). But you must do the same.
- Lead by example.
- Give people your time and give them your attention.
- Listen to them.
CISO Advisor, Cisco
When I was a deputy CISO at my last organization, people who had never worked from home full time were starting to work around the clock, and I could see it taking a toll.
An action I took as the leader was to hold a 15 minute stand up every week with my directs, and encouraged my people leaders to do the same. We called them ‘FAQs’ - Feelings, Answers, Questions and Slowdowns. I monitored the temperature of the team through those touchpoints.
I also asked, “When are you taking a vacation?” We might not be able to go anywhere, but people still need time off, and if they hear of other people taking time, they might be encouraged to do the same.
I went a step further in the end by actioning my team, “You have until this day to tell me when you’re taking time off. If your time-off request is not in my inbox by the following stand up, you have to meet with me and explain why.” I took that stance because a large part of burnout is the feeling of guilt -- “I have to keep going or I'll let everyone down.”
As leaders, we must alleviate the guilt and proactively give people permission to take care of themselves. The work shouldn’t rest on any one person’s shoulders.
The second thing I did was for my entire division. They got a calendar invitation from me for an hour a day for lunch. It was routine, every day, and the title of the invite was, “Don't mess with my hour.” That was powerful and people later commented they were taking a full hour’s break.
Owner and CEO, KnewStart
Cybersecurity demands performance – clear and effective thinking around risk reduction. However, operating in burnout conditions doesn’t enable this. It just results in mistakes, misjudgements, and errors. Leaders who create high performing teams know this, and work to continually improve. They educate themselves, invest in coaches, develop more emotional intelligence, and are proactive.
They also value people highly. They treat them as their greatest asset rather than as a machine or product. That’s why when they lead them, they ensure they support and challenge them in equal combinations. I call this high-challenge and high-support.
Leading in environments of high-challenge and high-support equips teams to secure their own success and operate with responsible initiative and energy rather than being dependent – something every leader wants.
The combination of challenge and support has to be equal... as too much of one or the other will lead to a state where all parties aren’t achieving their full potential.
For example, too much support will make teams dependent on you and resistant to change. Too much challenge will mean you’re simply pushing your team, burning them out, or teaching leadership traits that don’t deliver consistently high performance.
Director of Cyber Security Strategy, ZeroDayLab
For a lot of people in this industry, myself included, our passion, our jobs, and our hobbies are all very closely related. So, what ends up happening is that you don’t see work as “work” -- you see it as your passion. And because it's your passion, you work harder. You're mentally not getting a break, and you can take on too much.
Trying to recognize the signs, such as mood swings, and hypersensitivity to certain situations that you're normally unaffected by, are all important indicators of early burnout.
One thing that I do is a device detox.
This is quite important because we're always attached to a device, and it can be quite mentally draining and overwhelming. So, I just literally take my laptop and phone and I'll put them in a drawer for when I am not busy, and let them stay there, especially when I'm on holiday.
VP of Cybersecurity, Kohler
Make sure that you share your stories; the successful ones as well as the challenging stories. A great example is last week I was having a rough day. I let my team know, “I am off today. I just can't seem to concentrate. I've been in back-to-back meetings all day yesterday, and I didn't get a chance to exercise. So, this afternoon, I'm going to flex an hour of my time, and I'm going to go out, and I'm going to get my run in. I need that time to decompress and really work through what I'm doing at work.”
Make sure that people know that you are doing those things, and you're modeling the behavior to make sure you have your own mental health needs met. You’ll help to make sure that they too feel that that's an appropriate response and it's okay.
We also do things that we call, “Do what you need today.” This is around flexing your time, and making sure that people know, “You put in 10 hours today. You started work at 6:00 AM. So, if you need to step away in the middle of the day or at the end of the day early, do what you need to do.” I don't want to micromanage people's time. That all comes back to relationship and trust.
When people feel like you understand them and that you have that relationship, then they trust that stepping away is truly okay with you.
VP of Infosec, SphereNY
When we talk about burnout, you need to look at everyone individually. Many of us are very different in this industry, and one technique might work for one team member, but not another.
Spend the time to understand what makes each of your team members happy.
For me, when you start putting metrics on your passion, that's when you start winding down, or when you start being ground down. It’s when you start feeling the pressure. Management can forget (when dealing with people like me) that people are on the spectrum. Some people are task-oriented and are very set in certain ways or certain patterns.
So when you start putting metrics and numbers, that is where the pressure comes from, because this craft is not all about that.
Whatever you do in your InfoSec career, make sure happiness is your number one priority. If you’re searching for the biggest paycheck, or the most prestigious job title, you’ll eventually burn out.
Happiness comes in many forms for many people, but think about what’s most important to you. Is it career progression? Travel? Speaking opportunities? Having the opportunity to break things and be creative? Focus on those things that make you happy.
Head of InfoSec, L&Q Group
It's about being creative with your approach. We can get quite siloed into a traditional way of working. One of the things that we did during the pandemic was act on ways to keep the team in a good place. For instance, we started doing a 15-minute workout together.
We also created virtual, scheduled coffee breaks. The rules were that you don't talk about work; it was just literally a time for the whole team to get together for 15 minutes. It's building in those kinds of mechanisms, and checkpoints, and they can inspire creativity.
The workout is another example. We tried it, and it worked for a while, then it kind of fell off the radar. That's okay. The point of it was to encourage that “self-time”; to do something that will be helpful for you mentally and physically.
It's about creating an environment for your team where you are driven, not by time, but by goals and objectives, and making sure that there's value from those objectives.
You want to create an organization of trust, and that should translate into output. Ultimately, it's creating an environment where team members feel that they can be trusted to do their job and deliver with mutual agreement. That helps create a good balance for mental health because the team then feels empowered.
Advisory CISO, Cisco
Security leaders create safe and positive mental health environments when they promote a culture of transparency and trust. A culture that allows an employee to bring their whole self to work -- with all their strengths, weaknesses, hopes, and fears -- supports authenticity. This allows them to avoid the stress that comes along with having a work persona that doesn’t align to a person’s values and style.
This person needs to lead by positive example, and also be vulnerable, show fears and insecurities, and be human. No one can be 100% “on” all the time. A leader who shows their humanity allows those around them to be human too.
A trusting culture starts with authenticity from the most influential person in the group – the “leader.”
The nature of the security profession means the industry is inherently untrusting. We look for flaws in design, gaps in thought processes, and weaknesses in technologies. This makes it hard for us to provide a trusting and positive work environment.
The industry can improve by consciously fostering a positive approach to problem-solving, allowing people to share their ideas and questions without fear of condemnation, or the need to be “right.” The industry acknowledges we have a mental health crisis. Attention is needed, immediately, to address this concern.
Co-Founder & CEO, ByteChek
The feelings that your people have, and the mental health issues that they're going through, whether that's depression or anxiety, imposter syndrome, or whatever it may be; those feelings are normal.
All people who are now leaders have felt the same way, and may still have some of these feelings. Leaders must take that time to be open and share when they're going through challenging situations too.
Take breaks publicly, and share with your team that you're logging off for the weekend.
We also have to normalize saying out loud that sometimes you don't necessarily feel good, and there's nothing wrong with that. The more that leaders talk about these things, the better it will be as an example.
As a leader, there are all kinds of pressures from different areas of the business that are constantly weighing on your mind, and that can weigh on you mentally. I was in a rough spot a few months ago. I was mentally drained, and I felt depressed. I had a ridiculous amount of anxiety. I just wasn't waking up excited about doing what I'm doing.
So, I reached out to my team on our social channel early on a Friday morning and said, “Hey, I'm taking a break. I am not feeling good, and I want to take a break from everything. I hope everyone has a good weekend.” I canceled all my meetings, and then chatted with the team again on Monday.
The reaction from my team, and different people on the team, was that they were feeling similarly. This showed me the importance of sharing when you're going through things like that, and being open as a leader about those things.
It's all about the person. As security professionals, we get so caught up in technologies and all the threats and all the different pressures it demands from a technical perspective. But we have to understand that this is still a people business, and we have to focus on our people.
Co-Founder, Cyentia Institute
Working for a large organization, I learned how to unplug occasionally to recharge, and to trust those around me to keep things on track. As an entrepreneur in a small company, I’ve found that much harder to do because more things depend solely or largely on me, and there’s nobody to make progress while I’m out.
Some time ago we started turning three-day holiday weekends into four days, and I find that refreshing.
It's so much easier to step away when you know others are too.
It’s not a cure for burnout, but little things like that help a lot.
Lead Information Systems Security Officer, SiloSmashers
With a growing number of cyberattacks, there is a tremendous amount of pressure on the cybersecurity workforce to prevent, detect, and respond to these events. Often, it is at the expense of the cybersecurity professional’s work/life balance, family time, mental health, and physical health. So, how does one prevent burnout?
Try to set boundaries and agreed-upon expectations with your supervisor. This may include core work hours or schedules. Having defined work expectations can greatly help with reducing stress.
There may be times when you need to rise to the occasion. However, if it becomes a routine occurrence, it may be worth a further discussion.
Allow time for yourself. Find a hobby or something you enjoy such as playing a sport, musical instrument, hiking, or traveling. Doing something that you are passionate about can recharge your physical and emotional batteries.
Cybersecurity is a challenging and demanding industry. We are in the best position to win when employees are happy, engaged, and have a proper work/life balance.
Advice on preventing/managing burnout
What’s the best piece of advice you’ve ever received when it comes to cybersecurity burnout?
Regional and Supplier Information Security Lead, Canon EMEA
The best advice I received about life in general was from AJ Cook during #ILFest. The advice was to stop holding myself to such high standards – instead simply be 100% present.
If it’s home, be focused at home, if it’s work be focused at work. Remove the guilt of feeling like you’re not doing enough, just be there.
That helped me because, unfortunately, I’m a perfectionist, and even before becoming a mother, I always felt like I needed to do more, be better, and nothing was good enough. As a mother, I have even less time, but I have to identify that I can only do so much and the rest will take time or require additional resources.
When working in Incident Response, you have very little time to gather a lot of information and digest it. If distracted, the job became almost impossible, so I would focus. However, that means hours to days at a time focused on something. I never stopped.
So whilst the advice of “be 100% there” applies, remember that also means to your capability. Taking time off to be at home, alone, on holiday, and to be there for your own needs, your family – not just work.
Owner, Stand Out In Tech
Burnout occurs when we aren’t able to balance our work and personal life. In InfoSec, many of us tie our identity to our job. In return, we then become our job, stop having a life outside of InfoSec, and lose our other identities.
We also work in a high-stress industry that runs 24/7, with the expectations to work all hours and days, if necessary. This reduces time spent on our personal lives and the people in our life outside of work. Thus, the balance of work and personal life cannot occur because we have a broken foundation that leads us to burning out incredibly fast.
If we want to fix this problem right now, we must listen and take actions to fix our broken foundation together to reduce this threat to our industry and personal lives.
The best advice on dealing with burnout is to recognize it’s not just about self-care. It’s recognizing that we work in an industry that seemingly discourages flexibility and balancing. It's also an industry that is heavily invested in being reactive versus preventative. In exchange, it continues to place us in a repetitive burnout loop.
SecureX Threat Hunter – ThreatGrid Research and Efficacy Team, Cisco
This industry pressures those in it to focus all of their waking hours on security. This is a dangerous mentality to have. On the contrary, I have always felt it’s critically important to resist this pressure and pursue hobbies and interests outside of the security world.
If you never take time to reset your brain and use other parts of it, fatigue will build and build. I firmly believe it’s critical to find balance.
Although I am involved in security organizations and events even outside of my work, I also paint and compete in Olympic weightlifting. When I do these things, I don’t think about work – at all.
By turning the technical side of my brain off during these other pursuits, I give my brain a break.
Because I do this, I’m able to come back to work the next morning refreshed and better able to approach projects with new perspective. Whether it’s taking time to focus on being fully present with family, pursuing a hobby, or even just going for a walk, time away is critical to mental health and well-being.
Security Compliance Manager, Knak
Security is a marathon, not a sprint. I love achieving goals and doing things to the best of my abilities. Whenever you're talking about security, that is a massive change management experience, which means that doing better than what you did yesterday is sometimes good enough.
There are occasions where you need to push and really demand more from your team, and that's okay. Healthy friction in any organization is what supports us in growing.
I always remember that I am a mere mortal, doing the best I can.
Above all, try to make it fun. Cybersecurity, and our digital threat landscape, and all of the risks that are out there to be mitigated or reduced, can be so overwhelming. There's a lot of fear-mongering in this space.
However, my experience with anyone in information security has been awesome. These people who are drawn to these types of roles often are unique personalities, possessing a ton of knowledge, and they truly want to help and serve both organizations and people. We might as well have a good time while we're doing it. Otherwise, what are we here for?
Senior Security Architect
Learn mindfulness. Not only does it help empty your head of stressful thoughts, it helps you stay in balance. It’s important to make time, understand how you feel in yourself, and listen to your mind and body. If you become skilled in that, the chances of you overlooking that you are about to burn out reduce massively. There are some great apps out there that can help, such as Calm and Headspace.
It’s really important that people make happiness one of their biggest priorities when it comes to a job in cybersecurity. This should be your number-one goal. I think if more people focused on what they enjoy, we might see a reduction in burnout across the industry and generally in life.
A few other tips I can share to help with mental health:
- Make sure to exercise on a regular basis – it always has a positive effect on most mental conditions.
- Make sure to take care of yourself. No one else does it for you.
- If you end up accepting more tasks than you can handle, then tell your boss in an open and honest way that you need help to prioritize your tasks, or that some tasks need to be reassigned. If the work culture prevents that, you really should reconsider where you work.
- Use your network and be honest about your situation with those you trust.
Usually people in the InfoSec community are good at 'picking each other up' and helping out. It’s good to talk.
The triggers of the cybersecurity industry, and how to get help
In conversation with Matt Olney and Matt Watchinski
On the unique stresses of the cybersecurity industry:
Matt Watchinski: We have people in our teams who are having to look at the worst of the internet, and essentially place a tag on it, in order to protect others from seeing it. That can be hugely traumatic.
At Talos we have a lot of internal process to help with that, including company counseling.
We make sure that somebody isn’t focused on a specific area of categorization of criminal behavior for an extended period of time.
If you’re a manager, it’s important to know how much time your team is working on something, so you can rotate those responsibilities, and check in with them regularly to see how they’re doing.
One of the things about security is that the bad actors dictate your timetable 9 out of 10 times.
What we have to do is be constantly ready and try and fail as little as possible in the process.
That's a very weird mentality – to show up to work and say, “Today, I'm going to lose as little as possible.” It's not, “I'm going to get to the office and I'm going to win.” It’s a lot to get your head around. We can never be done. The game changes all the time.
On the ‘overwhelming’ nature of security:
Matt Watchinski: The realm of security is very broad, and it can get extremely deep. My advice to avoid being overwhelmed by that is to look at security like you’re standing in front of an orchestra – there are violins, tubas, drums, etc. Every single one of those instruments takes a different skill to play, even if you understand how to read music.
To become a master of any one of those things, you have to put in tens of thousands of hours. And you're not going to be able to do that for every single instrument in that room, no matter how good you are.
So, find the topics in the security realm that are most interesting to you, and pursue those.
Don’t worry too much about becoming overly specialized in a lot of areas.
Security is an agile game, and oftentimes shifting on the fly is required. You don’t need to be specialized to do that.
Being a security generalist is often a lot of people's career goal, and they're very successful at it. It’s a highly useful and utilitarian contribution to security.
Matt Olney: There is an entire planet worth of bad software out there. Hardly any of which you're going to be able to specialize in. What's key is that you're able to pick up what you need to know quickly.
I'm the head of threat intelligence for Talos. I don't know every APT actor number. I look up APT actor numbers every day, because it's never wedged in my head. But when I need to communicate about something, I can go through our documentation to figure out what the collective understanding of it is, and then push out an effective communication to our partners.
Security is much more about that than it is about being a super specialist in any one skill.
On getting help if you’re struggling:
Matt Olney: If you’re struggling, speaking to a mental health specialist is something I highly recommend. Because that person is trained to not only understand what you're telling them, but they can parse it from the context that you're telling them, i.e., from a wounded state.
They can extract details out and quickly get to the root cause. They can also tell you the name of whatever issue it is you might be experiencing. As someone who's gone through this process, getting the ‘name’ is very powerful. It means I have context, I can learn about it, I can be aware of it, and most important of all, I manage it.
That moment when someone says, “This isn’t about weakness. You have a brain chemistry that causes these things to happen. And this is how we deal with it,” is as liberating as any medication or therapy session.
Also, remember that during this time when you're feeling alone, you've never been less alone. There are so many people that are feeling what you're feeling right now.
Matt Watchinski: I was talking to one of my friends recently who's served in the military for over 20 years. And he was telling me that if there’s a physical issue with your health, you tend to be more empathetic to yourself.
But when you're going through a very stressful situation, it's such a different experience. And that's a big question mark. Why is it such a different experience? Why can't you have empathy for yourself? That needs to change.
I hope anyone reading this takes from these stories that we all struggle from time to time, and we should be kinder to ourselves as a result.
We're seeing so many people who are struggling at the moment, who may not have had to deal with mental health issues in the past. It’s important that we see a clear path to addressing them, and that they don't feel like they have to hide it. It’s a very natural, normal human reaction to the couple of years we’ve had. Getting help as soon as possible is key to ensuring that we don’t allow our mental health to decline further.