May is Mental Health Awareness Month, and I want to take this time to reflect on something we don’t often talk openly about in the security community: mental health. Nearly half of CISOs turn over every two years. Almost 100% of CISOs report feeling stressed at work, with about two-thirds saying stress issues are compromising their ability to protect their organization, and 100% saying they felt they needed more resources to adequately cope with current IT and security challenges.
This is a recipe for burnout: we’re in a stressful field that changes on a daily, sometimes hourly basis. We all have targets on our backs—externally, because of security threats to our organizations, and internally, because of how we shoulder the blame for a challenging security incident. We fight for resources and are asked to do more with less, and, in the midst of protecting our organizations, we also have to defend how we spend our money and show more ROI. To many CISOs, this feels like an untenable situation.
I don’t have an instant remedy for this dilemma—none of us do. But my 30 years of experience in security have taught me that it is vital to prioritize mental health, and that we can no longer stay quiet about the constant threat of burnout and what CISOs—and all security professionals—are up against.
This can’t be just talk. But it’s often difficult to make it more than talk, and to cut through to what’s useful. Here is some practical advice that, from firsthand experience, I can say has worked for me to help foster positive mental health:
- Identify my scope of command and get buy-in from stakeholders. As CISOs, we have to spend our energy on the things we can control, and too many of us waste energy on the things we can’t. So, by proactively identifying the things I can control and influence, I’m also acknowledging the things I can’t. This allows me to dive deeper into solving problems for which I am responsible, while also alleviating the stress and pressure of the things I can’t control. That’s a big difference from saying something “isn’t my responsibility.” It’s a willful acknowledgment of the things that are worth spending time on.
- Check in regularly with colleagues and professionals within the community. We are stronger when we work together, and when we are able to share some of the issues we’re facing, or struggles we see, we feel less alone. Because we come from such diverse backgrounds, our collective experience can help us solve these problems together.
- Connect to things that foster positivity. Perhaps this sounds