Emily Wearmouth [00:00:01] Hello and welcome to another edition of the Security Visionaries Podcast, an all round excellent lesson for anyone in the cyber data or related industries. I'm joined today by two excellent guests. Shannon Jurkovic is the chief information security officer at Bendigo and Adelaide Bank in Australia. Her career background is in risk management and before her current role, she worked for many years as a consultant at both KPMG and EY. In a recent count, she determined that she'd supported more than 150 organizations in their risk management efforts. So there's no doubt that she knows a thing or two about things. Welcome, Shannon.
Shannon Jurkovic [00:00:34] Thanks, Emily. Great to be here.
Emily Wearmouth [00:00:35] My second guest is Samm MacLeod, who's also a CISO. At the moment, she holds the role at Culture AMP. But over the course of her career, she's held CISO or other security and risk roles within energy companies, banks and also the NBN, the organization responsible for building and running Australia's fiber network. Welcome, Samm.
Samm Macleod [00:00:52] Thanks, Emily. Pleased to be here.
Emily Wearmouth [00:00:54] I think it's clear from the little snapshot I just gave of Samm and Shannon CV's that they're no strangers to high stress roles in organizations that operate often very critical infrastructure. And so the thing I wanted to talk to them both about today is personal resilience. Research earlier this year suggested that 94% of CISOs reported suffering from work related stress. 94% is one of the highest percentages I've seen on any survey like this, so it really is no trivial topic. I wanted to start Shannon, Samm, just one of you want to kick off by helping us set the scene of what we mean by personal resilience. Maybe. Shannon, you want to go first?
Shannon Jurkovic [00:01:29] Sure so resilience in its pure form is really about the ability to adapt to changing situations and difficult situations and challenges. And if you look at, I guess, the conversation we're having today, really, you can look at it from two angles, one being the cyber perspective. So how we go about protecting our organizations and being resilient in terms of responding to cyber attacks and keeping the business running as we respond and then being able to bounce back as business as usual. But if you also flip it on, its on its head. It's really also around that personal resilience. And so again, it's about being able to identify and to adapt to challenging and changing situations. And certainly from a cyber perspective, we we deal with this every day and multiple times a day, but then really gets around having the mechanisms and applying those to respond to and now and ultimately bounce back from those sorts of situations.
Emily Wearmouth [00:02:25] Samm are personal resilience and corporate resilience completely intertwined?
Samm Macleod [00:02:29] Oh fabulous question. Yes, I feel like so particularly for CISOs. So if I look at, you know, what are some of those keys to being resilient? It's all about the contribution you're making, the control that you've got over the situation that you're in, how well you cope. And I think a lot of the things we look at from a corporate point of view is how do we control a particular set of circumstances, how do we make sure we've got teams that can work their way through problem solving to achieve a particular outcome for an organization. So I think they're very well intertwined.
Emily Wearmouth [00:03:04] When you're looking at your risk planning for an organization, how much do you factor in personal resilience or sort of the the negative side of that personal burnout? How much do you factor that into risk planning? Is it a conversation that organizations are realistic about?
Shannon Jurkovic [00:03:20] I think that it's growing in and how much we focus on that. And I think if you look at the cyber landscape that we are working in and operating in, it's relentless and there's no mental downtime. Whenever shore cyber professionals, when an attack will occur, when we need to respond, could be any time of the day or night. I think cyber teams certainly know the impacts that a single failure or event can have on an organization. And I think too, if you look at cyber today, we used to talk five, ten years ago. It was all about technology. It's not about technology today. It's holistic. It's about, you know, a huge role around people and culture. And so you need to be including that people and culture element in it. If you look at my role as a CISO professionally, you know, it's necessary, not the case, but you do feel personally accountable for protecting the organization and looking after your teams and also yourself. And so while there's a level of reality to that, it's an organizational risk. Security is everyone's responsibility. We hear that cliche, but we also reflect on the fact. And we're hearing this more and more that cyber is a team sport. And so you need to be looking at the personal elements of this because to be able to respond, to be able to do cyber, you need people and you need those people to be switched on. But you also need to make sure that they're effective and what they can do, and providing them with the balance and the support that they are not just 24/7 responding, but also looking after themselves and being able to to be resilient and bounce back.
Samm Macleod [00:04:57] Just to add on to what Shannon was saying there, we we can see in statistics that organizational performance is linked directly to to people and culture, and I think we spend a lot of time diving into what are the risks from a financial point of view, what are of the risks to cyber point of view, where are our operational risks, but I would question whether we're diving deep enough into what those people and culture challenges are, and some of those risks around how we look after our people. We do workforce planning fairly well to achieve our business outcomes, but are we really looking at how we take our people through their career trajectories? How do we work with them and support them? How do we help them be more resilient with some of the challenges that they're facing into? And cyber is just one of them. But you could throw anything out there. It could be the economic climate that we've been going through and in some of those other, you know, cost challenges and workforce challenges and how well our people bouncing back and how well we're looking after them from that point of view.
Shannon Jurkovic [00:05:53] I think the other thing I'll add to that as well, and something we're certainly focused on and growing our focus in, in our organization is the concepts of psychological safety and personal vulnerability, because we also need to be providing environments for our people and ourselves where it's okay to share how you're feeling. It's okay to share when you might be struggling and having a safe space that you actually can take support and get that support that the people need. And I think each person will be different in terms of the support that they need, but we need to be able to have that culture and that risk culture behind being able to speak out. And really it's about being able to raise issues. And if you think about it, it is the behavior that you walk past that you then accept as an organization and as individuals.
Samm Macleod [00:06:45] We're probably the worst at it. If you look at us as technical people or people who work in technology roles, we're probably the worst at that. And our people probably are too, where, you know, there's a propensity for tech people to be introverts and keep things to themselves. And so I think there's a real onus on us, not just from a risk perspective, but from a helping people thrive perspective to figure out how we pull that out of people and in particularly in cyber, where I think the pressure is different in those roles compared to some of the other roles in the organization. How do we make sure people are well supported, that they do feel safe to speak out, that it's okay to put your hand up and go, that was mad. We've just had the biggest leaks that we've ever had or, you know, it's just the propensity and the amount of work that is on top of us right now to try and protect the organization and [00:07:34]tech people do take, as Shannon said, a massive amount of personal responsibility around protecting the organization. And we've got to figure out how to help them protect themselves as well. There needs to be some sort of mechanism or barrier that we support people with. [12.9s]
Shannon Jurkovic [00:07:48] And I think on top of that too, the other thing that I find technology and cyber people aren't good at, but we're really trying to encourage and really grow this in our organization is around we do something, we respond to an incident, we deliver something, and then we just go to the next thing. We never stop. We never reflect, recognize and celebrate what we're doing. We just deliver one. We respond, we move on. And so I think those sorts of behaviors and driving that culture in an organization and encouraging people to stop for just a moment, to be able to reflect on what has happened or what we've delivered is actually really important as part of building that whole behavior around resilience.
Emily Wearmouth [00:08:27] So it's interesting because you've talked about the fact that people within your teams might not be naturally comfortable communicating about and proactively managing their personal resilience, but I wonder whether I'm talking to both of you who are clearly very aware and able here, but whether above you, within organizations that you've worked at. You know, Shannon, you've worked with over 150 organizations. You're almost like a field work poll all in yourself. Do you think that executive teams and board teams are comfortable talking about these topics?
Shannon Jurkovic [00:08:57] I think it depends on the organization. I think some are certainly focused on it more, and recognizing that this is something that's really critical. Certainly in our organization, that's something that I've seen grow even in the time that I've been in this role. And but I think there are other organizations where they would still be early in the journey. And I think, again, it comes back to having people like Samm and myself in the roles where Ian is also using it as leading by example, communicating upwards, our role is to sell to, to tell the story. And so as part of the role, as much as we talk about cyber and those things, I think part of our role is to make sure that we are educating up and providing awareness to the the sorts of issues and challenges, and that's certainly something that I've been specifically focused on to make sure that there is that awareness and recognition and understanding that this is equally, if not more important than some of the other cyber things that we own and technology things that we need to do.
Emily Wearmouth [00:09:58] I'll be talking more about resilience now than we did five years ago. Is this an emerging thing or, you know, as has been going on for a while, these conversations.
Samm Macleod [00:10:08] I find it fascinating that at least in the last two years, that the concept of mental wellness or mental wellbeing for CISOs has become something that is, you know, on the front, on the main stage, for want of a better term. it was talked about sort of between silos or in smaller groups, but I've definitely seen a lot more of it out in the general public and the public domain. And it's fascinating. I don't know what's suddenly driven that I don't know if it was that has done that. And some of the changes that we're seeing around how we live, how we work, how we operate, and the additional challenge that that gave people during that time, particularly with isolation and working from home, not being in the office and, you know, the lack of connection or the lack of belonging and so forth. So I don't know if that sort of brought that forward and more conversations have happened. But there's also particularly within Australia, we've seen a number of top CISOs leave the industry as well and leave the industry for reasons of burnout. Or of the complexity and the challenges of the role that impact so much on your your personal life and your personal wellbeing. So I think there's just a a lot more being spoken about from a mental health point of view that's then driven the the taglines of resilience and and so on.
Shannon Jurkovic [00:11:31] And I think to add to that, it's not just the CISO level as well. It's also the teams on the ground. And and particularly if you look at some of the recent articles and thought leadership around security operations professionals and the like who are on the ground having to respond to a myriad of incidents one after the other and often multiple things at the same time. So I think it's reflecting that it's absolutely a leadership element to the resilience discussion. But I think equally and if not more important, it's actually the entire teams who are also on the ground dealing with this every day.
Emily Wearmouth [00:12:09] I was going to ask you whether it's a generational issue, and it feels like, you know, whether it's the Prince Harry effect, you know, the younger generations being comfortable talking about mental health and pushing upwards. But in cyber security, it doesn't feel that it's bottom up. It feels like these growing conversations about mental health and personal resilience are coming throughout the organization and certainly at senior levels. It's becoming an increasingly pressing topic. Is that how you are experiencing this or do you see it particularly coming from certain demographics?
Shannon Jurkovic [00:12:40] I don't think it's generational. I don't think it's, you know, different groups. I think people generally come at those sorts of issues and challenges and events in different ways. And really through that, it's how do we tailor our approach to support the individuals on the ground. So I don't necessarily think there's a difference in generation or the like. I think it's just different people responding and adapting in different ways.
Samm Macleod [00:13:09] I think the element of it might be generational is the bounce back component of the resilience. What have you experienced before? What have you seen before? What can you resonate with and how quickly can you recover? And I think, you know, we particularly the organization that I work in, we have an average age group, I think is about 28. And depending upon the different walks of life that the individuals have come from, they have a variability in their understanding of what's going on and their ability to bounce back. So we do a lot within our organization around working with our teams to see where different individuals are at in order to give them the collateral or give them the help or the understanding of, whether it's economic climate, whether it's, you know, cyber related matters to, to try and help facilitate that resilience for them and help them find where that is for them.
Emily Wearmouth [00:14:01] Now I'm going to ask the tricky question. And then we can build into positivity. I'm going to start by asking you to help us understand what does burnout look like. So we have listeners who lead security teams around the world. And I would love if we can give them some indicators to look for, perhaps in themselves and in their teams of what it looks like when an individual is struggling and they don't necessarily have the resilience that they need at the moment.
Shannon Jurkovic [00:14:26] I think to start off with, you actually need to understand your people and you need to understand them on both a professional and a personal level, that you understand what makes them tick and how they operate and how they work and how they they come to work each day. And I think then the challenge and I guess the, the what we would focus on then is really around what's not quite right, what's what's an abnormal response. Are you seeing people checking in less or more depending on their response? Do they come with problems that feel insurmountable? Are they disconnected? Do they have diminished delivery? Are you seeing less delivery than you would say normally from them? I think it's really understanding what's, "normal" that you see on a, on a day to day basis, and then both yourself and your leadership team being able to recognize when when something might not seem right, and then working through how you can approach the individual and providing the support that they need because it might be work related or it might be personal related, that you don't actually have a view of. You just need to work through how you can provide that support to them. But it's really those telltale signs around what doesn't look quite right.
Samm Macleod [00:15:40] I think Shannon absolutely nailed it. And I think the the absolute key is understanding the individuals that are in the team and, and knowing where they're at personally and professionally, so that you can actually see what some of the things are that might be blowing up for them or what their triggers might be. So what are they actually reacting to? That might be an indication of what's going on for them.
Emily Wearmouth [00:15:59] Yeah. And I suppose it's key to look out for these things when you're not just in the middle of a particularly large issue that you're dealing with as a team, you know, looking out for them at those points as well, but also when you're, you know, in those rare days of, of business as usual as well. So how do you personally cope in your role? You know, we talked at the beginning about some of the organizations that you guys have worked for in your career, and I can't imagine the stress level being involved of, you know, CISO of a major bank, the CISO of a major utility company. So what are some of the the tools and techniques, perhaps, that you've built up in order to cope in your role and build up your personal resilience?
Shannon Jurkovic [00:16:36] I have a few things. I'm a person somewhere within work, and I think if you look at the work front and I mentioned before around cyber being a team sport, it really is about you. You don't want to be alone and you you need the team and support around you. And I think one of the key things that I've certainly been focused on in my team and continue to do today is empower them as the leadership team to take the pressure off. It's around delegation and managing up and down, but giving them the opportunity as well to step up into more senior roles and activities, as well as taking that pressure off and supporting, supporting what I'm trying to deliver as as a CISO. I think the other thing is around self-discipline, and it's about walking away, taking breaks. It is a 24/7 role, but you also through empowering the team and sharing the load you you do need to take that that time away as well. The people who know me very well will know how important I guess my. My family and friends, so it's about spending the time with them and taking the time away to spend with them. But I think if I don't do my gym training or my running and I spend my my time on my health and fitness, I think everyone who's close to me will know that, that I need to do that. That's my release. That's my way of de-stressing. So [00:17:56]I think for me, we talk about work life balance. We talk about it being cliche, but it is true. It is about how you balance both what we do at work, but also that your personal life and the things that you do and enjoy. Other things that also help you balance out managing resilience. [14.9s]
Emily Wearmouth [00:18:12] Samm, what about you? What are your tools and techniques?
Samm Macleod [00:18:15] Yeah, from a from a work perspective, it's going back to that shared responsibility. So it's having the sense of belonging to the team in the company that you're working for, but also making sure that everyone's diving in. And it's a shared responsibility for me to help manage this for my team more than myself. It's about making sure we're all agreed on what our true north is, what is our strategy? What is our goal? You know, what are our priorities? And I'm doing whatever I can to remove it and see from whatever's coming in and hitting us with front and center, because that just adds to the stress. And the rope gates tightening and it makes it very, very hard to bounce back. So there's a lot of planning uh, and prioritization in there as well. But I think the personal stuff is absolutely key. And Shannon mentioned the word joy. And I think at the end of the day it's knowing what brings you that. So for me, having worked in a couple of different organizations, so working in the energy industry where I was looking after and protecting systems where people could be harmed or the general public could have something, you know, something terrible could happen. You carry a very different perspective around what managing cyber means compared to where I'm at now, where I'm in a data company that's big tech, and it's a scaling organization where no one will come to harm. But it's all about protecting really important data. And I think the lens that we look at cyber AI through AI industry, all through our company, helps to manage our resilience and helps to prevent burnout. And so for me now, the mechanisms I use personally are slightly different to the ones that I used when I was in the energy sector. But you know, it's all about wellbeing, so it's finding that ability. Go for a walk, meditate, yoga, whatever it is that sort of floats your boat. Finding those things to really get back to, to basics. For me, it's boxing or it's the gym and it's calming and hiking. It's dumping every bit of technology because I'm on it all day, every day, and it's getting out in the bush and where I cannot be contacted and it's going for a really big hike or 4-Wheel driving and things like that. So it's just finding those things that give you pleasure and joy. And I feel of the things that the exact opposite to what you're doing on a daily basis.
Emily Wearmouth [00:20:26] Yeah. An escape. And so would it be a useful thing to when you've got your relationships within your team, if you can identify what are the things that bring them joy, you can perhaps notice someone who's spiraling in a way that means they're no longer finding time for those activities, you know, being aware of and then suggesting, hey, you know, are you still swimming every day, you know, and coaxing them back to the things that that help them? If you're aware of what those things are in the first place?
Shannon Jurkovic [00:20:52] Absolutely. And I think, again, it comes back to understanding them on a personal and professional level and the personal level, that's where we often find the common ground. It's not necessarily work. We all work in cyber. So we we I guess we have that common work front, uh, already. But it is about understanding that and finding that common ground and using those opportunities to touch base with your team and understanding how they're going on that front.
Emily Wearmouth [00:21:16] So just looking to close with some really practical thoughts. How do you build a team that has time and space for resilience building behaviors? What is it with the way you're approaching your day to day activities, or the way that you delegate and communicate with each other? What do you change in order to make sure that the team you're building and the sort of etiquette within the team perhaps allows space for those resilience building behaviors.
Shannon Jurkovic [00:21:41] So for me, you need to lead by example. So the team's a priority. But you need to remember yourself and you need to demonstrate that you're also thinking about yourself. So again as a leader, if I'm telling my team that they need to make the time and space and I have the permission to do that, and then as a leader, I don't, then you're not driving that right behavior. So I think firstly it's about leading by example and driving that culture in the team. It is a bit like putting your oxygen mask on first before you put it on others on a plane. It's about putting you first and really leading through that. The other things. What we've done is certainly I've mentioned this already around taking the time to celebrate successes and recognition and the like. And we have in our team, we have a monthly recognition program where people can nominate the great things our team are doing, and then we have a voucher system at the end that they get the most votes for will get a voucher system. So we have some things like that that really try and drive some of those behaviors around recognition and reward and encouraging us to take that time away fromthe grind of everything we do every day. The other thing we've been doing, particularly in our technology team, is encouraging things like meeting free Friday mornings and allowing people the space to take the time away, to do learning and development and all the things that they don't get the time to do. But again, for me, it's about making the time and space. It's about understanding people and their non-negotiables on a personal level and being flexible where you can where it makes sense, getting that balance right and really driving that that change through a culture perspective is how we go about it.
Samm Macleod [00:23:19] I think for me, I kind of look at it as a multi-level consideration. So going back to that old adage that we use even within cyber and tech, which is, look at the people, look at the process and look at the tool. So, you know, I look at how are we planning, how are we defining our performance goals, what are the personal goals that we want to fit into our performance goals, and how do we help and support each other to achieve those, as much as we're trying to achieve the the performance ones that then underpin the company ones, and as an example, we give each other a lot of feedback. So we have lots of feedback loops and feedback to also not just about celebrating success, but remembering to say thanks and acknowledging how we've been helped or how we've been supported. We've got lots of flexibility in the ways that we work. So we're very specific, particularly in my team, around what works for us about when we work or where we work from or how we work. And, you know, we have a social contract and we have a set of team norms. And we we try to all make sure we adhere to those or we bring up new ones if we feel there's something that's really putting too much pressure on the team or making it difficult for someone to succeed, what else can we be doing differently? Is it a group? We do a lot of cross skill and upskill in the L&D component that Shannon just mentioned. And we've got, you know, social impact days and and ability to take time out from the day to day in order to help and service others or in order to, you know, plan and team build and do things together. So I think there's lots and lots of different ways to tackle it. Our organization, like most do, have access to modern health facilities and things like that, that, you know, whether it's a subscription to the Calm app or whatever. So there's a lot of little tactical and more strategic things we can do to, to support each other from that perspective.
Emily Wearmouth [00:25:12] It's quite a holistic approach at that. That's interesting to hear. Well, thank you Shannon. Thank you Samm. You've been incredibly helpful, I think and very open with what works within your team, and I hope that there's something of value here for the listeners to help them improve, not just their own personal resilience, but also try and create the environment that supports others to better handle the unavoidable, really, challenges that security professionals face in their day to day roles. You've been listening to the Security Visionaries podcast, and I've been your host, Emily Wearmouth. If you enjoyed this episode, please share it. But also make sure to like and subscribe on your favorite podcast platform. We publish a new episode every two weeks, some hosted by me and some by the marvelous Max Havey. If you're subscribed, you'll never miss one. I'll catch you next time.
Why Netskope 
){kind=icon}
