Take Care of Yourself: CISO Self Care During Wartime

Any CISO can tell you that our work is unpredictable. Like a night club bouncer, we have long periods of preparing, watching and waiting, punctuated by periods of high stress and occasional bruising.

It seems that this cycle is speeding up, and indeed there are more periods of high stress than not. This increase has been gradual, which allows some of us to get used to the pace (pity the poor first-time CISO). What is new is that the impact of the events is more than just a skirmish at the front of the building — these events are turning into full-blown bar fights, and are usually taking place right on top of the Boss’s desk.

The challenge for Security leaders is that most organizations don’t really know what they want from their CISOs. During times of peace they want a diplomat — someone who can sit in the C-suite and talk about business objectives in non-technical terms. But when EternalBlue comes calling, they want a Commander-In-Chief/General/Drill Sergeant/Grunt to just make it all go away. The result is a CISO who has to bungee between the front lines and the corner office in the space of an hour. And make it look like you have complete control, because, you know, Leadership.

Fortunately, I have people around me both professionally and personally who are aware of the stressors of this profession, stay in tune with the news (which is saturated with Cyber-Scare items) and have my back. I know when things are particularly rough because they’ll ask: “Are you taking care of yourself?”

“Sure” I say, “Why do you ask?”

Of course, the general Rx for stress includes sleep, diet and exercise. Check. Foundational elements of self care. Got it. But when every new Global Cyber Catastrophe © requires you to reexamine your previous risk-based decisions, and justify your resource allocation strategies not only to your Board but to your Staff (and to yourself), it doesn’t matter how healthy your salad, how many Fitbit steps you have taken, and how many hours of sleep you got the night before. No, you want to take out the next Monday Morning Quarterback who darkens your door.

Alternatives to this basic prescription look like this:

Surround yourself with other Security leaders who get what you’re going through. I advocate for a lot of shared events where you can wallow in your misery together. Go on, let it out — it will allow you to get back to the office having released all those mental toxins you have to deny during your time in the office. You may find someone else who has it worse than you, which is helpful.

Meditate. Taking small breaks to dwell on the bodily harm you will inflict on the next person who questions your decision not to patch that MRI machine (the one that cannot be patched without causing millions of dollars in damages) will prevent you from causing that physical damage, which would require the MRI machine for that idiot’s medical care. If you would rather meditate on rainbows and butterflies, be my guest. I just don’t think it’s as effective at stress relief.

Binge watch. Not those inspirational-it-all-works-out-in-the-end kinds of things. I’m suggesting those movies which explore global annihilation. Anything that involves mass destruction of major cities. If it makes you feel better, make it a Marvel movie, but don’t feel like you have to watch to the very end.

Engage in full contact sports. None of this namby-pamby-helmets-and-pads American football stuff. Full contact MMA. Go on. I know you want to.

Seriously, anyone in Security, and particularly the Security Leader, needs to have a significant support structure and coping mechanisms which go beyond “take care of yourself” if they’re going to survive in the role (another suggestion for College Cyber curriculum…). Surround yourself with colleagues who can not only sympathize, but can help you find a way to emerge from a crisis with your sanity intact. Look carefully at your organization’s leaders — if they aren’t supporting you, consider finding another place to spend your efforts. Engage your staff in your thinking — they can be hugely supportive, or another stress point — make sure you’re all on the same team, and can hand off the reins of a crisis so you can all find time to rest and recover.

Remember, the Security crisis of today will be forgotten as soon as the next crisis arises — short term memory is your friend.

Take Care,

Cyber Security, Technology Ethics, and Humanity. What else? I can be found on Twitter @CisoHelen