John has built a stellar reputation as a problem solver and cyber defender. Yet, today, John, the chief information security officer of a major manufacturing company, is frantically trying to find out why the CEO had been unable to retrieve or send any emails for the past four hours. The CEO is furious, and as John takes in the barrage of anger, John begins to feel fear sinking into his chest. Would this incident tarnish his hard-earned reputation? Will he lose his job?
John prides himself on having answers and receiving praise for fixing problems, so he is taking this situation to heart. He started his IT security career as an analyst. He was incredibly talented at spotting gaps in security posture and determining creative ways to close those gaps. John's intelligence and innovation helped him quickly climb the ranks to CISO. However, each level of promotion brought with it increasing challenges and demands.
As an analyst, John's responsibility was confined to himself and his specific role. The CISO role has widened John's scope of responsibility immensely. He now has to manage a team of people with varying personalities, budget and request funds for projects, communicate and build relationships with other business leaders within his company, negotiate and buy products and services from vendors, and meet a number of other responsibilities. John also has to find time to be a husband and father and to take care of his own physical and mental health.
It doesn't help that John's leadership expects the IT security department to protect the company 100% against malicious threats. John and his team are expected to perform perfectly. It's an unrealistic and unreasonable expectation, which leads to high stress and burnout. Unfortunately, many are in this position.
What Leaders Should Do
Had there been someone coaching John, he would have been taught about effective leadership traits that would help him have less emotional fallout in this scenario. There are three core tactics John could use to keep from questioning his own efficacy or suffering burnout.
1. See mistakes as a learning opportunity. Mistakes happen. They are a part of life. Those who thrive see mistakes as learning opportunities and ways to get better. Accept any mistake as what it is: an outcome you did not want. Investigate what led to that outcome, determine what alternative choices were available, and understand what better options exist moving forward.
2. Control the controllables. Much is out of our control. For example, we have no control over how others respond (like a yelling CEO), if a salesperson gives us all the information we need to make an educated purchase, if employees leave the company, if it's going to rain, or a litany of other things. Focusing on things outside of our control will lead to increased fear and manifesting more of what we do not want.
However, we do have the ability to focus on what we have control over. We have control over how we respond to situations; we have control over our energy, effort, and attitude; and we have control over how we choose to model for others. Focusing on what we control will not guarantee things work out. However, it will allow us to have more sanity and certainty that we are doing the right things at the right time, which will increase our chances of success.
3. Remain calm. When threats to our safety (real or perceived) occur, we instinctively go into survival mode — fight, flight, or freeze. In times of fear and panic, our cortex disconnects from the cerebellum, known in psychology as a "flipped lid." We lose our ability to critically think and problem-solve. Our breathing also becomes faster and shorter. You can get back to calm through your breath.
Box breathing is a simple and effective technique for recovering a mental space in which you can problem-solve. It employs four equal parts, just like the sides of a box. You inhale for five seconds, hold at the top of that breath for five seconds, exhale for five seconds, and hold at the bottom of that exhale for five seconds. Repeat this process for a minimum of five rounds or more.
Reduce Stress to Reduce Turnover
Stress is on the rise within the IT security space, which leads to problems like burnout and employee turnover. The "2022 Global Chief Information Security Officer (CISO) Survey" from management consulting firm Heidrick & Struggles found that stress (60%) and burnout (53%) were the top two most significant personal risks to CISOs in the United States.
People are leaving CISO roles for other operational positions, pursuing consulting opportunities, or not entering the CISO roles altogether. This exacerbates two big issues in the industry: not enough talent to fill seats and employee retention.
"They're [CISOs] choosing to punch out," Matt Aiello, partner and leader of the cyber practice at Heidrick & Struggles, told CNBC recently. "What we're hearing in offline conversations is that it's a great role, but it's very hard and the regulatory pressures are increasing, and that makes being a CISO even more challenging."
Awareness and prioritization of mental health support and performance coaching is growing in this industry. In 2018, for example, the Black Hat conferences introduced a community track focused on mental health and other nontechnical topics that continues to this day.
Being an IT security leader is hard. There are so many challenges to being effective in the role — unrealistic expectations of protecting your organization 100%, not getting the funding you need to purchase resources, difficulties finding and retaining good talent, etc. Ineffective leadership skills make this job harder. You and your team can thrive if you learn how to lead effectively and avoid burnout.