The role of a Chief Information Security Officer (CISO) often treads a fine line between accountability and responsibility. Balancing these demands puts a heavy burden on cyber security professionals, with potential consequences on their health and well-being.
Join us for a candid conversation with Andrew Rose, CSO of SoSafe and industry analyst, about the challenges of managing critical infrastructure under constant stress and invaluable lessons in resilience and strategic thinking.
Burnout is an important topic that I became interested in through experience. Overseeing critical national infrastructure with the expectation of perfection, compounded by less than supportive management, created a high-pressure environment that led to tangible health issues.
Discussing this with fellow CISOs globally, I realised how many other peers are affected. Even the non-critical national infrastructure roles these days are pressured to maintain service 24/7 and ensure profitability. So, every security professional must cope with stress.
People develop unhealthy coping mechanisms, so we discuss this honestly and openly in panels and workshops to figure out more constructive approaches, sharing insights and strategies on how to navigate this high-stakes environment.
Even the non-critical national infrastructure roles these days are pressured to maintain service 24/7 and ensure profitability. So, every security professional must cope with stress.
One of the most stressful challenges is being held accountable for aspects beyond the role’s control.
This gap between responsibility and accountability created a relentless loop of pointing out problems to the responsible departments and facing the board’s criticism for unresolved issues. What resulted was a cycle of stress without obvious means to change the situation.
Realising the need to manage stress better led to formulating a few strategies:
Beyond stress management at a personal level, it’s essential to learn how to mitigate risk effectively.
Maintaining a formalised risk register is crucial, particularly for decisions of consequence.
CISOs need to start thinking about creating indelible records with enterprises to prove their innocence in case of a data breach and to show that they gave the right advice at the right time.
Maintaining a formalised risk register is crucial, particularly for decisions of consequence. Such records, ideally included in board minutes, provide a clear account of decisions made and responsibilities assigned. At any point in time, if anyone says, “The CISO made a poor decision”, you can point to the record and say, “Actually, it was the board that made the decision, and I advised them in a different direction.”
This approach not only ensures self-preservation in the face of potential disputes but also maintains a comprehensive record of organisational risk management.
Storytelling is one of the most effective tools CISOs can use to gain influence across the organisation with leaders and with C-level executives. Talking about stories as a way to engage people has almost become a cliché around the world, but the fact is that they work.
In a role where technical details can overshadow the broader message, the ability to tell a compelling story ensures a better understanding of key facts and improves persuasion. This skill is particularly useful in board meetings, where dry statistics or data points can fail to capture attention.
Think of data and storytelling as the two blades of a pair of scissors. Stories make the data relatable, ensuring it resonates with the audience. Stories travel, plant seeds, and become a part of people’s conversations.
Think of data and storytelling as the two blades of a pair of scissors. Stories make the data relatable, ensuring it resonates with the audience. Stories travel, plant seeds, and become a part of people’s conversations.
I had been a CISO for ten years before I joined Forrester as an analyst. That role gave me more visibility into security strategies, and I noticed, for the first time, the huge discrepancies between different approaches.
CISOs often talk openly about general threats, incidents, or vendor recommendations. But that’s rarely the case with strategy or metrics. You may ask for advice, but you can’t share sensible information about your organisation.
There’s a delicate balance between openness and maintaining organisational confidentiality. Yet, these conversations are vital, offering support and shared wisdom in navigating the unique challenges in cyber security.
Check out our blog for more insightful discussions, and follow us to stay updated with industry trends and insights.
