Security is a tough job. But it is not uniquely so. Our colleagues in risk, safety, compliance, privacy, and many other disciplines have much in common and also share the same vocational pride in what they do. Also, as I have written here, security is actually one of the most rewarding jobs there is.
However, despite those rewards it is a highly demanding and often stressful job. To quote Dan Geer:
"One could argue that cybersecurity is the most intellectually demanding profession
on the planet. The rate of change is so great that no challenge is ever solved
and no problem ever resolved completely. That said, security failures more often
result from a lack of direction and focus, not of skills or resources."
There can be tough days, very tough days. I’ve always had them and always will. Thankfully, the great days often outnumber the tough days. But, no matter how long I’ve been doing this CISO, Risk Officer or other role I find I am not immune to the stress from those down days. This post is how I deal with that occasional stress.
“It’s not the load that breaks you down, it’s the way you carry it.”
- Lena Horne
1. Keep a Congratulations / Success and Lessons Learnt File
It’s very useful to keep an email folder or document with notes of past successes and congratulations that you can look back on during the occasional down day. This can remind you of what you have done and hence can do again. One of the hardest things I’ve always found in the security role is you have an image in your head of where you want the organization to be. In your journey to that state it’s hard to notice the small daily progress that builds toward this. No matter how many transformation programs I’ve led over the years I still have the same natural impatience that I have to temper. It helps to look back and remind yourself of every past success as something that was hard-won, that took time and steady persistence as well as the occasional 10X leap forward. It is also just as useful to keep in the congratulations file some, if not all, of the failures you experienced and what was learnt from them to remind you that even on the down days you are always capable of learning and progressing.
2. Keep an Inspirational Picture / Quote File
I have a set of pictures and inspirational quotes in another folder I occasionally look at, some I even have framed on my wall like this one (from a rare 2001 Goldman Sachs print advertisement):
“You have no stunt double. This is leading.”
My other favorite is the Teddy Roosevelt Man in the Arena quote:
"It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat."
Finally, you can't go wrong with an occasional look at the next two:
3. Practice Mindfulness
This might polarize people a bit. There are certain aspects of the whole mindfulness ecosystem that smack of mumbo-jumbo, but I have found much benefit from the simple act of 10 minutes a day of mindfulness meditation. That is, sitting quietly, concentrating on the breath and, when your mind inevitably wanders, non-judgmentally bringing it back to focus on the breath. This hasn’t "changed my life" as some people say but it has done one thing which has been transformational. It has enabled me to have a higher success rate at being able to respond not react. In other words, when faced with situations or information you don’t like, you need an ability to respond to that thoughtfully, not to react immediately in a counter-productive way - whether it’s showing too much frustration, temper or blame, or just inadvertently being a bit of a jerk. Daily mindfulness meditation has enabled me to go from 50% responding not reacting, to something like 95%+ responding not reacting. This is well worth it.
The other thing this has helped with is the practice of empathy and assuming good intent in people. Recognize that when you’re not getting what you want or when things that you think should be happening aren’t, then have a bit of empathy for the load that the other person or team is carrying. It is almost never that colleagues or teams set out to deliberately do something harmful to you. In fact, imagining such goings on can often create the very animosity you seek to avoid.
4. Remember the Mission / Higher Purpose
Everyone working in pretty much any aspect of security, no matter what role and no matter what industry, is protecting something important. It could be people’s sensitive data, their privacy, their livelihoods or even lives. It is not cliched to think of our roles as having a higher purpose. In every way, no matter how small, we’re defending someone’s freedom, liberty and livelihood. That is something worth fighting for. It is worthy of us and the extra load we may have to personally carry.
5. Remember What’s Really Important
You are not your job. Most of us get tremendous pride and a profound sense of community from our organizations and the wider community we are a part of. However, it is important to have some separation between that life and “real life”, whether it is family, non-work friends (this is tough, though, as most of my friends are from work or other professional association), and non-work-related hobbies or other community activities.
6. Progress not Perfection - The Obstacle is the Way
“The impediment to action advances action. What stands in the way becomes the way.”
- Marcus Aurelius
It can be tempting to look at obstacles as frustrations, but obstacles to what you need to get done are in fact why you are here. The obstacles are mostly in your role to deal with, otherwise why would they need you?
It is important to view the job as establishing and operating a set of processes and systems to achieve goals, not letting the goals be the only aim. Why? Because there are always more goals in our ever-changing risk landscape and without the process and systems the goals don’t get any easier to achieve.
Fine tuning processes and systems and measuring their ability to surmount more complex challenges also has a more direct feedback loop. They can be more innately satisfying than behaving like an artisan, tackling goal after goal in some bespoke way. We often talk of having difficulty measuring the success of the security program in the positive as opposed to simply the absence of negatives (like incidents). Focusing in on process and systems (and their associated measurements) is a terrific way to do this.
7. Channel your Lays of Ancient Rome
No matter how good anyone is, or how great their organization is, there will always be something that goes wrong. You will do your best to avoid it but it may still happen. In that case think of Horatius:
“Then out spake brave Horatius, The Captain of the Gate: To every man upon this earth Death cometh soon or late. And how can man die better Than facing fearful odds, For the ashes of his fathers, And the temples of his gods”
Bottom line: Notice the best part of our jobs, accept that the roles are stressful and figure out ways, iterating every day, to carry that load in better ways for you and your team.
Note: some of the quotes I’ve used in this post are of their time and use “men” or “man” instead of “people” or “person”. I decided to leave them as is rather than adjust the original quote as I think all will, of course, get the point.