CISO Health and Wellness

I was inspired to write this piece after seeing Jonathan Nguyen-Duy speak at an event in New York City a couple of years ago. Jonathan was a VP at Fortinet and their Global Field CISO and he spoke about CISO health issues in a very refreshing and completely disarming way. Unlike some field CISOs who have never actually lived the practitioner’s life, it was immediately clear that Jonathan was speaking from his own personal experience and was being extremely authentic and genuine as he broached a topic that is not often discussed: CISO health.

“How are you doing?” is usually a perfunctory greeting or utterance in many professional circles and gatherings. It’s a sort of filler phrase that bridges the gap after seeing someone whom you may or may not be connected with on LinkedIn and whom you may or may not have actually met previously in real life.

Such examples of small talk also include talking about the weather, the local sports team, or how far they might have traveled to reach the bar or restaurant where you now find yourself, preparing to engage in what you hope to be substantive and engaging conversation with knowledgeable and experienced peers in this profession we call information security. And we graciously suffer the mandatory few minutes of the evening’s sponsor(s) who have a few words to share about their startup, new product launch or new business partnership.

But Jonathan really hit home with his allotted minutes of our collective attention and I immediately admired him for it. There were a good 100 professionals gathered at this storied and swanky steak house on Manhattan’s upper west side a few short blocks from Central Park. Nearly everyone by my count was at least one cocktail into their evening of high gustation, storytelling and network building (Old Fashioneds being the drink of choice that evening looking around the room, walls lined with photographs of famous and near-famous patrons of the establishment hung on wood-paneled walls with dimly-lit indirect lighting).

And here was Jonathan talking about stress, lack of sleep, weight gain, anxiety, constant threat of termination, budget constraints, script kiddies, advanced persistent threats, imposter syndrome, divorce and of course meds. There are few jobs that have such a short average tenure as that of the CISO. And the life of a CISO is rarely without some (un)healthy dosage of what we might politely call “coping strategies.” To be clear, however, I’m not saying that all CISOs are experiencing this particular combination of ailments. But a lot of us are and we should talk about it more than we do. We also need to do something about it.

Teaching is the ultimate act of optimism.

So what, you might ask, can and should we do about this sorry state of affairs? Teach. About four years ago I began teaching at NYU and I distinctly remember hearing someone at a faculty gathering say something that rang true but which also felt more than a tad disconcerting: teaching is the ultimate act of optimism. The mere idea that we can make a difference in this world by teaching, and that what we teach even matters or that the students actually care to pay attention is a sublime leap of faith. You have to be an optimist in some sense, I believe, to be a teacher.

Having studied the philosophy of education in college I must confess that I’ve spent a good deal of time thinking about thinking and one of my favorite things to think about is Education (with a capital “E” which means I’m talking about the proper noun). One of my NYU colleagues who teaches classes on the intersection of law and cybersecurity pointed me in the direction of a wonderful short film entitled “Teaching Teaching and Understanding Understanding.” But I digress and so to return to the subject of optimism I’d like to invoke the words and wisdom of Noam Chomsky who said "Optimism is a strategy for making a better future. Because unless you believe that the future can be better, you are unlikely to step up and take responsibility for making it so."

If this is indeed true, then optimism is not just a character trait, but an actual strategy that can be wielded to improve the world. For myself, teaching gives me energy. I gain strength and fervor from preparing lectures but even more from delivering them. The word “verve” comes to mind, which the dictionary defines as enthusiasm, rapture, spirit, or vigor, especially of imagination such as that which animates an artist, musician, or writer, in composing or performing. A teacher is an artist and a performer, an optimist and a dreamer.

CISOs are, I will posit, also teachers and thereby CISOs are also optimists. CISOs are engaged in cross-department diplomacy every day when they entreat their colleagues and peers to carry the torch of infosec into their daily toil and tasks. Information security and cybersecurity are inherently invested in the avoidance of harm when looking at the profession at a fundamental level. Security professionals work to keep bad things from happening and we need everyone’s help in this battle.

But rather than invoke images and analogies of war and conflict, let’s instead try to cast the discussion of information security as a game. An infinite game. Some games are finite and have an end where one usually declares or concedes that there is a winner and a loser. But some other games like the game of catch are not like that. They are infinite games. There is no end and there are ostensibly no winners or losers. You play catch in order to exercise your skills and improve your ability.

So infosec is an infinite game, and its leaders are having a hard time of it lately. For one, there are not enough of us CISOs to go around. There is generally agreed to be a global shortage of information security talent and that holds true for the CISO role. Teaching can help reduce the skills gap. Teaching can also help bring some much-needed verve into the lives of CISOs.

Finding healthy coping strategies like teaching is all well and good, but let’s make sure that we do not forget to think about how to fix the problem and not just survive as CISOs. We should want CISOs to thrive and flourish and play the infinite game that is infosec with joy and satisfaction. As consummate managers of risk, we must also turn our focus inwards and mitigate the threats to our finding balance and happiness in our work and in our home life.

How can we work to build a professional culture and mindset that removes some of the harmful elements from our lives? The ones that Jonathan called out in an almost heroic display of sympathy for the plight of the CISO. How can we structure work and compensation such that rest and recovery are included in the quarterly objectives and key results for the organization? We need structural support for CISO health and wellness.

Admitting that we have a problem is one of the first real steps towards solving the problem. Talking about CISO health issues is a necessary ingredient to building better and more sustainable plans to be resilient and thereby continue to earn the trust and respect that we deserve.