Ep. 15: It’s Tougher Than Ever to Be a CISO – and It’s Time to Admit It

A recent survey of small to midsize companies found that 94% of CISOs suffered from work-related stress and it was affecting their jobs. Amid the changing expectations of the CISO’s role, we talk to Steve Zalewski of S3 Consulting about how these vital security professionals can extend their careers and preserve their mental health.

Host: Melissa Bischoping, director of endpoint security research, Tanium
Guest: Steve Zalewski, former CISO; founder, S3 Consulting

Show notes

For more info both for CISOs – including the best ways to tackle burnout, effective communication with the board, new AI tools, plus actionable tips and perspectives from current CISOs in our popular “CISO Success Stories” series – and for those enterprise leaders looking to better understand and support the role, check out these articles in Focal Point, Tanium’s award-winning online cyber news magazine.

• 4 Critical Leadership Priorities for CISOs in the AI Era | Tanium
• How CISOs Can Fight Burnout and Extend Their Careers | Tanium
• CISO Success Story: A Real-Life Marvel ‘Superhero’ on AI Fighting Cybercrime | Tanium
• CISO Success Story: Predicting Cyber Risk (Accurately) Is Easier With This Guy’s Formula | Tanium
• CISO Success Story: How LA County Trains (and Retrains) Workers to Fight Phishing | Tanium
• The CISO’s Guide to the First 90 Days | Tanium
• The CISO’s M&A Survival Guide | Tanium

Transcript

The following interview has been edited for clarity.

Steve Zalewski: I burned out multiple times. It was not good. I used to joke about how people would text me at 2 in the morning and I’d text back, and they’re like, “What are you doing up?” I’d go, well, security never sleeps; it’s a 24/7 job. Because even if I want to sleep, an incident happens. You’ve got to get going.

Melissa Bischoping: Chief information security officers, or CISOs, are feeling the heat these days, especially with new rules from the Securities and Exchange Commission. The SEC’s new rules on cyber transparency went into effect in late 2023, and the lawsuit against the SolarWinds corporation and its CISO, Timothy Brown – which was the first time they had ever targeted a specific CISO – well, it’s left a lot of executives stunned and stressed out like never before.

Hi, I’m Melissa Bischoping, director of endpoint security research at Tanium, and today on Let’s Converge, we’re talking about CISOs and burnout – and how these vital security professionals can extend their careers and preserve their mental health.

A recent survey of small to midsize companies found that 94% of CISOs suffered from work-related stress and it was affecting their jobs. Another survey found that only one in three CISOs receive D&O insurance, which is a specific type of insurance that protects directors and officers at a firm. These aren’t good numbers, and they’re leading to more and more CISOs choosing to leave the profession.

Joining me to discuss what CISOs can do is Steve Zalewski, a former CISO and security architect, and more recently the founder of S3 Consulting, which provides expert cyber guidance for security companies, venture capital firms, and other enterprises. Welcome to the podcast, Steve.

Zalewski: Thank you, Melissa. I appreciate you having me on.

Bischoping: So before we dive in here, let’s just say at the outset that the CISO role has always been fraught with stress, and there’s a lot of stuff that goes with the territory that adds to burnout potential. But in recent years, that seems to be on a pretty significant upward trend. What do you think is the reason behind this?

Zalewski: Changing expectations. Historically, the CISO has worked for the CIO – it is a technical role, and the job of a CISO is to deploy technical tools to be able to secure the company. So I jokingly say my [previous] job was to inflict friction in a perfect business process to make it inefficient, but in order to stop attacks. And that was great for a while. But more and more of the lines of business are simply saying, I want to negotiate the amount of friction that security is putting into my business process. And now that means as a security practitioner, I go from a technologist trying to secure the company to a risk manager who’s here to protect the business. And that’s where a lot of the conversations have gone to. It is now where our job is: to enable the business.

At Levi’s, I used to say my job was not to secure the company nor to protect the business. It was to sell more jeans. So how do I have a business-risk conversation with the leadership team, not a cyber-risk conversation? As a result of that, to your point about the SEC, we’re now being held accountable from an executive risk perspective, while many of us are simply technologists at heart.

Bischoping: So let me back this up a little bit: Specifically, when you were a CISO – the workplace pressure you were under in that role, having to battle all of these different things – did you feel that gradually creep up on you, or was there a specific sort of breaking point for that level of burnout and stress?

Zalewski: It grows. I would say it’s similar – but maybe not the right analogy – to having a child. And you have the terrible twos, and then they become teenagers and they go into the tunnel. And then they come out of the tunnel, and it’s good. Well, building a security program and running a security program is a lot like that now. Because when I come in, there’s a certain set of expectations about what that program is. But the expectations of the child – which is the company itself, the executive team, the board of directors if they’re public – [are] maturing. They’re understanding, I either want technical measurement, or do I want risk measurement? Do I want business metrics? And the CISOs are coming in primarily as technologists or maybe coming in from banking where they’re more around risk registers – there’s this maturing on both sides, which means what was good two years ago isn’t going to be good today. But it’s not a fixed maturation path.

We’re figuring it out. So that’s why you see a lot of the stress. Because it isn’t obvious, like how to be a CPA or a lawyer. We’re figuring out how to be a CISO. And many people don’t necessarily see those transition points, and so then they either get burned out and leave because the way they were operating, they can’t sustain anymore. Or the expectations of the leadership team change and they’re simply saying, “I like you, but I need to have a different conversation with you.”

Bischoping: So looking at your background, you’ve worked for Pacific Gas & Electric, you’ve worked for Levi Strauss, so you’ve worked in retail. Do you see those industries hitting the same or different pain points as they struggle to reach those different levels of maturity and mature their processes alongside the industry?

Zalewski: At the technical control level, it’s all the same technical controls – identity and access management, network protection, endpoint protection. But if I look at what types of attackers are coming at me and what my obligation is to protect the company data but also the consumer data, it’s very different. And then I look at the controls that are being put in, like SOX controls or HIPAA controls and how I’m doing that. And then I look at young companies, small to medium enterprises that are SaaS-based, which don’t have heavy regulation or don’t have big security teams because they don’t have the money. [These are] the snowflakes, this is what the reality is as you’re understanding that. And so the individual security practitioners as they move in those verticals or under those things – very different.

So I’d say at a macro level, you have the S&P 500 CISOs – the big public companies, they’ve got large security teams, they’ve been in it for 10 or 15 years. We’ve grown through it, so we know what a large security program is. And then you’ve got all this new generation of small to medium enterprise – SaaS companies coming up or doctor’s offices or medical complexes – where they might not have a security team or they have a very small one, so they can’t deploy 25 security products.

Bischoping: Something that’s very near and dear to my heart is the political nature of the workplace and relationship-building. One of the things I have talked a lot about as I’ve grown through my career is that if you want to be successful in security, the thing that’s really going to set you apart is being able to build relationships and communicate with other parts of the business in terms they understand and recognize and be able to demonstrate security’s value to other parts of the business. And I think a lot of times security teams, especially the CISOs, the leaders of those teams, are seen as, “They’re just here to tell me no, that I can’t do something.”

How would you go about educating and advocating for how the security team is there to facilitate better business practices and maybe build some of those relationships to get more parts of the business on your side?

Zalewski: So, brutal truth: Security is a non-functional requirement in a functional-requirement world. Nobody would implement security if they weren’t forced to, because it doesn’t make money for most companies. It’s a friction, and what we want is an efficient business process to sell more jeans. So let’s acknowledge that, while we say, “Hey, we’re here to help you, so let me explain cybersecurity so you understand why my job is important,” it can still put friction on their job. So it’s a very difficult conversation to have.

Bischoping: Yeah, I think that’s why it’s often, at least in my experience, been more powerful to go and say, “Hey, I need this new security control. We’re being forced by regulation or by someone higher up. We have to implement this new security control. Let me work with you on the implementation to reduce friction. We’re all in this together.” But that still is met with a lot of resistance.

Zalewski: Absolutely. When I talk to other CISOs, I jokingly ask what’s the number-one security metric that I guarantee that every employee will pay attention to? And people will say, the number of attacks or the number of phishing exercises. No! The number-one metric is if you implement the security control and it increases by 20% the likelihood that you’re going to get a hundred percent of your bonus? I got your attention. That’s the reality.

So let’s talk about the tax of security against the cost of security if we don’t do it, as it relates to impacting you. OK? Change. That’s business. That’s a business conversation now, not a security conversation. And that’s what we’ve got to get to. And that’s what I said when I was at Levi’s; I said my job was to sell more jeans. I would ask a vendor, “OK, endpoint protection: How does what you do sell more jeans?” “Oh, I don’t know, Steve. We’re here to provide security, so therefore these attacks don’t happen.” That doesn’t help me. The business doesn’t care. Where’s the business risk analysis, right? I used to say, “My job was to be able to allow Levi’s to triple their revenue in the next six months and not have to triple my security program to support it.”

Bischoping: I think that’s a great perspective.

Zalewski: Where’s the risk analysis? And so I tell people, when we went up to the board, we used to talk about security controls, we used to talk about attacks. And we realized the only things we wanted to be measured against when we went up to the board were three things: I’m here to protect the brand; I’m here to protect the people; and I’m here to protect the supply chain. That’s it.

From a business impact analysis, I better make sure my brand, which means my consumer data, isn’t compromised, because you can go buy jeans somewhere else. My people are my weakest link and always will be, so what am I doing to manage the attack surface for my people? And my supply chain is absolutely mandatory, because if I don’t have jeans in stores, I’m out of business. So what am I doing for my physical supply chain and my cloud supply chain to make sure that’s not compromised so we stay in business? Everything I do better be against those three things because that’s what’s important to the business.

That’s an aha moment for a lot of people to now realize what it means to have a business-risk conversation and position your security program as that component.

Bischoping: I love that you put it in that perspective. I mentioned earlier I worked in the oil and gas industry, and one of my security mottos when I was working with my leadership was, When you’re in a manufacturing or an oil and gas environment, safety is always number one. How can I tie my security efforts back to keeping people safe so that equipment doesn’t explode or accidents don’t happen on a manufacturing line? And that really resonated. So I think in any industry, no matter what your company is, they all have a business objective that’s top of mind. And aligning your work to that business objective is a better way to get that buy-in, it sounds like.

Zalewski: I’m going to add one more piece, and this gets back to the stress. Most executives are business executives, like you’re listed in IT. Their job is to execute a business function to generate revenue. That’s it. So whether I’m laying a business application, let’s say it’s oil and gas and I’m trying to make sure the pipeline’s right and find oil, that’s my job. I have control over that. I have control over the issues that can do that. I have to do the geology. I have to know how fast I can get my supplies in.

The thing about security is I don’t control my destiny; the bad guys do. They’re attacking me all the time trying to find weakness. So all my best-laid plans every day are disrupted because I have to respond to where they’re being successful. And the thing about that is, as I tell people in security, the impossible happens every day.

I put all my controls in, it all looks good, and somehow they find a way through because somebody made a mistake or a vulnerability was exploited, and now I’m on the defense and I’ve got to reestablish perimeter, and then I still have to try to establish what I was planning to do, where I’m constantly reacting. That is a relatively unique position that security has, compared to all other types of business functions. So we get really, really good at crisis management. But when you are a surgeon in a MASH unit and you’re in the war and the soldiers are coming through day in and day out, and you’re trying to just keep them alive and figure out who lives and who dies and keep the company moving forward – that’s exhausting.

Bischoping: Exactly. So you’re talking about a lot of different skill sets and all of them are really hard, but when you combine them all into one role, you’ve got this sort of perfect storm of stress that directly contributes to the burnout because you are having to constantly think about a hundred different variables. You’re planning for unknown chaos that may or may not ever happen but you have to be ready for. You’re planning for the zero-day of the century to disrupt your holidays or your weekends, but maybe it doesn’t happen. And being at that level of vigilance and preparation is physically and mentally exhausting.

So how do we, not just CISOs but in the industry as a whole, what is your advice on tactics and strategies to be able to disconnect, to be able to preserve your mental and physical health? Because it’s not healthy. We have scientific studies coming out, one recently out of the United Kingdom showing that the effects of ransomware and breaches can be tied to cardiovascular health issues, mental health issues. How do we advise our peers, our employees, and our friends in the industry to protect themselves?

The more that we’re able to get people to understand what it’s really like in the day of a CISO, and they understand, then it becomes a little easier to be able to talk about how we manage this stress. This is a very, very stressful situation. Let’s acknowledge that. I don’t think a lot of people understand what a true executive CISO is up against, and what demands of the industry are on us as we’re trying to figure out some of this new stuff. But that then falls on us, OK? And when do you realize you have to step away?

When I was at Levi’s, we were two-deep with leadership. There were two of us so that we could spell each other if we got into incidents, or you could take a vacation, because the other guy could step up. There’s not a lot of two-deep leadership, right?

Bischoping: I mean, that’s a heavy investment financially.

Zalewski: And that’s what we’re saying. See all these pieces? …This is what it’s like to be a CISO. This is a day in the life of a CISO as an executive, one who looks through all these pieces and is trying to manage it. There’s no simple answer. But the reflection of folks like me to be able to give people an independent view of all the moving parts and how we’re trying to make the different parts move together and have that conversation to know what’s possible versus what’s probable? I don’t have any simple answers. I was part of that.

I burned out multiple times. It was not good. I used to joke that people would text me at 2 in the morning and I’d text back, and they’re like, what are you doing up? I go, well, security never sleeps. It’s a 24/7 job. Because even if I want to sleep, an incident happens. You’ve got to get going.

I don’t control my destiny. And so those are the types of impacts where if everybody starts to get a better feel for what that’s like, we can manage expectations better.

Bischoping: It’s not sustainable for any one individual to spend 24/7, 365, waiting for the phone to ring. There does have to be some delegation of authority, some rotation of duties. And when you’re talking about something at the level of the C-suite, you’re right, most organizations are not going to go two deep on that kind of authority. You might have a deputy, but you might not, especially if you’re a smaller organization. We were talking earlier about things like doctor’s offices and small community hospitals. Do they have multiple CISOs available? Probably not.

Bischoping: I once had a friend of mine who works in mental health tell me that oftentimes the first step to dealing with stress, depression, anxiety, is just acknowledging that it’s valid, acknowledging that you are experiencing that stress and that stress is affecting you. Just having the recognition around it. You can’t necessarily wave a magic wand and have it go away.

Zalewski: Yep. Absolutely, and we’re having the conversation. See what we’re doing? We’re building community.

Bischoping: Exactly.

Zalewski: We’re trusting each other to talk about the brutal truths, not to place blame but to look at the problem and figure out what we want to do about it together. And that’s the key aha moment where people are just understanding what it’s like really to be in the security industry.

Bischoping: Before we wrap up here, I just want to ask if there’s anything I’ve left out or you have any final words of wisdom for either CISOs who are feeling like they’re experiencing burnout today or those who are concerned they may be on the brink of that. What would you want to say to them as a final word on how to be better, more effective at their job, and be sustainable?

Zalewski: What I would say is for a lot of them, when COVID hit, in those three years of us not getting together and building community, that created a rift. Right? So… get out and talk. Meet each other again. Let’s build that support network and put it back together. Because the more we have these kinds of conversations, that’s probably the most effective thing that we can do to build that community and understand all this and work together. Because that’s what I’m here for, right? That’s what I say, which is, let me share my experience. Let me work you through the problems in a way that we understand where there’s new expectations.

How do we change some of the conversations so that we’re not put in a situation where there is no answer but we just keep doing the same thing over and over again, until we understand hitting our head against the wall isn’t working. So let’s stop hitting our head against that wall, ask a different question, and try to move on. We may end up hitting another wall, but at least it’ll be a different wall.

Bischoping: Maybe a whole room of walls. [She laughs.] I do love that at the end of this – y’know, we started the conversation talking about how the CISO used to sort of be a technical role, but it really has come back to a role about building community, building relationships, building strategy and communication, and the importance of that human connection in making it a sustainable career choice for yourself. So thank you again for all of your insight. I appreciate it today.

Zalewski: Thank you, Melissa. I enjoyed it. And for everybody out there who will hear this: Reach out. We’re here and we are a community, and… when you hear this, don’t think about this as, “Wow, why would I ever want to be a CISO?? It’s the best job I’d never want,” but rather, “This can be incredibly satisfying, personally and professionally, and we are going to figure this out.” And we need the best out there to be able to support us. So come join us in the journey.

Bischoping: Thanks, Steve.

I’ve been talking with Steve Zalewski, a former CISO and the founder of S3 Consulting. If you’d like to learn about more expert advice for and by CISOs, check out Focal Point, Tanium’s online cyber news magazine. We have links to several relevant articles here in the show notes, or you can visit us at Tanium.com.

To hear more conversations with today’s top business leaders and security experts, make sure to subscribe to Let’s Converge on your favorite podcast app. And if you liked this episode, give us a five-star rating.

Thank you for listening, and we look forward to sharing more insights on the next episode of Let’s Converge.