The CISO role is stressful, and there is often a temptation to get emotionally involved in your work, to identify your self-value with your perceived value at work.
Don’t do this.
You are in the role to secure your employer, and you do not serve that role by letting your ego and emotions get in the way.
It’s possible to care too much. Giving the right number of fscks is key. Give too few, and you are obviously not doing your job. Give too many, and you are less obviously not doing your job—and that’s what this blog post is here to explore with you.
Rather than try to fight the temptation, the better strategy is to ensure you have, you know, a life. A life outside of work, that is. You work to earn money to support your life. Your work is not your life. Your work is not a source of emotional satisfaction. Your work is not the source of your self-worth.
I don’t know who needs to hear this message, but it’s probably me.
What’s the saying—teach what you most need to learn? And here we are.
I can’t tell you what kind of life you should have outside of work, and I won’t tell you what kind of life I have outside of work (because that is none of your business), but I can highlight some of the stumbling blocks that a CISO can face in their role.
Most people don’t like or appreciate the value that the cybersecurity job function provides the business. That’s just a cold-blooded, unemotional fact. No way around it. Not likely to change anytime soon. Maybe in a couple of generations, but that’ll be long after I’m gone from this earth. So don’t hold your breath waiting for it to change.
So letting your ego and sense of self-worth hang on what ignorant people think of your job and your job performance would clearly be a foolish thing to do, would it not?
Because security work is fundamentally about both whole-of-company risk management and change management, the CISO frequently comes into some form of conflict or friction with other teams. Changing the way we do things to improve security unavoidably means other teams will object to changes they (most often) neither like nor understand.
People can become passionate and upset when you tell them they have to change how they do things. Let them feel that way. You can’t stop other people feeling whatever they feel. But you can take a deep breath, and explain for the umpteenth time in your career that security is important, and work the levers of corporate power to ensure risk is either properly mitigated or accepted.
Whether you succeed or fail is not completely within your power. Life is messy, security risk management is messy, and you can’t achieve perfection, nor are you trying to. Sitting in the mess and chaos and keeping a smile on your face is a key success factor in the CISO role.
I’m not saying it’s easy. It’s one of the hardest parts of the job. But you have to do it. The alternatives are noticeably inferior.
Check your ego and your emotions at the door.