Preventing Burnout as a CISO and CIO: Practical Tips for Greater Resilience

Staying Healthy as a CISO and CIO: 7 Effective Ways to Avoid Stress and Burnout


Without health, we can’t protect our companies from cyberthreats. The roles of a CISO or a CIO are very demanding, and it’s difficult to avoid negative stress that can lead to burnout. This includes constant communication with stakeholders from different departments, the general underestimation of investments in IT security and IT infrastructure in companies, as well as the broad scope of responsibilities that covers all processes in the company. Here I give you tips and strategies to prevent burnout as a CISO or CIO.

IT Security is Teamwork Involving the Whole Company

If you identify a widespread lack of resilience, data security, or security awareness in your company, you should not take full responsibility upon yourself. A successful transformation of business processes and adaptation of IT infrastructure requires collaboration with other departments. Without their support and the real support of C-level management, you’ll achieve little.

Recognizing the environment and understanding the real possibilities for implementing secure processes, as well as complying with legal regulations, will help you set realistic goals and reduce your stress. But there are exceptions: When I couldn’t work in a company because too little was possible, I left the company.

Log Your Time to Optimize Your Tasks

This is about identifying which tasks are particularly time-consuming and whether we’re taking on too much. In most companies where I’ve worked as an architect, there was already a time recording procedure for all departments that was suboptimal for IT. First, we should try to reorganize projects and tasks to answer our questions about time usage. For example, we clarify why so much time was invested in meetings or administration. However, this isn’t always possible: Once, I informed the controlling department that recording time in an old SAP module cost about 9% of my team’s monthly working time. Two months later, we introduced a new procedure that provided valuable time expenditure information both for them and our team. Finally, I must confess that sometimes I have to record time in two systems: superficially for controlling and in-depth for my team to make decisions.

First, I defined the process for myself. When I could answer my questions about time usage with it, I asked the other team members to use it. During retrospectives, I checked whether adjustments were necessary.

Please look at the time sheets of your team and ask yourself if you can make decisions with them.

With Data and Priorities, You Can Say No

If you have time tracking with useful data, you can better advocate for more staff, postpone the implementation of security measures with low impact, and cancel projects. Yes, there’s pressure from stakeholders, but those who can back their points with data are in a stronger position to persuade.

Because you can’t do everything, you must prioritize. We identify the three biggest threats and calculate their probability as well as the losses for our companies and the costs of prevention or mitigation. If these are at a tolerable level, we choose the next three. In the coming weeks, I’ll write an article about this complex topic.

Hydrating and taking breaks helps you stay focused as CISO

Define Processes

If you have a documented process, you can make improvements step by step, which is impossible with an ad hoc process. Additionally, you’ll see if your idea of organization matches reality and if new steps are necessary. Often, after I have documented the steps, I can also see if other people can follow the process.

I’m used to defining processes even for my hobbies like producing music and practicing piano, so I see no disadvantage here. If you see one, please write me a comment.

Delegate

This will spare you a lot of time. To delegate, you need trust in others, time for training, and an open approach to mistakes, so it could be challenging at first.

When I was leading a team of developers, Johannes, a developer fresh from university, and Felix, a trainee with no programming knowledge at all, joined us. When I delegated two important topics to them, I saw how they unleashed all their passion for solving technical problems and they did a great job. Despite the risk of things going wrong, I tend to delegate and save so much time.

Take Breaks and Drink Water

For years, I didn’t believe that breaks were necessary for productive work. When I was in the flow, I thought any interruption was bad. Now I notice that my attention declines after 60 minutes without a break or movement. That’s why applications like Workrave or Stretchly now inform me when I need to move or drink water. Breaks increase my productivity, and I’m not as tired when I finish work. Afterwards, I have energy for my family, my social life, and my hobbies.

Write Down the Status and Postpone Until Tomorrow

Sometimes I really want to complete my last task and often overestimate how much time I still need. This leads to unproductive overtime. Now I use a strategy to work and sleep better: I write the most important points of my status on a note and stick it on my work laptop. The next day, I won’t miss it.

What Tips Do You Have to Prevent Burnout?

Since every person is different, I’d be happy to hear about your strategies and methods for reducing the stress of your team and yourself.
