After seeing many of you again at RSA last week and recounting how the career change is going, a number of you suggested I write something about it, so here you go, from 32,000 feet somewhere over the Midwest.
As most of you fair readers know, I recently transitioned my career from that of an 18-year CISO to an industry research analyst. While I am beyond thrilled with this next phase of my career, making the change from an always-on lifestyle to one of ‘normalcy’ was far more challenging than I ever would have imagined.
Like many of you, I have always been very involved with considerable aspects of the overall security program on a daily basis. From project updates to SOC metrics, governance, compliance, and privacy issues to Board reporting, and many day-to-day things in between, the life of a CISO is very much interrupt-driven. Sure we plan and strategize, but when you look back over the hours many CISOs spend working, the majority of it tends to lean towards short, critical, high-stress decision-making or problem-solving. I think it’s safe to say that most of us do not plan out our personal deliverables over weeks or months, even though our teams may. The CISO lives in an urgent world of the here-and-now.
Early on in my career, in those pre-internet days, first as an application developer, then as a system and network architect, then as a security consultant, I was hyper-focused on project work: a year-long banking application upgrade, six months to deploy a SIEM, eight weeks to review and update security policies, half a year to develop and execute an awareness program.
However, being a CISO requires one to develop one of the most fluid and dynamic feedback loop processes that would rival any other technology career. Envision long-term strategy -> understand the rapidly changing attack vectors & threat operators -> make daily decisions around proactive/reactive security posture -> ensure alignment with long-term strategy… Unlike those executives who lead IT Infrastructure, AppDev, or System/Network Engineering teams, the CISO’s ability to assimilate the rapidly changing risk landscape and adjust to keep a strategic plan in place is critical to the overall success of their program.
At first, the entire “decide here and now and pray for the best” mentality was an extremely uncomfortable process for me. I like to put thought into a plan, to strategize, to bounce ideas off peers, to set a course and feel accomplishment once it is achieved. However, over the years, my brain and my preferred way to work evolved, and dare I say, thrived. In his book, Blink: The Power of Thinking Without Thinking, Malcolm Gladwell conceptualizes ‘thin-slice’ thinking – making decisions in the blink of an eye – and how our brains are far more adept at such decisions than they are at critically overthinking the problems before us.[1] While I am not convinced that thin-slicing is the evolutionary advancement Gladwell purports, I do feel that most successful CISOs consistently blend thin-slicing with their experience and understanding of risks and threats to conceptualize a tactical solution to the issue which aligns with their longer-term vision.
Unfortunately, after two decades of always being ‘on’, of always being ready for an incident, of always preparing for the worst, I was left completely unprepared for when the day came when I needed to be none of those things. Years of training my brain to thin-slice and be hyper-focused on immediate decisions left me woefully unprepared for the scheduled and planned lifestyle I now lead.
At first, I admittedly was a bit lost. The urgency and immediacy, hell, the chaos, that fueled most days was gone. There were no more critical issues to manage. The Board wasn’t looking for an explanation of the latest report from the Wall St. Journal. I didn’t need to perform financial gymnastics due to an unrealistic & unexpected budget cut. I didn’t need to do anything other than execute on my well-planned schedule.
It was incomprehensible.
Instinctually, my gut reaction was that I was addicted to the stress of the job. A month after stepping away from my last role, I was still up at 4 am checking email; still reading the dozens and dozens of news feeds every day “just in case”; walking around feeling empty and like I was missing something, yet wound tighter than when I was behind the desk. Maybe it was the endorphin withdrawal, maybe it was the need to experience that rapid sense of achievement, or perhaps it was just the love of the never-ending stream of challenges to be conquered. In hindsight, all of these were indicators of how I’ve managed to adapt my life and my way of thinking to a job that required it.
A couple of years ago, I was interviewed by ESG on CISO stress and burnout and the impact it was having on industry leadership. In 2020, Nominet reported that 88% of CISOs were “moderately or tremendously stressed” and 48% said the role has negatively affected their mental health. One can only imagine how these numbers have changed following the pandemic and a couple of years worth of massive ransomware attacks.
In fact, when asked, this is the primary reference I use when I suggest that people do not look for a career path that ends up as a CISO. Over the past 18 years, I have had the true honor of mentoring many of those on my teams, as well as others in the industry. When I meet and discuss career goals, almost inevitably it ends with “I want to be a CISO”. When I asked them why, the response was always the same, “It’s where the money is.” True, but it is intrinsically tied to the level of stress you’ll be under as well, so go in with your eyes wide open.
Many of my current colleagues, most ex-CISOs themselves, seem to quietly chuckle when I talk about my challenges in making the transition. A knowing look and a nod of the head as they relate to their own personal experiences in stepping away from such a demanding role. There are always varying degrees of estimated time, but without question, the most common advice I get is, “Be patient – it will take months before you fully decompress.” Months.
At the end of the day, the fact remains that not only do I love what I do (or did), I wouldn’t change it for the world. Perhaps I should have listened to my intuition a little more and perhaps made a different decision now and again, but fundamentally, stress or no stress, not much would be different. That said, when half of the industry’s leadership is attributing mental health issues to their career, shouldn’t we be doing something about it?
I guess the first step is admitting it’s a problem.
My advice for those considering a future career change? Find time in your personal life to undertake tasks that require a long-term effort. Read that anthology, rebuild that classic car, paint that portrait – do something that gets your mind out of the thin-slice mentality and back into the contemplative, thoughtful mode it should be in. You’ll be better off for it.
[1]: I recognize that both Blink and its contrarian alternative, Think!, have been the subject of many heated debates over the years. Any such philosophical discussions are far beyond the scope of this piece, but always welcome over a glass of Cabernet.
Copyright © 2002-2024 John Masserini. All rights reserved.
John, as a prior CISO of a financial services firm myself, I couldn’t agree more with your article and the sentiment you articulated so thoughtfully. The adrenaline rush of the ‘here-and-now’ surrounding fast-paced CISO-level decision-making, combined with the sometimes instant gratification of solving critical business challenges in near real-time under very tight deadlines, is tricky to replicate in roles which have the luxury of introspection. However, it is precisely the deep-thinking analysis which often brings about the best results, particularly over the long-term horizon. Thanks again for sharing your thoughts on this important topic, John!