The CISO’s Guide to Mental Health

In the first few months of the COVID-19 era, Mark Eggleston, like other security executives who own business continuity, said he was feeling the stress that pervaded his organization.

As vice president, chief information security officer and chief privacy officer of Philadelphia-based Health Partners Plans, Eggleston said he was spending back-to-back virtual meetings, day and night, working out the secure transition of the nonprofit insurance provider to a fully remote workforce. It was a relentless effort, executed while working from home and surrounded by the dynamics of a family that was itself navigating the early disruptions of the pandemic.

Fortunately for Eggleston, there was another toolbox next to his security stack – the skills he honed from seven years as a psychotherapist. And in the long days leading to an ultimately successful transition to a 100% remote workforce, Eggleston said he frequently returned to an important question.

“Everybody’s situation is a little bit different. But you really have to start with, ‘How are you feeling today?’” Eggleston said. “You have to pull some old strategy out of the playbook from when people were taking the couch.”

Occupying a role traditionally considered to come with an extraordinary amount of unique stress, Eggleston and two large-enterprise information security executive peers said they drew on a specific set of skills and techniques to support the mental health – and performance – of themselves and their teams while entering the COVID-19 era.

The convergence of a pandemic, social unrest and economic uncertainty has only galvanized their role as people leaders, they said, and has reinforced best practices that will continue to pay dividends into the future of the CISO role.

“I always say, it’s people, process and technology – in that order,” Eggleston said.

The Nexus of Mental Health and Information Security

Almost half of CISOs - 48% - said the level of stress they were under had negatively impacted their mental health in a February 2020 report by Nominet, a domain name registration organization in the UK. The underlying survey of 408 CISOs in the UK and US notably came before COVID-19 forced many organizations to remote work, which created profound new challenges for information security leaders.

Still, 71% of CISOs at that time said their work-life balance was heavily tilted toward work, with only 2% responding that they could switch off after hours. Citing burnout due to stress, the report found the average tenure of a CISO to be 26 months.

Having long practiced routines to support personal sustainability in his role, including regular early-morning exercise, MassMutual CISO Jim Routh said he wasn’t concerned about his infrastructure’s resilience in moving to a remote work model due to COVID-19. The $554-billion-asset life insurance organization has a world-class security program, and previously tested the systems that would enable remote work.

His concerns, Routh said, centered on the resilience of his people.

“As leaders, and CISOs specifically that have to protect the enterprise, there’s no question that the work-from-home model extends the attack surface, creating more opportunities for threat actors. But the greater concern for me was actually the sustainability of the employees that we rely on to protect the enterprise,” he said.

Routh said he advised employees on a framework to ensure they were adequately adjusting to the “new normal” of working from home. First, establish what is necessary on the calendar for health, such as regular exercise. Second, establish what is necessary on the schedule for family. Only after those norms are established, Routh said, comes the third step – solidifying the work schedule.

“If you can’t sustain your health, it’s actually going to impact your work. It’s just a matter of time,” he said.

The stressors on staff evolved, Routh said, as thousands of people in communities across the country began regularly demonstrating in support of movements such as Black Lives Matter and reform for policing. As such, Routh said he has worked to evolve himself.

“I’m retooling myself for the times in real time, meaning that I’m learning how to speak about race, even though it’s uncomfortable,” Routh said as mass demonstrations were first occurring around the country. “I have to learn how to view my world through a different lens than privilege and systemic racism and learn how to communicate effectively as an ally.”

Routh shared three books on the subject for other business leaders to consider – “We Can’t Talk About That at Work,” by Mary Francis-Winters; “So You Want to Talk About Race” by Ijeoma Oluo; and “How to Be An Inclusive Leader,” by Jennifer Brown.

“We’re not just information security leaders – we’re business leaders,” he said.

“What Have You Done for Yourself Today?”

As employees began working from home in the early stages of the pandemic, Stephanie Franklin-Thomas, CISO at Houston-based petrochemical manufacturer Motiva, said she noticed a consistent problem. Staff were “always online.”

“It quickly became clear that people weren’t working eight to five, they were working 12 hours a day, and that’s really not acceptable for anybody’s mental health,” Franklin-Thomas said.

So, she started pulling the plug.

Franklin-Thomas said she began requiring employees to “do something for themselves” every day, be it exercise, simply going outside or otherwise. It became the first question in every meeting – “Have you been outside today? What have you done for yourself today?”

Cultivating a “family” dynamic among staff has been key to fostering effective and sustainable work, Franklin-Thomas said, even while navigating the dynamics of a partially remote work environment in the early days of the pandemic.

“I always start a team meeting with an icebreaker, and that icebreaker is usually something that has nothing to do with security, or even nothing to do with work,” she said. “But I’ve learned a lot, just over these icebreakers, about what kind of movies people like, who’s married to who – it’s amazing how much you learn from folks, and then you are able to interject that into conversations as you build the relationship. That carries you even further than work. They understand I’m invested in them not just as their CISO, but as a family. I understand you, I understand your work – you are now at home, homeschooling, cooking dinner – all of these things at one time. Just understanding people for who they are goes a long way for getting people to work with you and work for you.”

Franklin-Thomas stressed that, just as in a real family, the dynamic she strives to build with her staff opens up the stage for disagreements. That’s part of the plan, she said.

“If you’re able to establish it where everybody has a voice, and everybody can share what they think and share their ideas like in a family, you get much better ideas, and much better production, across the board,” she said. “There are many, many ways to do that, but probably the simplest way is getting to know people.”

Self-awareness and Empathy

With three teenage children, Eggleston, the Health Partners Plans CISO, said a work-from-home environment has been an excellent opportunity to connect with his family while maintaining a productive work schedule. He drew contrast with the challenges faced by those who have younger children at home, perhaps in multi-generational households and with multiple people working remote from the same table.

Recognizing those differing situations, and remaining purposeful in interactions across the organization, is an important cornerstone in effective working relationships in a largely work-from-home era, Eggleston said.

He cited a concept he carried forward to the CISO role from his time as a psychotherapist known as “therapeutic sense of self.”

“In short, it’s basically making sure that all your actions, your verbalizations with a client, are really centered around them, and you must have a lot of self-awareness in order to do that,” he said. “What follows from that is keeping in mind that everybody might be coming from a different position than you.”

Eggleston described how a traditional CISO risk analysis should extend to the scope of considering, and empathizing with, where business stakeholders are in their personal lives.

“It’s about understanding that everybody is going through their own little battles, and you really have to see where they are before you come up with any ideas or solutions to help them cope,” he said.