Cybersecurity teams protect systems but neglect people

After all the effort it takes to break into cybersecurity, professionals often end up on teams that don’t feel welcoming or supportive.

Jinan Budge, a research director at Forrester who focuses on enabling CISOs and other technical leaders, believes the way most cybersecurity career paths are structured plays a role in this. Because most team managers are promoted from technical roles, they often lack the leadership and interpersonal skills needed to foster healthy team cultures or manage stakeholder relationships effectively.

This cultural disconnect has a tangible impact on individuals. “People who work in security functions don’t always feel safe, psychologically safe, doing so,” Budge explains.

Forrester recently published research showing a strong link between low psychological safety and organizational issues such as absenteeism, siloed communication, and, more alarmingly, an increased likelihood of security breaches.

“In some instances, the less psychologically safe the team is, they are three or four times more likely to be exposed to a breach,” says Budge, who encourages cyber pros who find themselves in such environments to engage in honest self-reflection. “It’s important to examine: Is this really toxicity? Is this something I am able to influence? Am I able to change? Is this a me problem or is it rather an issue with the organization itself, with my boss?” she says.

In addressing such questions, Budge recommends enlisting resources such as employee assistance programs, executive coaches, or even psychologists for support. And if the core problem lies with the organization, she advises strongly considering an exit.

Still, many professionals hesitate to leave toxic workplaces, worried that short tenures will hurt their future job prospects. Budge sees this as a common concern, noting that many people stay in unhealthy environments simply to meet an arbitrary 12- to 18-month minimum. Cyber pros who find themselves in this situation should take note that, in the context of hiring, Budge believes this kind of rigid thinking about prior tenure lengths no longer applies. “I feel like those days are gone,” she says.

To reduce the risk of misalignment, Budge recommends conducting due diligence when evaluating potential employers, particularly for leadership roles. “Imagine if you go to work for a legal firm that only wants a CISO to do ISO 27001 compliance. That’s not going to work for you” if you’re seeking to be a transformational leader, she says, emphasizing the importance of aligning personal strengths and motivations with the company’s overall direction.

Patrick Glennon, CTO at IDIQ, adds that functional staff should also seek out the kind of work that energizes them. For instance, those who thrive on investigation might find rejuvenation in combing through web application firewall logs and correlating them with system access logs to uncover meaningful patterns. “I would lock into the things that got you in there in the first place,” he concludes.

Cybersecurity is stigmatized as a blocker

Bharat Mistry, field CTO at Trend Micro, points out how CISOs can adopt a zero-risk mindset by enforcing blanket controls without engaging key stakeholders, a strategy that can further isolate cybersecurity within IT, a function that is often already siloed.

“You’ve got network teams, you’ve got server teams, you’ve got the IT applications teams, and then you’ve got the security team at the back of the chain,” Mistry says, adding that this isolation ends up shaping cybersecurity’s internal reputation. “Because they’re seen quite often as a department that says no, the reputation of the team is very much, ‘They’re a business disabler, not an enabler,’” he says.

To overcome this internal disconnect, Mistry recommends hosting events that give the cybersecurity team a chance to share insights on the broader threat landscape and the organization’s current posture, while also inviting input from other departments. “We want to understand how you guys are working, what are you facing, and what are the new regulations you need to cope with. And then let’s work hand in hand in a joint strategy to work out how we can enable you to work better, faster, and quicker,” he says.

This kind of dialogue can help dispel a persistent myth. “Cybersecurity is seen as a technical issue, and the perception in most organizations is that it lies within the IT team. But the reality is: It’s a company-wide issue,” Mistry says.

To reinforce this point, Mistry encourages empowering cyber champions: voluntary advocates from departments such as HR, marketing, and legal who can help demystify cybersecurity for their peers, improve awareness of associated risks, and promote good cyber hygiene.

Richard Addiscot, vice president analyst at Gartner, sees these informal roles increasingly being formalized into positions like the business information security officer (BISO), reflecting the growing need to embed security into the business at every level. “These roles are there to be the conduit between the security function and the business to ensure that whatever the business is looking to achieve can be managed,” he says.

Even with such champions, Addiscot stresses that communication must begin at the top. CISOs must clearly articulate how their work aligns with broader business objectives. Such alignment, however, can be difficult to achieve.

“There’s often a disconnect between what communication the business is expecting and what the CISO is actually communicating,” Addiscot explains, noting that this gap typically stems from the CISO’s technical background. “Picking up business acumen, understanding how the business works rather than being a technology guru is a fundamentally important shift for any midlevel security manager who wants to find themselves in a true C-suite CISO role,” he says.

Cybersecurity teams must also rethink how they approach risk, as relying solely on strict, one-size-fits-all controls is no longer tenable, Mistry says. Instead, he advocates for a more adaptive, business-aligned framework that considers overall exposure rather than just technical vulnerabilities. “Can I live with this risk? Can I not live with this risk? Can I do something to reduce the risk? Can I offload the risk? And it’s a risk conversation, not a ‘speeds and feeds’ conversation,” he says, emphasizing that cybersecurity leaders must actively build relationships across the organization to make these conversations possible.

Without such efforts in place, cybersecurity’s isolation can take its toll on one’s experience of the career.

Stakeholders expect da Vinci

Anthony Diaz, CISO at Exterro, highlights another tough reality of a cybersecurity career: the relentless pace of technological change. “Threat actors are quick studies, constantly finding new angles and leveraging the latest innovations, including the rapid leaps in AI. This demands that we, as defenders, are in a perpetual state of learning and adaptation, which can be quite demanding,” says Diaz.

It’s not just a matter of learning more; it’s also about doing more. According to the IANS and Artico Search report, 61% of cybersecurity staff work across multiple domains. For instance, among professionals in architecture and engineering, 23% also contribute to identity and access management, 26% to application security, and nearly half, 48%, to product security.

These expanded expectations are even more intense at the leadership level. Forrester’s Budge calls this the “Da Vinci Fallacy.” “CISOs are expected to be experts with mastery of skills that includes cybersecurity, technology, strategy, finance, people, and communication. That is quite a burden of expectations of any leader, particularly of security leaders,” she says.

To meet the increased demands on cyber pros, Diaz advocates for training programs, not just for the essential building blocks of cybersecurity but with risk management integrated as well. “This includes regular, realistic risk assessments and the development of practical mitigation strategies that consider both the technological aspects and the human element,” he says. He also champions mentorship programs that pair experienced professionals with newer team members to transfer risk assessment skills and core knowledge.

While cybersecurity professionals may face steeper learning demands than most knowledge workers, IDIQ’s Glennon believes that development opportunities are a powerful motivator. He points to conferences as a key example, where professionals can stay current on best practices relating to emerging technologies. “The more you do things like that, the more people stay invigorated and plugged into the role and excited about what’s going on. It’s employee retention and it’s employee development at the same time,” he says.

The emotional cost of constant readiness

Jason James, CIO of Aptos, notes that there is no downtime for cybersecurity professionals. They must always prepare for when, not if, an attack will occur.

“You stay on guard for so long that it does become emotionally draining,” says James, who prefers the term “work-life harmony,” which allows for shifts in focus, over “work-life balance,” which implies a false sense of equality between the two.

For James, achieving work-life harmony requires the ability to truly disconnect and recharge by doing things that bring joy and perspective. For him, that means reading non-business books like memoirs and taking family trips, such as a recent Disney cruise with his children. And he takes intentional steps to ensure his team does the same, by regularly reviewing how much paid time off (PTO) his team members are using and never denying a PTO request.

As a global leader, he’s especially mindful of cultural differences, particularly among American workers, who are often reluctant to take their leave. “As a leader, you need to be looking at their PTO and go, ‘Well, how much time have they taken off?’ And you’ll have people that are like, ‘No, I don’t want to.’ It’s like, ‘No, you need to,’” he says.

To get a clearer picture of work-life harmony across the organization, James cautions other technology leaders against relying exclusively on communication filtered through their direct reports. To stay connected and informed, he regularly conducts skip-level meetings, which allow him to engage directly with employees beyond his immediate line of management. “It’s to show that you’re not disconnected from the business, you’re not sitting in some ivory tower. The idea of leading is not being at the top, it’s being out in front,” he says.

James also emphasizes the importance of succession planning to ensure team members can take time off without worrying about continuity.

IDIQ’s Glennon shares a similar approach. He explains that cross-training through shadowing and knowledge-sharing helps build redundancy across roles, reducing risk when key personnel step away. “One of our main guys just took a couple of weeks to go to Europe. I think he checked in once or twice. And we can do that because we have two guys covering,” he says.

James acknowledges that while new technologies can aid in defending against bad actors, maintaining work-life harmony remains just as essential. “We have a lot of AI that protects our environments, but at the end of the day, I lead people. I manage services. And so it’s my duty to make sure that I’m also protecting the people that are protecting us,” he says.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4026880/5-hard-truths-of-a-career-in-cybersecurity-and-how-to-navigate-them.html

