Deloitte UK CISO addresses stress and burnout in cybersecurity

Stress and burnout are increasing within the cybersecurity field. Research has discovered that security teams and leaders are suffering from the pressures of keeping modern business secure in an ever-demanding environment of risk, threats and challenge. The negative impact of such issues on both the capability and longevity of security personal is requiring CISOs to act to address stress and burnout within their teams.

Jitender Arora, CISO of Deloitte UK, is a security leader whose recent efforts in this area helped earn him the number one spot in this year’s UK CSO30. Speaking to CSO during a virtual ceremony to celebrate the UK CSO30 2021, Arora reflects on recognising the causes and importance of understanding the role that stress and burnout plays in cybersecurity, along with detailing his own strategies for tackling these issues within Deloitte UK.

Business demands cause cybersecurity stress and burnout

“When people are working in security, it brings a lot of responsibility with it,” says Arora. “There are a lot of decisions that need to be made when quite often nobody knows the answer and it comes to the CISO function to decide what should or should not be done. Security walks a fine balance between what the business needs versus the risks and threats it faces.”

The requirement to regularly switch between those contexts puts enormous demand on (often small) security teams, because security is so important to almost everything businesses do. When that is happening, it’s not surprising that it creates feelings of stress and burnout for security professionals.

Prioritisation key to addressing stress and burnout in cybersecurity

Arora admits that an organisation as vast as Deloitte is very demanding in terms of what it expects from its security function, and an integral element in his approach to addressing this has been a focus on prioritisation. “We can’t do everything, so it is about how we make sure we are focusing on the right priorities in the right order so that we are enabling the business but at the same time striking the fine balance in securing the organisation.”

This is something the CISO must drive from the top of the security function and doing so allows you to give top cover to your practitioners, Arora says. For example, an unrealistic demand may require a security response within 24 or 48 hours, and that’s when the CISO must engage with the business stakeholders to show them security’s workload and ask them to be more empathetic to their people. “If we push and push people, we run the risk of breaking them,” says Arora. “Having clarity and transparency in leadership is very important and having dialogue with the business is absolutely essential.”

Ensuring mental capacity in cybersecurity teams

The chief aim in addressing stress and burnout in security teams is to ensure your employees have the mental capacity to not only carry out their tasks but also engage in personal development activities and breakout time, something that has taken on greater significant since the outbreak of the COVID-19 pandemic and shift to mass remote working, Arora says.

“The pandemic has created a situation where people start at 8.30 am and have back-to-back calls until 5.30/6.00 pm, and that creates a lot of stress. One thing that has really worked for me are virtual hallway conversations, as I realised I wasn’t having those useful hallway conversations anymore where I could check the pulse of the people.” Arora now holds regular one-to-one calls with almost every member of the CISO function, whether they work directly for him or lower below.

Having those interactions about how each person is feeling, how he can help them more, and learning about their families works well. “It’s all about that connection and giving your team bandwidth and support – creating a culture where people feel their colleagues have each other’s backs,” Arora says. “As a leader, I can instil the understanding that it’s OK to call for help. It’s OK to say your workload is getting a lot and that need some help to manage it.”

Arora has also introduced the team to external experts to support and guide them with proactive steps to help manage well-being and mental health, along with implementing interactive team building events to further develop collaboration, boost morale, well-being, and have fun. He believes creating a work environment of mindfulness and an open-door policy where people can thrive and talk openly is pivotal to tackling their stress and reducing burnout.