As companies rushed to prepare for pandemic-driven lockdowns, IT and security teams, often already overextended with inadequate budgets and infrastructure, had to quickly pivot. Here’s what CIOs in South Africa do, and CIOs globally can do, to remedy stress in the here and now while keeping the big picture in perspective.
In 2020, research found that nearly 90% of CISOs considered themselves under moderate or high levels of stress. Similarly, a 2021 survey by ClubCISO revealed that stress levels significantly increased among 21% of respondents over the last 12 months, adding to mental health issues.
Two years on from the start of the pandemic, stress levels of tech and security executives are still elevated as global skills shortages, budget limitations and a faster-moving, ever-expanding security threat landscape test resilience. “In every cyber security team I’ve worked in, stress management is a common concern,” says Vodacom group managing executive for cyber security, Kerissa Varma. “Some manage this better than others, but one of the most common questions I get asked about my job is how I’ve done it for so long, considering everything that it involves.”
Helen Constantinides, CIO at AVBOB Mutual Assurance Society, also understands these cyber stress and burnout trends all too well. “We need to remember that it’s not just about technology,” she says. “It involves people too.”
According to CIISec’s 2020/21 State of the Profession report, which surveyed 557 security professionals, stress and burnout have become major issues, with almost half (47%) working more than 41 hours a week, and some up to 90.
So what can CIOs do to mitigate the long hours, heavy workloads and uncertainty in understaffed and underfunded environments? The experts share their four top tips below.
1. Encourage your teams to slow things down
Seeing that hackers don’t work 9 to 5, IT and information security professionals generally don’t get enough rest, says Itumeleng Makgati, group information security executive at Standard Bank. “Our roles require us to be alert, productive and energized,” she says. “You can’t do all this if you don’t get enough rest.” She adds that CIOs must be deliberate about helping people to pause, take breaks and recharge. This may sound counter-intuitive, but greater demands require greater efforts to look after mental health. It can take the form of hosting team events, meet-ups or just enabling staff to take personal time off during down cycles. “I try to have in-person meetings as ‘walking meetings’ in a nearby park, which ensure that I get my daily nature fix and also stimulate creative thoughts,” says Anna Collard, SVP content strategy and evangelist at KnowBe4 Africa, the world’s largest security awareness training and simulated phishing platform.
2. Encourage collaboration
Look to extend and complement your team by bringing in trusted partners like managed security services, recommends Constantinides. “It’s about collaborating locally and globally to create new thinking, expanding the talent pool and coming at things a little bit differently,” she says. As part of this, CIOs must ensure the right technologies are in place to protect their most critical vulnerabilities, and assess, rank and respond to risks in real time to alleviate stress across IT teams. Automation can help too, considering the skills shortage burden for under-resourced teams, says Varma. “Automation is a great enabler to use limited resources in areas that add the biggest benefit,” she says. “It also greatly improves staff morale, as they are able to focus on more interesting work.”
3. Discourage multitasking
According to Makgati, CIOs and IT leaders need to encourage their teams to embrace “monotasking.” Clear, one-at-a-time task prioritization and defining milestones that don’t overlap can help teams minimize stress. Avoiding the trap of mistaking the urgent for the important is also a great way to mitigate unnecessary stress, she says.
And according to Collard, multitasking and not being fully present actually make a business more susceptible to social engineering. “I realised this when I failed one of our internal phishing simulation tests,” she says. “I fell for the phishing email, not because I didn’t know the dangers of social engineering or because I didn’t know how to spot red flags, but because I was distracted. I was multi-tasking and slightly anxious in that moment.”
It’s critical for leaders to communicate which items are the most important to deliver, says Varma. Failing to do so can cause confusion and lead to teams skimming the surface in a number of areas but never truly resolving things effectively. “Be clear to your teams and business on what you’re prioritizing within a time frame,” she says. “This is critical to allow your team to focus and execute in the fastest manner possible and for your business to understand any potential risks.”
4. Exercise empathy and compassion
“Having the right cyber thinking and decision making in a board room can have immense impact on preventing stressful situations down the road,” says Varma. Collard adds that building a security culture is more about human psychology and behavioral science than technology. So CIOs and IT leaders must understand people’s motivations, expectations and struggles, and create a support mechanism to maximize individual and team potential. “It’s clear that we’re all going through a lot and a little understanding will go a long way in helping our teams feel supported,” says Makgati.