Insights For Success

Strategy, Innovation, Leadership and Security

Hiring

CISOs are stressed and I can prove it

GeneralEdward Kiledjian
face-1013520.jpg

Not a week goes by without some data breach, leak, hack, attack or other significant cybersecurity failures that spills all over blogs and even national media.

Five years ago, only avant-garde companies invested in cybersecurity; today, it has become a must. Companies realize the importance of a solid cybersecurity plan built on the People, Process and Technology pillars. One topic rarely discussed by corporate executives or security leaders is the incredible (and growing) stress the current environment inflicts on CISOs.

hooded-man-2580085.jpg

The stress is real

Stress is a normal way of life for most executives, but CISOs feel an acute level. Nominet's report, in collaboration with Vanson Bourne, The CISO Stress Report - Life Inside the Perimeter: One yes on", was the first quantification of this systemic issue.

In 2019, Nominet and Vanson Bourne conducted 800 online interviews in the USA and U.K (400 C-Suite and 400 CISOs). The included CISOs worked for both public and private corporates with at least 3,000 employees. They were quizzed about work-related stress and its effect on their professional & personal lives.

88 percent of CISOs consider themselves under moderate or high levels of stress

digital-marketing-1725340.jpg

Some Interesting conclusions

  • 7 out of 10 CISOs agree their work-life balance is too heavily weighted towards work (71%)

  • Almost all CISOs are working beyond their contracted hours, on average by 10 hours per week (95%)

  • This equates to extra time worth $30,319 per annum

  • 87% of CISOs say that working additional hours was expected by their organization, while 78% of board members admitted this to be the case

  • 83% of CISOs spend at least half of their evenings and weekends thinking about work

  • Only 2% say they are able to switch off once they’ve left the office

  • Over a third have failed to take all entitled annual leave

  • 45% have missed family milestones or activities

More about the stress

The average tenure of a CISO is 26 months, and many believe stress is the primary motivator of change.

CISOs reported missing important family events such as birthdays, vacations, weddings and even funerals. Even with all the stress and extra working hours, most CISOs aren't taking their full annual leave (or sick days, time off for medical & dental appointments, etc.)

Stuart Reed, vice president at Nominet, suggested that the stress and wear & team on CISOs result from a combination of internal and external factors. The external factors are the headlines your read about, while the internal stresses are the pressure from executives expecting CISOs to "properly" handle these incidents and to provide updates & answers continually.

darts-102919.jpg

What are the most stress inducing elements?

  • 44% being responsible for securing the organization and preventing breaches

  • 40% the need to stay ahead of threat intelligence

  • 39% the long hours worked

  • 65% of those surveyed had suffered a breach in the past 12 months

  • 37% of CISOs consider themselves ultimately % responsible for a breach while 31% of board members agree

  • A fifth of CISOs believe they would be fired as a result, regardless of whether or not they themselves were responsible

leaf-1082118.jpg

What are the effects of the stress?

  • Nearly half of CISOs said the levels of stress they are under has impacted their mental health (48%)

  • 35% also reported that their stress had impacted their physical health

  • 4 out of 10 CISOs said that their stress levels had affected relationships with their partners or children

  • 31% said the stress affected their ability to fully perform at their job

pencil-2878764.jpg

How are CISOs coping with the stress?

  • A quarter of CISOs are turning to medication or alcohol to manage their stress - an increase from 17% a year ago

  • A fifth have taken a leave of absence due to stress (21%)

  • 21% believed there to be no support structures in place within their organization to help deal with stress, while 94% of board members suggest there are

  • 9 out of 10 CISOs would take a pay cut to improve their work-life balance; on average 7.76%, equating to $9,642

grass-455753.jpg

The silver lining

The report suggests that boards of directors are aware of the stress affecting their CISOs (74% of respondents believe that moderate or severe stress impacts their CISO).

As the board of directors and CIOs acknowledge this significant issue, they show more willingness to hire support staff to alleviate some of the stress elements. Ensuring the CISO is surrounded by skilled senior professionals can help alleviate many of the most aggravating elements. These supporting professionals must be experienced security technicians and have strong business acumen, strong interpersonal skills and the ability to work in teams or alone.

Another important stress reliever is ensuring the CISO can honestly share the state of their cyber universe with the executive leadership team to ensure decision-makers universally understand risks and provide executive support to the CISO (guidance and funding). The CISO must know he/she is not alone.

Cybersecurity is growing in importance and, for many organizations, has become the price of entry. Executives have started to understand this important fundamental truth and are now more willing to share the cybersecurity burden.

Conclusion

I built my first security business (a Canada wide security practice) that was later sold to Bell Canada in the early 2000’s and have been actively involved in cybersecurity since. Over the last 20+ years, I have seen the importance of security grow and this has required the creation of the CISO role.

Unfortunately I see too many CISOs that have been promoted to their level of incompetence (read about Peter’s principle here). The job is difficult enough for the professional with the right skills but is deadly for the wrong professional promoted as a reward (not because of merit).

Companies should perform an honest review of their CISOs competence and abilities. Thrusting the wrong person into this role is a disservice to the candidate.

Additionally it is important to realize that most security certifications tackle the technical skills. These are important but form less than 40% of the CISO’s true day to day responsibilities. The key skills (negotiation, strategic vision, budgeting, people management, etc) are completely ignored in most of the certifications companies deem “required” when posting a CISO job. HR leaders must quickly understand the new realities of the CISO role and craft job descriptions akin to that of a business executive leader than a manager for firewalls. This realization is important because a properly skilled CISO will handle the stress much better and therefore will deliver a much higher return on investment for the company.

HR leaders must learn to hire the right candidate for the CISO position

Google hopes Hire gives it a better stronghold in corporations

GeneralEdward Kiledjian

Google sees the corporate world as an excellent cash cow and has been working hard to secure its place. Most recently we have the fruits of its labour with redesigned G-Suite offerings, the Jamboard and more.

Google is the king of data and has decided it can help HR do a better job with recruitment. Google Hire is a purpose built solution that promises to make the entire hiring process easier and more efficient (from finding to managing). 

The target customer is the small or medium organisation that may not be using any of the larger more expensive and complicated tools. 

  • A 2015 report by Bersin (Deloitte) claimed it took on average 52 days to fill a position (up from 48 in 2011) at the cost of $4,000
  • 48% of small businesses report there are few or no qualified applicants for the positions they are trying to fill (NFIB)
  • 27% of respondends believe lengthy hiring timelines are a major impedament to increasing staff headcount (Recruiter Sentiment Study 2015 2nd Half, MRI Network, December 2015)

So all in all, we can safely assume the hiring process is broken in small to medium size companies, which may equate to a nice chunk of change for Google (if it plays its cards right).

Google Hire leverages the G-Suite platform and integrates with email and calendaring. In addition to winning new business by offering innovative cost effective new solutions for the SMB market, it also adds value to G-Suite. 

It is conceivable that a long time Microsoft Office customer may eventually switch to Google's G-Suite if it has enough value added features. 

I have spoken to dozens of medium size start-ups that just don't want or need the big Office 365 offering and are just looking for an excuse to make the jump. It is small but targeted offerings like this that may make the difference.

You can check out the Google Hire website for more details.

Secret techniques to finding your next job

GeneralEdward Kiledjian
Creative Commons Image - Flickr User Kate Hiscock

Creative Commons Image - Flickr User Kate Hiscock

It seems the web is all the range these days. We use it to shop, learn and play. So when looking for a new opportunity, we naturally turn to it as well. But did you know that 85% of all jobs are filled before being advertised which means most candidates miss great opportunities. The job market isn't as good as it once was but there are fantastic opportunities slipping through your fingers because you may know how to find them.

1 - Identify your target employers

  1. The very first step is to identify the types of companies your would like to work for. Think outside of your comfort zone and do your homework. Prepare a digital list (you will need it later).
  2. The next step is to search industry databases and identify companies within those industries you would like to target. These may be top employers, companies with known flexible working conditions, etc. It is important to include small and medium size business' as these are the drivers of most economies and thus the biggest employers.

2 - Target the right people

  1. Now we have to determine who are the key contacts that can hire you in your target companies. Read articles in newspapers, blog posts, press releases, search LinkedIn, you services like jigsaw.com, leverage your industry contacts. Find at least 1 contact per target company you listed above but preferably 2 or 3 for larger organizations.
  2. Check the corporate websites for possible open positions. Remember that not all candidates perform as expected when hired so there is a lot of value looking at jobs that have been filled 2-3 months ago and add that to your target list (just in case the original candidate didn't meet expectations).
  3. Where possible about sending your CV to the human resources department, unless you are looking for an HR job. Typically HR reps receive hundreds of CVs per job and may improperly skip over your CV because of fatigue or by mistake. When possible, target managers in the business (the people you would actually be working for).
  4. When you have the list of names, its time to get creative and find their contact information. Search the web, ask friends, buy it or use the company operator. Find email addresses, telephone numbers and civic addresses.

3 - Your CV represents you

Your CV is the first impression you are making on the hiring manager so make sure it is the best possible impression you can make.

  1. Each CV should be targeted for the company you are applying for. Change some of the elements to make sure it "speaks to the manager and sells the skills you bring relative to their industry".
  2. Have your CV proof-read to ensure it is well written and error free.
  3. Use a multi-medium approach. Your first contact should be via email (cover letter and CV). Ideally if you can find a fax number, you can also fax your CV in a week or so later. Just make sure you modify your cover letter to identify that your first contact attempt was via email and that you are following up via fax.
  4. A nice way to differentiate yourself is to have your CV professionally printed and bound then mailed via standard letter mail. In the age of email, a physically delivered CV will definitely stand out. Remember that you are running a marketing campaign for your services. Plan your strategy ahead of time and execute to plan.
  5. If your target company participates in local networking events or presentations, take the time to attend. This is a great way to make "friends" that can help connect you with the right person.

Conclusion

It may sound like a lot of work and it really is. Finding a good job is getting harder and you will have to differentiate yourself from the heard. The more effort you put into your self marketing campaign the bigger the reward will be.

Here are some quotes I think you will enjoy:

  • “Fall seven times, stand up eight.” –Japanese proverb

  • “You miss 100% of the shots you don’t take.”–Wayne Gretzky

  • “The definition of insanity is doing the same thing over and over and expecting different results.” –Benjamin Franklin

  • “Never put off till tomorrow what you can do today.” –Thomas Jefferson

  • “Find out what you like doing best and get someone to pay you for doing it.” –Katherine Whitehorn

  • “Big jobs usually go to the men who prove their ability to outgrow small ones.” –Ralph Waldo Emerson

  • “Success doesn’t come to you, you go to it.” –Marva Collins

  • “All our dreams can come true, if we have the courage to pursue them.” –Walt Disney

Archives: Leveraging The Paradox

StrategyEdward Kiledjian

I will be posting links to older articles that seem to be fairly popular. Hopefully some of the newer readers will find the articles interesting and helpful.

A popular 2010 blog entry about companies using the paradox strategy of management to drive competitive advantage.

Read the article here

 

A new model to consider when hiring employees

HiringEdward Kiledjian

Even in the best economic times hiring a mid-to senior-level employee is an expensive proposition. Because the process is usually fairly lengthy, the hiring manager will be extra careful to ensure that they scrutinize every candidate in minute detail so that they make the best possible selection. They do not want to spend the time “getting the candidate hired” only to realize they may have made a bad decision.

For these reasons alone, many companies have chosen to go without (jeopardizing the stability of their operations) or choose to go through temporary hiring agencies. The later, allows them to bring on "no commitment" workers however there is an additional 12 to 20% premium (the agency's margin).

There is another option. Companies need to identify best-of-breed employees without necessarily making any commitments and there are qualified candidates in the market that are willing to accept temporary work assignments.

As I stated in my previous blog entry, you should evaluate every situation from different angles. Can you see the other opportunity that is right in front of your eyes? This unique combination has created an entire new hiring models: try before you buy.

This is a win-win situation. Even the most complex and bureaucratic organizations can usually bring on a temporary employee with minimal fuss. Once the employee is in the position and performing their duties, it allows the managers to properly ascertain the capacities of that employee. If the employee meets the requirements, then they can convert that position to a permanent full-time one. If the candidate does not meet the requirements, and the contractor is simply terminated, the organization has not wasted any time hiring the wrong employee.

This is also beneficial for the candidate, since it allows him or her to get back into the working environment polishing their skill set and expanding their network of contacts.

In order for this model to actually work, the rules of engagement need to be properly documented and explained ahead of time (for both the employee and hiring manager). The employee needs to understand how he or she will be judged, and under what conditions he or she may be converted to full-time. How long will the trial period last? How will success be determined? What is the process if the candidate is to be retained?

The flipside of this arrangement is also that the employee may not meet your expectations and therefore may not be converted to full-time. This process should also be predetermined. In the event that the candidate does not meet the requirements, how will they be notified?

This is one of those situations where not only the candidate but also the hiring manager needs to take a leap of faith. As a manager, you may be asking yourself if the candidate is accepting this position because they are interested or simply until they find a better opportunity. Ordinarily, many managers would be reluctant to even interview a candidate that has not worked for prolonged periods of time, however this is not a normal situation. Many qualified and hard-working individuals have been made redundant. This will be an important realization to accept quickly.

Many companies have had great success leveraging this model. It is one that has proven to be mutually beneficial for the candidate and the company. The company must be honest and straightforward in their expectations, leaving many of their preconceived biases at the door.

The candidate on the other hand, needs to accept the fact that this may or may not turn into a permanent position. If the candidate has been unemployed for an extended period of time, they may realize that their skills are not as sharp but that these types of opportunities help them get back on the saddle.

 

WORD OF WARNING
Because of the nature of the Internet, I am not sure where you are reading this from. Each jurisdiction has its own employment rules, and you should consult your legal and HR departments to determine if this model is right for you.