Kinly’s Don Gibson on why cybersecurity can be bad for the health
When he was 44 years old, Don Gibson realised that something had to change. While working in his garden, his heart started going crazy. For years, Gibson had been plagued by bad dreams, memory loss, weight gain, and feelings of unhappiness and stress, but his racing heart prompted him – finally – to seek help.
“My heart rate was 280 bpm,” he told the audience at Computing’s IT Leaders Summit. “My cardiac surgeon said he’d seen that three times, two were DOA in the back of an ambulance.”
Image
Description
Don Gibson: ‘Burnout is real’
Prior to undergoing emergency cardiac surgery, Gibson worked as Head of Cyber at the Department for International Trade (DIT). Like most people who enter the cyber profession, he was driven by a wish to help, to make the world a better place, but as he rose up the ranks the constant stress of feeling responsible for keeping his organisation safe took its inevitable toll.
Cyber is a very unnatural environment, Gibson said. “First, everything’s very important.” Second, cyber evolves very quickly. “You’re looking at decades for change in evolution in the normal world. In the cyber world, it’s instantaneous. You see that zero day and instantly you’ve got to evolve, you’ve got to change, everything has got to move. You’re always on the lookout. We are based in risk and our entire world is based around threat, fight-or-flight.”
Your job does not love you back
Feeling responsible for everything makes you believe that you’re indispensable, said Gibson. But that’s not true.
“I love my job, but your job doesn’t love you. If you drop dead then, quite frankly, everyone will be sad and in about two weeks the job description will go out and your job will be filled.”
Having recovered from surgery, Gibson is once again working as a CISO, now at video technology firm Kinly.
These days, he feels compelled to warn cybersecurity professionals and leaders about the dangers of ignoring the warning signs of stress and burnout.
“Burnout is real,” he told the audience.
The typical male-dominated environment means that people don’t tend to talk about issues until it’s too late. “It’s head down, I don’t care, I’m pushing through – and it’s really not helpful.”
The signs of burnout are not always obvious and neither are its causes. In his government role, Gibson assembled a top-performing cyber team whose stellar achievements set elevated expectations among management. “Because we were outperforming absolutely everything and everyone, there’s no way that the team was struggling, right?”
But the team was struggling, and so was Gibson; that level of activity was simply not sustainable.
This situation creates unhealthy team dynamics where everyone feels obliged to push themselves, which can ultimately make outcomes worse through worker attrition, a blame culture and becoming “threat blind.” Beyond the human cost, the situation also carries a financial burden to the organisation, with high staff turnover and increased risk.
De-stressing cyber
Since his illness, Gibson has become an evangelist for fostering healthier behaviour in cyber teams. At the IT Leaders Summit, he outlined measures and strategies that management and CISOs can adopt to create an environment in which cyber teams can thrive and be more effective while reducing the health-threatening dangers of stress.
Management should manage expectations and avoid seeing over-delivery as the norm. Meanwhile, teams need to get their heads up from the desk and talk. Open communication should be encouraged, and a non-judgmental culture created with protection and self-care at its core.
Overwork should be avoided in the first place through developing playbooks, and when emergencies do occur, lost time should always be compensated. “I think that’s really important in major incidents,” said Gibson. “We have a team large enough to split the team one day on, one day off to give them the ability to relax.”
Equally important is for the CISO to sing the praises of the individual team members when they’ve done good work, to avoid hierarchical structures, and to ensure that as a leader they come across as personable and approachable.
“CISOs can be scary,” admitted Gibson. “We know where the skeletons lie.”
But “if you can come across as a friendly face” then you will open up communications – which means both talking and listening. “Communicating and listening are two massively different things.”
By focusing on wellbeing, he concluded, the CISO will be able to build a stable, high-performing team while stopping burnout before it becomes a problem.
“If you are irreplaceable in your job, then you failed as a leader. Your leadership should be enabling people to step up after you.”