Why work-life balance in cybersecurity must start with executive support
In this Help Net Security interview, Stacy Wallace, CISO at Arizona Department of Revenue, talks about the realities of work-life balance in cybersecurity leadership. She shares how her team handles constant pressure, sets boundaries, and deals with stress. Wallace also gives practical advice for those looking to build a lasting career in cybersecurity.
Let’s start with your perspective. How would you describe the current state of work-life balance in cybersecurity leadership?
Work-life balance is challenging in the cybersecurity world; this career field is demanding overall. Many cyber roles require irregular hours and some roles are still not clearly defined in all organizations, leading to additional stress. The national and international climate, with its uptick in cyber-related incidents and crimes, adds fuel to the fire.
We often make jokes to ease the tension we feel, but the truth is, there are very few of us who take vacations and when we do, I’d estimate 90% of us are still working. Cyber threats don’t take a vacation.
Cybersecurity is often described as a “24/7 job.” How do you manage the pressure of being always on call, mentally, emotionally, and logistically?
The best way I’ve found to handle the pressure is to trust my team, peers, leaders, and partners. Trust and communication are key. Partnership is key. I am intentional about practicing healthy habits and am very self-reflective and open to constructive criticism.
Watching your mental and physical health is critical. Setting boundaries is something that helps the entire team, not just as a cyber leader. One rule we have in my team is that we do not use work chat after business hours unless there are critical events. Everyone needs a break and sometimes hearing a text or chat notification can create undue stress.
Another critical aspect of being a cybersecurity professional is to hold to your integrity. People often do not like the fact that we have to monitor, report, and investigate systems and human behavior. When we get pushback for this with unprofessional behavior or defensiveness, it can often cause great personal stress. This is why building an organizational culture with psychological safety is so important. Executive management is critical for helping organizations build cultures where it is ‘okay’ to report mistakes and issues.
Having executive management support, trusting your team and partners, being open and self-reflective, taking care of your personal mental and physical health, and setting work-place boundaries are key factors for managing this role.
Are you seeing a shift in expectations among younger cybersecurity professionals when it comes to work-life balance?
What I love about the younger cybersecurity professionals–and younger generations in general–is that they are very invested in mental health and work-life balance, at least from my perspective. There seems to be greater awareness of mental health challenges associated with cybersecurity work and I am noticing that the younger generation is more likely to prioritize work-life balance to avoid burnout.
Since retention is an issue in cybersecurity, addressing work-life balance and preventing burnout is important and I see that the younger generations are more likely to prioritize strategies to mitigate these risks. The younger generations are also more familiar with technology and more comfortable with remote work. We spend enough time criticizing the younger generations, so I try to look at aspects that will bring value to our space. Generations that embrace work-life balance and technology, care about avoiding burnout, and are not shy about protecting their mental and physical health are important to stressful career fields.
What role does executive leadership play in supporting balance at the CISO level, and do you think the board or CEO understands that?
Executive leadership plays one of the most critical roles in supporting the CISO. Without executive level support, we would be crushed by the demands and the frequent conflicts of interest we experience. For example, project managers, CIOs, and other IT leadership roles might prioritize budget, cost, timelines, or other needs above security.
A security professional prioritizes people (safety) and security above cost or timelines. The nature of our roles requires executive leadership support to balance the security and privacy risk (and what is acceptable to an executive). I think in several instances the executive board and CEOs understand this, but we are still a growing profession and there needs to be more education in this area.
What advice would you give to aspiring CISOs or security professionals about sustaining a long-term career without burning out?
Ensure your executive leadership supports cybersecurity and understands how critical it is. I also find that organizational culture is key. If you do not have solid support from your leadership, and an organizational culture that fosters cybersecurity, it might just be better to find another place to work.
Without those elements, only the very experienced CISO who has been through (and can stomach) the workload and stress inherent in these roles will be successful.
Other advice for aspiring CISOs is to prioritize continuing education, self-reflection, and self-care. Our job is to align security and business, so partnership is key. In order to have an impact, you must have the stamina and courage to maintain relationships and hold difficult conversations while also fostering psychological safety for your team. I suggest not skipping career steps and instead spending time learning system administration, customer service, analysis techniques, and managing/leading people before aspiring to a CISO role.
Start somewhere in I.T. and learn various skills before entering into the cybersecurity field if possible. Cybersecurity professionals are expected to have a variety of technical and administrative skills and skipping crucial steps before becoming a CISO can cause issues. However, one way to prevent skill gaps is to have an open and continuous learning mindset.
Finally, understand your business, the data and systems you protect, and business processes for every organization you support. Without this awareness you should not force your current understanding of cybersecurity onto the business, as the impacts could cause damage. For example, as a CISO you may not want to shut down a system (due to perceived security threats that led to a system shutdown in a previous organization or role) if you do not fully understand the current organization’s systems and business processes. Instead, partnering with your business, empowering them to make security-minded decisions, and integrating security with key stakeholders will give you better results. Partnering also enhances trust between your team and the business and keeps your team’s workload manageable.