Over the last few months I’ve been asked by multiple people how I deal with stress. This is no surprise – it is well documented that Chief Information Security Officers and many other security professionals have uniquely stressful line of work.

Security leaders have all kinds of challenges to deal with in the course of protecting their business and its customers. The stakes are especially higher when protecting not just information, but people’s lives and/or quality of life.

In order to be effective, security leaders need to manage risk in extremely complex environments. This responsibility can extend to managing teams, creating vision, inspiring change, negotiating with stakeholders, organising systems, people & work, planning how to execute on the vision and lots more. In so far as management goes, this is nothing particularly new.

However, security leaders have a pivotal role in protecting the organisation and its customers from crisis; cyber attacks have a way of choosing the least opportune moment to strike and when they do, security leaders are on the hook. Security leaders are scrutinised by their ability to protect and lead the organisation both from crisis and at a time of crisis.

To compound this, global security is declining. International cyber-crime groups are flourishing with impunity in places like Russia. Geopolitical alliances are sharply polarising with the risk of collateral damage of cyber-warfare spilling over and impacting western businesses. Both threats present a very real risk to western businesses, and the lives and livelihoods of people in the west.

So I reflected on the question that was posed to me – “how do you do it?”

For me personally, the last few months have been especially crazy. My wife has been in hospital several times. We’ve had a fourth child and we’ve had limited sleep. Believe it or not, that’s not the challenging part.

The really challenging part for us has been supporting our kids – we now have 4 children, two of whom are high functioning ASD. Anyone who has experience with ASD will be familiar with the hour by hour challenge of dealing with emotional dysregulation and typical challenges associated with challenged executive function. This can be relentless and thoroughly exhausting for the child/ren and the parents.

So in reflection, no shortage of stressors in my personal and professional life. So to answer the question, how do I manage it?

Perspective & purpose

What’s important in life?

For me it’s my family and my future. As much as I love my work and the team at work, I have a very clear purpose and future for my life that doesn’t include work. That’s not to say that I slack off at work – quite the opposite, I’m known for being motivated, focussed and hard working. But work isn’t the end-goal for me. I’m invested in doing a great job, but far more invested in my future & purpose. Unfortunately too many people conflate these things.

Meditation

I meditate every day – it clears my mind and brings me a profound sense of peace – even after a harrowing day. Meditation takes many different forms – my meditation consists of reading through the Bible, understanding it and and deriving meaning and purpose.

Allocating time to meditate is essential in order to have a mind that is clear and effective. Research has shown that meditation is especially helpful for anyone struggling with anxiety or other mental health issues which typically amplify stress.

Compartmentalisation

When I switch off work, I try to switch off properly. Research has shown that this is an extremely effective way of dealing with stress. I do this in a few ways.

• I use the focus feature on my mobile phone to control who/what can contact or send me a notification and when. This does things like block calls during dinner time so that we can share an uninterrupted family dinner.
• When I finish work, I leave my phone in my room and only use my Apple Watch for minimal interaction with notifications.
• If I work after-hours, it’s usually only on the condition that it will not result in unmanageable stress or conflict with other personal matters which would otherwise increase stress.

Delegation

I push work to trusted individuals. If you haven’t built a team that you trust as a security leader, you need to build a trusted and competent team so that you can delegate. Building trust in your team can only happen if you have the right culture.

Prioritisation

Across the industry, security people often have XXX hours worth of tasks that need to be done in a day.

Constantly stepping back, and reassessing and splitting my work into 80/20 is important. I can’t do everything, so I pick what I colloquially call “the burning priorities”. Those that don’t make the cut get delegated to other trusted individuals and others I’ll defer or push back on.

Improving – or implementing – the systems and/or processes that are needed to manage the flow of work in the organisation is also an effective way to ensure that prioritisation and focus is correctly systematised.

Over the course of my career, the limitations and capabilities of the human brain and how these impact the tasks we perform, the choices we make and our long term career trajectory has been a source of great fascination for me.

When solving problems at work we rarely take a step back and consider to what extent our mind is equipped to handle a particular task. Usually we just focus on fixing the problem, not optimising the thing that is fixing the problem.

But the reality is that inside our heads, we are each equipped with a kit that contains its own incredibly unique set of limitations and strengths.

To illustrate the point, we might briefly compare the brain with a car. Fred has a four-wheel-drive, and Bob has a dragster. Bob and Fred are asked to solve a problem. The problem they need to solve is how to get to the top of sand-dune. Bob might throw his hands in their air and say “this is impossible” and Fred will most likely get the job done in style.

The next day they are given a different task, this time they need to hit a straight and cross the finish line in 7 seconds. Before Bob can say anything, Fred turns around and drives back towards the sand-dune.

Like Fred and Bob, each of us have a brain that is equipped with a varying set of cognitive abilities. Understanding your cognitive strengths and weaknesses can help improve your ability to perform your work. You can capitalise on your cognitive strengths and you can find ways to mitigate the effect of your cognitive struggle.

So what are some practical examples of this? While I’m going to provide examples which can be applied to all types of work, I’ll use hacking as the practical example.

Let’s start with executive function.

Executive function

Executive function is the cognitive process that helps us to regulate, control and manage our thoughts and actions. It includes a number of cognitive processes, but for the purpose of this post, I want to focus on only three of them.

Each of us have certain strengths and certain struggles with our executive function. These struggles can be amplified significantly for people with ASD or ADHD.

Task Initiation

Task initiation refers to the capacity to begin a task or activity, as well as independently generating ideas, responses or problem solving strategies. People who struggle with initiation typically want to succeed at a task but can’t get started

A great example of this is bug hunting. Hunting for bugs or exploits that allows a hacker to exploit a system is usually something that people do in their spare time, so usually self discipline is needed to sit down and well… start.

I see people all the time who want to get started in bug hunting and despite all the advice out there to just “get started” some people really struggle to just get started. And for some people – those who struggle with task initiation – this is a very real issue. Usually these people are just as smart as anyone else, but the one thing holding them back is cognitive struggle encountered when initiating tasks.

I’ve seen some great initiatives within infosec at a very local level which inadvertently help people who struggle with this. Local study groups who proactively encourage beginners to join in are a great way to bridge this gap.

If on the other hand, you have no trouble initiating a task, then use it to your advantage! start a local meetup. Join an organising committee. Invite a friend who struggles with task initiation to collab with you. Initiate your work and career away.

Planning and organisation

Planning and organisation refers to a person’s ability to to manage current and future-oriented task demands. Planning relates to the ability to anticipate future events, set goals and develop appropriate steps ahead of time to carry out a task or activity. Organisation relates to the ability to bring order to information and to appreciate the main ideas or key concepts when learning and communicating information.

In information security there is an array of roles that require varying levels of organisational and planning ability. Its worth analysing your capacity to plan and organise and then aiming for a role which aligns with your capability in this area.

In the past, I’ve made the mistake of hiring someone who while technically excellent, struggled to manage small projects. They really struggled with their ability to plan and organise. That person was able to thrive much more in an engineering context where they execute to a set of sequential instructions.

As a bug hunter, organising is helpful for reconnaissance and planning is helpful for exploitation. I’ve seen bug hunters do these things at varying levels of complexity. If planning and organisation is a strength or yours, then use it to map out a plan on how to get to your ideal role, or attack your ideal target.

On the flip side, if you struggle in this area and you want to bug-hunt, I think you are in luck – not much planning or organisation is actually needed to discover and exploit bugs.

Working memory

Working memory (not to be confused with short-term memory) is your mental sticky note or sketchpad. It’s a skill that allows us to work with information without losing track of what we’re doing. 

It describes how much working information you can store in your mind at a given time. For example, you might be storing lines of code, exploit strings, heck – even UUIDS or hashes.

How much information you hold in your working memory determines how much of the overall informational picture you can see/process at once.

Struggle with working memory might result in someone struggling to remember their code logic while scripting, or could require someone to reference documented instructions more regularly to compensate for not being able to hold the instructions in working memory.

If you have a bigger working memory, then this is going to be particularly beneficial if you are reverse engineering, doing OSINT or building an exploit.

If you struggle with working memory you might need to consider ways to mitigate the impact of this. For example, you could work on visualisation skills. Visualising the problem requires your brain to store the information differently. Breaking big chunks of information into bite sized pieces also helps to digest information more easily.

---

While our executive function is made up of many cognitive processes, executive function is just one aspect of how our minds are equipped to handle the problems that we solve each day. There are many other aspects of our minds that are used to solve problems and make decisions and process information.

And the more we learn about our minds, the better equipped we are to solve tasks more efficiently and do our work more effectively.

Do yourself a favour and become more effective at work – doing the hacking or whatever your doing – by identifying your cognitive strengths and weaknesses and how to use these to your advantage.

Related resources

https://sharpbrains.com/what-are-cognitive-abilities