Excellent. Let's do this. Well, welcome to Burnout: The Greatest Threat to Your Organization's Security. If you're not scared about burnout or you're like, burnout's not a big deal, I'm hoping that I scare you so much that you start realizing how important burnout is and that we need to focus on it.

First things first, my name is Chloé Messdaghi. I am the co-founder of WoSEC and Hacking Is NOT a Crime, and the founder of WeAreHackerz. My day job is a growth strategy consultant. If you want to learn anything about me, I can easily be found on standoutintech.com. All right. Now let's get to the real reason why you're here. Let's get into this talk.

This thing may look familiar to you. Well, this was RSA Conference last year. We were so full of hope for the new year. We hugged, we shook hands, we attended events full of people. We had drinks and food together. We leaned in to hear each other often at a busy event. We had to speak loud to be heard, and we even attended karaoke. It was a glorious time.

Then eight days, 10 days later, suddenly we started hearing of different people getting sick. I unfortunately became one of those people that on my 13th day, I ended up getting sick, and it lasted for quite some time. But I remember that transition and that moment of knowing that I'm one of the unfortunate people that got sick. I remember how stressful it was, worried about, did I give this to someone else? The fear of losing my parents came up. Everything when it came to, do I need to revisit my will? What do I need to do? Because it was so at the beginning of it, and the US wasn't prepared for it. It was a scary moment. But good news, I survived, but there were many that didn't too.

I have to admit, if we were to think of 2020, this is what I think of 2020, is that in a nutshell, it was intense. Everything thought was on fire. There wasn't a moment we weren't on fire.
It just seemed like the universe gave you just a little bit and then it's like, oh, you're stressed and overwhelmed. You think you're okay. You can't get any more. Guess what? I'm going to hand you another thing. It became a layer on top of a layer of more and more stuff hitting at you all at once, to a point where we're all going to be very different from this pandemic. And to be honest, we're still in it. And the reason I have this sign on here is because, to be honest, we are in 2021, but it still feels like we're in 2020 a little bit. But I'm hoping things get better in many ways.

Because let's be real. We are walking on a fine line of being just barely okay and terrible. And all of us have been dealing with burnout. Well, not all of us. Lucky you, New Zealand, lucky people, anywho, but even in New Zealand and everywhere before 2020, in security, we've known about burnout and have been through it before all the chaos fell in 2020. This is not a new thing for us. We've been talking about this for years because with burnout, we are placing ourselves and our organization at a security risk.

We'll most likely click on a link because we're not 100% who we are. For example, when you wake up and you're checking your emails and you're exhausted, you haven't had your cup of coffee or your tea, chances are you may click on that link that comes from your manager because you didn't do further looking at the details of where that email address came from, which was not from your manager. And so the thing to understand is that when you're burned out, you're more likely to click on a link. You could be the most secure personnel. You could be like the leader of security or InfoSec or a leader in social engineering, but there will be a time where you will click on a link when you're burned out because you are functioning on a very low battery and you're not 100% who you are. We may not even patch right.
We could be overwhelmed by what is needed to be patched immediately. So let's all be very real. The thing is that while working in InfoSec, we're kind of seen as bots, not humans, and humans cannot handle this 24/7 type of work because when we're working all hours and always expected to be on calls at all hours, like in the middle of the night, how do we even balance the personal life and work life?

Because burnout occurs when we do not practice self-care and when our work demands more from us and we spend less time on personal life, the balance is gone, stress increases, we feel guilty, we struggle to sleep because we feel like we're trying so hard not to drown. You may even notice changes on your team, such as employees being withdrawn or fast to become sad or angry, or delays in email response or projects. This can all be seen when remote too. It's not just in person.

And right now, working from home and remotely has increased the number of hours worked, increased expectations and has really increased the blurriness of work time and limits. And some people have quit because they cannot handle the juggling of work and personal life because their company failed them because they weren't being more flexible. And when we're not being more flexible, we're not practicing inclusion and equity in our companies. And this is one of the reasons why we saw an increase of women leaving the field because we weren't being there for them. Companies weren't listening to them, they couldn't be more flexible, instead they kept putting more and more demands. Well, they unfortunately had more of also the demand for them to be nurturing. And it's one of the things that it just shows that we're so broken that we allow for this to happen. And we need to do something about it.

We need to change this because let me be blunt. In security, we haven't had a job that's from nine to five PM at all.
And this is the contributing factor because employers are pushing employees to work from nine to five and yet send emails, Slack messages, call them, text them at all hours. This places you and your team at a losing situation because they feel obligated to respond. And this is why the burnout cycle continues.

And for those who are not aware of what burnout starts to form and look like, it could be that it used to take a few minutes to respond to an email. Now it takes an hour or so. You feel exhausted and trapped. You may even feel empty. You push yourself to a breaking point or you're no longer coming up with new ideas but rather taking meds to help with the aches. You're overly anxious over events and deadlines and you can easily cry or get angry faster than usual. You may not even respond to friends and family when they call or text for some time. And then because you're not doing that, the guilt starts entering. Now your personal life is slipping. Your life is now your work and you start to feel unappreciated for your work at work and then become resentful at work and then end up hating and dreading your job. And this is the moment you may lose your team members because what we have been doing is putting employees at a huge health risk.

No matter how much sleep you get, you just feel exhausted and emotionally depleted, which can mimic depression and even anxiety. You may even struggle to sleep, such as trouble falling asleep or staying asleep. And when we are stressed out, our cortisol increases and it gets harder to shut down our minds, which causes us to toss and turn and reduce deep sleep or even getting enough REM. And when we don't get proper sleep, stress levels increase. Mental state can start shifting to anxiety and depression symptoms. And when we're overly anxious or experience depression symptoms, we start to get sick way more often, such as gastrointestinal issues, headaches, infections, colds, flus, colds, rashes, irritated skin, lower immune system.
Our joints and muscles are getting stiff because our body is on survival mode thinking that there's a perceived threat. It can then turn into a muscle weakness and fatigue. If left untreated, prolonged stress increases high blood pressure, heart attacks and strokes because there's too much adrenaline and cortisol over an extended period. Clearly burnout is not a joke. It's actually extremely serious. And we have a real problem in our industry that's leading our colleagues and ourselves into this situation. And recently this week, the WHO released a statement about when we're working past 40 hours a week we're putting ourselves into this situation.

So let's look at the results of our industry. The reality of working in security: that high demand, 24/7. 21% of CSOs said that they have taken a leave of absence because of job related stress. 41% of CSOs took the significant step even though many reported being afraid to take sick days and 35% neglected to take all their allotted time off. 48% of CSOs said that their work stress has impacted their mental health while 35% said it impacted their physical health. 40% of CSOs said that their work stress has impacted their relationship with their families and children and 32% said it impacted their relationships with spouses or romantic partners and 32% said it impacted their relationships with friends. 23% stated that they've been using medication or alcohol to manage stress.

I wanna just state that these statistics were released in 2020 but took data from 2019. These numbers are definitely not relevant to today in many ways. If anything, they may be much higher. The other thing to understand is that 94% of American CSOs and 95% of UK CSOs reported working more than their contracted hours. On average, 10 hours per week more. In addition, 83% of American C-suite execs and 73% of UK execs confirm they do indeed expect security teams to work longer hours. In other words, we are expected to work beyond normal work hours.
You have to understand, there aren't really too many roles that are like that. Sure, sales does, but it's not like sales are gonna get phone calls in the middle of the night because of some sort of incident. But we will, we get it all the time. CSO is the manager and leader, and having someone who's burned out that leads can become really dangerous to employers, security risk and increase in the possibilities of managerial issues. Coping with such issues can lead to themselves medicating on the job and walking on a very thin line of what is appropriate. But once again, this is not a CSO's fault. It is a system that is broken, an industry that isn't sufficient in the long run. It's an industry that continues to fail us and runs on people being burned out.

I wanna take a moment here. I want you to understand that we have a foundation that doesn't empower us. We have a foundation that disempowers us in every single way. And there's no wonder we have a rotating door in mental health crisis in our industry. And I'm about to show you why it's like this.

So why are we so burned out? You probably have ideas already. But for those that aren't aware what security team personnel are doing and what's happening on their side, I hope this gives you a good idea. By being in security, we are monitoring and operating 24/7. And sometimes we work throughout the middle of the night. Sometimes we cannot sleep well because we're always at the edge of our seat when it comes to security because we know attackers work all hours. And we are always worried when a breach will occur because we all know if there was a breach, it would be ad hoc style to fix it.

Don't believe me? According to the Ponemon Institute, while security response planning is slowly improving, the vast majority of organizations surveyed, 74%, are still reporting that their plans are either ad hoc, applied inconsistently, or that they have no plans at all.
Additionally, more than half, 52% of those with security response plans, said that they've never reviewed or have no set time period for reviewing or testing those plans. And with COVID-19 and working from home, how many of these plans have been updated? Yeah, this is one of the reasons why there was a 400% increase of successful breaches.

So instead of doing better planning and having less disruption, we tend to throw tools at the problem. We always do this because it's so much easier to throw tools at something than to actually understand the situation and how the human element plays a huge role here, because the human element is complex. It is different from one person to another, but the reality is tools don't always solve the problem because we're actually making the situation worse by doing so, because when we add tools to it, guess what? It's not in the plan and coordination is off. And these third-party tools, we have no idea how secure they really are.

Are you feeling stressed out yet? Perhaps cortisol levels rising? No? Well, I want you to imagine a situation. I want you to imagine you're part of a crew and you just found out your ship is sinking, but you found out after some time because you were not alerted by your system. Your customers are aboard, trusting you for their safety. Your team is scared and some are paralyzed by the fear of failing, but they're trying their best, but there's a catch here. Your entire team hasn't slept well and has sea sickness. So they're not exactly 100% state of mind. If anything, you could say they kind of are functioning at the same rate and scope as someone who is burned out.

Okay, now you have the backstory. Now I want you to imagine your captain pulls out the safety binder to know what is the protocol. Unfortunately, that binder that was updated is not on that ship. So you're using an old procedure but have new features to the ship. Are you stressed out now?
Because this is what it's like when we're dealing with bad plans and when the human element is taken out. It leaves you with a wreckage. The truth is bad actors are everywhere and attack at all hours, zero days drop often and we constantly need to be up to date on what the bad actors use. That takes time and energy. This is why we are struggling. We are part of the crew and when we don't function well or communicate well, it becomes a really, really scary situation.

The reason we are in security is because we know how incredibly important it is, but we also need to come to terms that if we work around the clock and don't practice self-care or even promote employee wellness, what's the point? Because then we can be a danger to the organization as well if we're running on low battery, feeling not well. And this is why burnout matters. This is why if we keep turning to tools and not finding time to plan, practice and self-care, we become the security team that sinks. We won't be able to fix a breach fast and it's really scary.

And please don't turn around now and blame your employees if they're not performing as well, because for the majority of you, that is what happens. You let the team member go without checking to see what have you done that has reduced their performance, because chances are they're burned out and feeling alone. With COVID-19, we're taking care of family members on camera daily, unable to leave. We must put off important life events. We've lost people close to us. Our colleagues are struggling. We're worried about keeping our job. We're worried about affording the life we have. We have COVID, we may not make it through COVID. We are not a machine, we're completely human. And the human element created security and runs security. And we're all struggling with staying okay before COVID and even during COVID, except New Zealand.

So how can we lead like the prime minister of New Zealand?
Think about it, she worked with people and she planned with specialists and when you plan, there's less disruption. So let's talk about four ways how you can invest in your team.

Investment number one, listen, take action together. Be strong, be kind, ask your team what they need. Don't just listen, take actions. When we listen to each other and strategize together on how to improve the team and our department, it reduces the stress because stress happens when we're not being listened to or feel uncomfortable to speak up. Your colleagues may share that certain tools aren't needed or there's a tool that does five things all in one that is better. They may share what is missing on the team and perhaps less meetings are needed. By working together on what are the issues, we can actually collaborate together on how to reduce the issues or completely resolve them.

Investment number two, plan together, strategize together. With collaboration and listening, working together with the team to make strategies and revisit your security response plans, make it up to date. Revisit a plan every time a new tool is removed or added or a team member changed or an environment changed and so on. By creating and making solid plans, it helps speed up the recovery and reduces the stress of when a breach occurs, that there's a plan to follow up that's up to date. You owe it to yourselves, your colleagues, your org and your customers. I mean, look at what New Zealand did. They planned. They had 25 deaths versus the US. We had over 563,000 deaths in the US because someone didn't want to plan or take actions or listen to their team.

Investment number three, encourage self-care. Studies have shown that when dealing with burnout, taking one week off away from work or anything related to work provides recovery for burnout. If your employee is burned out, make sure that they feel supported to take time off and also encourage it often to the team.
The majority of employees in security are afraid to take time off because they feel guilty for not being there to help their team and are giving more work to their colleagues or coming back to a dumpster fire. If you can, give everyone one day off a month for a mental health break. And lastly, make sure you have one day per week dedicated to not having any meetings. This allows your colleagues to catch up on any IMs or projects. And plus, come on, we all have Zoom fatigue a little bit here.

Investment number four, be kind and respect boundaries. Please be kind to one another because from what we have learned, when we work together and understand how we impact others, we start practicing empathy. And empathy is certainly missing at times in our industry. But by listening and being there for one another, it reminds us that there's people who care for each other because we cannot assume how someone is doing by how they look or their performance. We don't know how each other and what we're going through. So instead of going at someone, reframe and think before you speak or act because you really don't know how that will impact the other person. So as New Zealand shares, be kind, because that's the element we need to stick together to protect the world from the darkness. But also know that being kind is respecting work boundaries, such as that six feet of distance and a mask.

So what can you do right now? This is only gonna take you maybe five minutes to do, maybe 15 minutes at most. Right now you can take a screenshot of this portion of this slide and save that. It only takes five to 15 minutes to do this right now. It's called set weekly one-on-ones for 15 minutes with each employee. Basically this one-on-one meeting is the time where you go over projects that are coming up and being able to be on the same page on what to prioritize. But also it's being there for your employee. Now the one thing to keep in mind though is that when you do this, you don't micromanage.
You don't follow up on anything throughout the week. That means once a week you meet with them for 15 minutes. If they need anything, they'll come to you. That's what it means. When we micromanage people, we're setting them up to fail or actually setting them up to get burned out. We're setting them up to leave. And so it's really important that we do these one-on-ones for 15 minutes so we all are on the same page and then it's hands off.

Make Monday or Friday a no meetings day. So one day per week it's set in your department that you will have no meetings on that day.

The other thing you do is set up a meeting with the team to explore ways to improve together. So just set something up. Next week or the following week, a one-hour meeting of being like, okay guys, how can we do better? What can I do to help your team out? How can we do better? And if you're not the manager that's okay, go to your manager and be like, hey, I think that we should all have a meeting and discuss how we can do better. Your manager will probably like that idea, to be honest, because they're always wondering how to do better if they're a good manager, that is.

Also create an anonymous survey and really get the feedback from your colleagues on how to do better. Now I wanna say it has to be anonymous because the chances are people are still not gonna participate because they're always worried that it's actually not anonymous. So if you want real results, you're gonna have to ensure it's anonymous.

And lastly, remember when we work together and listen to each other, magic happens. When we work together making sure people get personal time off without them fearing or taking time away, we are then becoming collaborative. When we collaborate, we reduce the stressful items that hold back the team from thriving. And when we focus on balancing work and personal life for everyone, that's when we no longer have that dumpster fire. Burnout as a security concern, no more.
Because we know we are human and the human element rules the world we live in. And whenever in doubt, just remember if New Zealand can plan well, so can you, because in all this, there's a Frodo within us who's on a journey to get rid of some malicious threat.

So quick overview is that burnout places you and your team at a security risk and also a personal risk, a health risk. Collaborate to form strategies to improve the team. It's called teamwork for making a very bad environment where no one's talking to each other in a collaborative fashion. Start making plans and revisit security response plans. This is so critical. Like we have to be on top of that because you'll be helping your team members out by doing so. Promote self-care by being kind and respectful to boundaries. In this sense, don't call or text after work hours. Don't even Slack after work hours, email. And make sure that you let your colleagues know when you email, it doesn't need to be responded to right away. It's just to put it out there so we don't forget about that item. That is gonna be the best way forward.

Anyway, I just wanna say thank you all for having me thank you in more sec. This was awesome to be part of and I hope everyone's staying safe. So thank you so much for existing. And if you wanna stay in touch with me, feel free. I'm on Twitter, Instagram and LinkedIn. Feel free to follow or add me as a friend. Totally down for that at any time.