Being a CISO can be a horrible job

2nd April 2019

Sarah Rees headshot

Sarah Rees

Phil Huggins headshot

Phil Huggins, an IT security professional with over two decades of experience, was not surprised by the alarming findings of Nominet’s CISO research, Life Inside the Perimeter. Most notably, he could relate to the fact that nearly 17% of CISOs are self-medicating or using alcohol to deal with the stress.

“Being a CISO can be a horrible job,” he admits. “It can be incredibly stressful if you have mismatched expectations with your executive team, you don’t have the resources, or you’re being held to account for failures that are beyond your control.” Phil can himself recall periods of misery, such as when an executive pointed out that any mistakes Phil made could result in the deaths of hundreds of people. “I didn’t sleep for week,” he says, “but I just carried on, which is not a good idea.”

Indeed, he believes the culture that has built up around the male-dominated job has in part contributed to the problem. CISOs are expected to cope; stress becomes a badge of honour. “There is a lot of drinking to celebrate the success of breaking things,” says Phil. “The macho culture is not healthy. And the cyber security incidents themselves can be intense. A friend of mine ended up in hospital because he was working 18 hours a day for weeks trying to cope with a security incident.”

It all paints a grim picture of a job that Phil fell into sideways. “I had no idea at school what I wanted to do,” he says. “I was never driven to a career, it all just happened to me.” He enjoyed History, and work experience led him to archaeology after meeting an archaeologist “who seemed so chilled that I figured it was an easy job!”

Phil qualified, and was working in Oxford when an ankle break restricted him to the office to help the IT manager. “I hadn’t realised how much data is involved in archaeology,” he says. It compelled him to specialise. It was while studying for a masters in archaeological computing that a friend of his offered him a job designing websites with the Ministry of Defence. “I was the only person he knew who sort of understood computers,” Phil says, “and the money was so much better than archaeology that I just went for it.”

His flippancy, and the unconventionality of his route into the IT world, are misleading; Phil is passionate about the field he has now worked within for 23 years. He has also come to realise that his innate skills make him well suited to a role that didn’t even exist when he was a youngster in Dorset, losing himself in ‘cyber punk’ science fiction and Wired.

“I am quite good at seeing the world as a system. I can place lots of information from different disciplines into context to create a systematic view of how they interact with each other, and from that I can derive meaning,” he explains. “History was great for that, and it has proved incredibly useful for cyber security. It helps me identify where an issue is within a complex system.”

He also loves improving things, for which his chosen field can cater ad infinitum. “I look at cyber security as a fantastic opportunity to improve things all over the place,” he says with a laugh. “There’s a lot we can do better, and I think we should be trying.”

One of the most pressing problems is the lack of clarity, both around what cyber security is – “it’s so much more than an IT specialism” – and what the CISO’s role should be. Phil explains that there can be too many discrepancies between “what you as the CISO think the job is, what the job spec is, and what the expectations of the management team around you are.”

“And then this will change over time,” he adds. “If you get a new team of executives in, they will have a completely different idea of what a CISO should do.”

Meanwhile, Phil sees two different types of CISO emerging from different organisational styles. “There’s a bifurcation happening. In the big businesses, being a CISO is becoming about business awareness, risk management, strategic alignment, and moving away from the technology. But then in the tech-first companies, you see the technical CISO rising through the ranks, with CISOs who are writing code.”

Phil is one of a rare breed that keeps a foot in both camps. He has considerable experience within large, complex organisations such as the Prudential, prioritising strategic leadership and stakeholder management, but he also consults for ‘tech first’, agile start-ups where he has to get his hands dirty. “I don’t have a team in small start-ups, I have to do the technical work myself. It’s good for my skills. It reminds you of what is practical, and what matters.”

Having now done almost every role going within cyber security, maturing with the discipline itself, Phil is intrigued to see what comes next. That said, the pressure of the role still provokes the odd career change fantasy. He says: “I remember sitting in a mall in the US and watching one of the fountains that coordinated with lights and music”.

“It is obviously quite a complex thing to create, and it struck me that a job making it would be really interesting and yet one of the few instances where you are doing nothing but good for the world. It’s simply making people happy. I thought that would be alright.”

Happiness is something he takes seriously now, and he urges his peer group to recognise it is as a priority. “If we don’t look after self-care, if we don’t look after our teams, we’re going to break ourselves,” he warns. “I’m not surprised about the drinking and the drugs among CISOs because, where’s our outlet?”

Download Nominet’s ‘Life inside the Perimeter: Understanding the Modern CISO’ report or find out more about our cyber security services. Read about other CISOs on our blog, including Nando’s Lachlan George and Revolut’s Paul Heffernan. Find out more about a new set of CxO Priorities Cards for CISOs that Phil recently developed with Matt Ballantine.

Life Inside the Perimeter: Understanding the Modern CISO

Download here
CISO report