How should I spend my time as a CISO?

I decided that I would like to write again for Medium. For those of you that read my SecArch Files, I’ll do so under a new name given this new topic: CISO Contemplations. Moving from consulting to a new and executive role within my organisation is a big change for me. I will be sharing some of the questions I ask myself and how I go about solving them to become a better CISO. I am looking forward to your feedback and I hope these articles will help you in your role.

We’re coming to a close of week 2 in my new role as CISO. Counter to common consultant-practices, I am trying to ‘experience the organisation’ first. Quite passive — simply noticing how the team and our broader IT team works. As a consultant you are asked to address a specific situation, and problem-solving overdrive mode is our go-to. But the span of control of a CISO is quite wide. And so I first need to figure out what that span looks like before I can surmise what is going well and what needs work.

One of the things I have noticed is that the entire world now wants to meet with me. And I like meeting them. Building a strong network is the foundation for CISO success. But I also sat into meetings where I was unsure why I was attending. Having worked for other CISOs as a consultant, many felt they were only ‘firefighting’. They were going from incident to incident and had not enough time for strategy setting. That’s why this first ‘contemplation’ is on how I want to spend my time as a CISO.

On tracking time

As a consultant I made use of a time tracker ( Timeular, in case you’re curious, but I’m a fan of Rescuetime as well — check out their time management blog). The use of my time tracker changed over time. When I had more than one client, I used to track my billable time for each. When we went in lockdown I used it to be mindful of how I spent my time, as it was more easy to forget about taking a break. When I wasn’t doing so well, I made an activity heatmap (with axes for adding/draining energy and good/bad results). I first tried to divest activities that weren’t going well or draining energy. I then used my time tracker to be aware of and reduce time spent on energy draining activities. I find time tracking an effective way of reminding you of how you spend your time. And if you reflect on those results, you can set a strategy to refocus on the actions that matter to you.

Finding your time buckets

In my new role as CISO my activities will be different then as a consultant. For instance, I will not be working for clients anymore. Nor do I need to do sales or manage a project administration. Like I had ‘buckets of time’ as a consultant, I’ll need to go and discover those for the CISO role. Based on the last two weeks, my first guess is that these are the eight (my Timeular tracker has eight faces) buckets. I have tried to make them MECE:

  1. People Quality Time. Meeting new people, maintaining relationships, coaching people in my team.
  2. Management. Interacting with our Dutch IT Management, the Information Security Team or CISOs from other countries.
  3. Personal Growth. Hard skills or soft skills training and receiving coaching.
  4. Security Strategy: Why are we doing this? Reviewing security maturity and business needs, vocalising a strategy, setting up improvement initiatives.
  5. Security Management: What are we doing? Decision-making on risks, budget, time, people allocation and program SteerCo’s.
  6. Security Operations: Let’s do something! Most operational responsibilities are with my team. I support in navigating business & IT through security processes, reviewing plans and incident management.
  7. Internal Community Impact. Sharing my vision and explaining security throughout the company’s business & IT. This can also be on talent, culture, leadership, D&I, sustainability and purpose.
  8. External Community Impact. Sharing my vision and explaining security outside of the company. E.g. by speaking on conferences, presence on social media, networking with other CISOs.

These are the things that I have come up with based on my first two weeks. I am curious to hear from you whether you use different ‘buckets’ or you think I missed out on something. I am also not sure whether these are all things I should be doing. I e.g. noticed I took part in quite some ‘security operations’ the last two weeks. To what extent are these part of my duties? Or were people just roping me into their work?

Setting time goals

Awareness is one part of the puzzle, but how to make sure that you spend the time you want to spend on the right things? I like to do so by setting ‘time goals’, meaning beforehand specifying what my ideal week would look like. Then every week I compare how I did in relation to those goals and look for recurring items that fall into the wrong categories. Of course, not every week is going to be equal. But if you have four weeks in a row without any security strategy setting, something’s got to give. Time allocation preferences are partly personal, but here’s my first attempt at goals:

  1. People Quality Time: 20% (8 hours)
  2. Security Strategy: 20% (8 hours)
  3. Security Management: 15% (6 hours)
  4. Management: 10% (4 hours)
  5. Personal Growth: 10% (4 hours)
  6. Security Operations: 10% (4 hours)
  7. Internal Community Impact: 7.5% (3 hours)
  8. External Community Impact: 7.5% (3 hours)

You’ll notice I have taken a 40-hour workweek as the basis. As a leader I like to role model a healthy work-life balance. I may work more when I want to, but sticking to a ‘normal’ week makes it much easier for the people around me to do the same. Besides, this entire post is about working more effectively. If you can’t do the things you need to do in this time, the first step should be to cut out the things that matter less instead of working more.

Performing a time audit

I looked back over the last week at my time expenditure to establish a baseline. I assigned each of my meetings to a category. Since I did this audit after the week was over, I had to guestimate in which category to place the time between meetings. For upcoming weeks I will track this real-time with my tracker. This was one week and my schedule is still ‘developing’ as a I settle in, so it may not be representative of the ‘typical’ CISO schedule. It would be interesting to update this post with averages over a period of 2 months.

The results over this week show that security operations took a lot of my time. I did not spend enough time on security strategy. I said at the start of this post that I was ‘experiencing the company’ before bringing any ideas, so this is not surprising. Plus, security operations are an excellent way to learn how security in our company works. But this pattern, like with other CISOs, is something to be mindful of towards the future. For the upcoming time, I have now blocked 8-ish hours every week in my agenda to spend on security strategy. And who knows? We may find out that is 8 hours is too much and I should be re-routing it somewhere else. The other categories look pretty balanced when it comes to expenditure versus goal. I know I have weeks coming up that lean towards certain categories, so it will be interesting to see how the averages develop over time.

In conclusion

Do you think the way I’ve currently divided time in my CISO role makes sense? How do you divide your time if you’re in a similar role? And how do you steer your time or keep yourself accountable for spending your time right? I would be curious to hear your thoughts. Also, let me know if there are any future ‘CISO contemplation’ topics you would be interested in!

This article is written on my personal title. Although I talk about my experiences at work, this article does not necessarily represent the views of my employer.

Originally published at https://www.linkedin.com.

Specialist in Security Architecture | Director @ The SABSA Institute’s BoT | Diversity & Inclusion Champion | Conference Speaker | Personal account