How should I spend my time as a CISO?

On tracking time

As a consultant I made use of a time tracker (Timeular, in case you’re curious, but I’m a fan of Rescuetime as well; check out their time management blog). The way I used my time tracker changed over time. When I had more than one client, I tracked my billable time for each. When we went into lockdown I used it to be mindful of how I spent my time, as it was easier to forget about taking a break. When I wasn’t doing so well, I made an activity heatmap (with axes for adding/draining energy and good/bad results). I first tried to divest activities that weren’t going well or were draining energy. I then used my time tracker to be aware of, and reduce, the time spent on energy-draining activities. I find time tracking an effective way of reminding yourself how you spend your time. And if you reflect on those results, you can set a strategy to refocus on the actions that matter to you.

Finding your time buckets

In my new role as CISO my activities will be different from those I had as a consultant. For instance, I will no longer be working for clients, nor do I need to do sales or manage a project administration. Just as I had ‘buckets of time’ as a consultant, I’ll need to discover the buckets for the CISO role. Based on the last two weeks, my first guess is that these are the eight buckets (my Timeular tracker has eight faces). I have tried to make them MECE (mutually exclusive, collectively exhaustive):

  1. People Quality Time. Meeting new people, maintaining relationships, coaching people in my team.
  2. Management. Interacting with our Dutch IT Management, the Information Security Team or CISOs from other countries.
  3. Personal Growth. Hard skills or soft skills training and receiving coaching.
  4. Security Strategy: Why are we doing this? Reviewing security maturity and business needs, vocalising a strategy, setting up improvement initiatives.
  5. Security Management: What are we doing? Decision-making on risks, budget, time, people allocation and program SteerCo’s.
  6. Security Operations: Let’s do something! Most operational responsibilities lie with my team. My part is supporting business & IT in navigating security processes, reviewing plans and incident management.
  7. Internal Community Impact. Sharing my vision and explaining security throughout the company’s business & IT. This can also be on talent, culture, leadership, D&I, sustainability and purpose.
  8. External Community Impact. Sharing my vision and explaining security outside of the company. E.g. by speaking at conferences, being present on social media and networking with other CISOs.

Setting time goals

Awareness is one part of the puzzle, but how do you make sure you actually spend the time you want on the right things? I like to do so by setting ‘time goals’: specifying beforehand what my ideal week would look like. Then every week I compare how I did against those goals and look for recurring items that fall into the wrong categories. Of course, not every week is going to be equal. But if you have four weeks in a row without any security strategy setting, something’s got to give. Time allocation preferences are partly personal, but here’s my first attempt at goals, as shares of a 40-hour week:

  1. People Quality Time: 20% (8 hours)
  2. Security Strategy: 20% (8 hours)
  3. Security Management: 15% (6 hours)
  4. Management: 10% (4 hours)
  5. Personal Growth: 10% (4 hours)
  6. Security Operations: 10% (4 hours)
  7. Internal Community Impact: 7.5% (3 hours)
  8. External Community Impact: 7.5% (3 hours)

Performing a time audit

I looked back over the last week’s time expenditure to establish a baseline, assigning each of my meetings to a category. Since I did this audit after the week was over, I had to guesstimate which category the time between meetings belonged to. For upcoming weeks I will track this in real time with my tracker. This was one week and my schedule is still ‘developing’ as I settle in, so it may not be representative of the ‘typical’ CISO schedule. It would be interesting to update this post with averages over a period of 2 months.
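As an added illustration of the weekly comparison described in the last two sections (this is example code written for this edit, not the author’s tooling and not anything exported from Timeular): the goal shares are the post’s own numbers, the 40-hour week is the basis the hours in the post imply, and the four weeks of tracked entries are constructed sample data. The script turns the percentage goals into hours, tallies a week’s tracked entries per bucket, reports the delta against the goal, and applies the ‘four weeks in a row with nothing in a bucket’ rule.

```python
"""Weekly time audit against 'time goals' (constructed example)."""
from collections import Counter

WEEK_HOURS = 40  # the post's hour figures are shares of a 40-hour week

# Goal shares from the post: bucket -> percentage of the week.
GOALS = {
    "People Quality Time": 20.0,
    "Security Strategy": 20.0,
    "Security Management": 15.0,
    "Management": 10.0,
    "Personal Growth": 10.0,
    "Security Operations": 10.0,
    "Internal Community Impact": 7.5,
    "External Community Impact": 7.5,
}

# Constructed sample data, not real tracker output: four weeks, each a list
# of (bucket, hours) entries as a tracker would record them. Weeks need not
# add up to 40; the remainder is untracked time between meetings.
SAMPLE_WEEKS = [
    [("People Quality Time", 6), ("Security Management", 9), ("Management", 6),
     ("Personal Growth", 2), ("Security Operations", 8),
     ("Internal Community Impact", 3)],
    [("People Quality Time", 7), ("Security Management", 8), ("Management", 5),
     ("Personal Growth", 1), ("Security Operations", 10),
     ("Internal Community Impact", 4), ("External Community Impact", 2)],
    [("People Quality Time", 5), ("Security Management", 7), ("Management", 6),
     ("Security Operations", 12), ("Internal Community Impact", 2)],
    [("People Quality Time", 8), ("Security Management", 6), ("Management", 7),
     ("Personal Growth", 3), ("Security Operations", 9),
     ("Internal Community Impact", 3), ("External Community Impact", 1)],
]


def goal_hours(goals=GOALS, week_hours=WEEK_HOURS):
    """Translate percentage goals into hours. The shares must sum to 100,
    otherwise the buckets are not collectively exhaustive."""
    total = sum(goals.values())
    if abs(total - 100.0) > 1e-9:
        raise ValueError(f"goal shares sum to {total}, not 100")
    return {bucket: week_hours * share / 100 for bucket, share in goals.items()}


def tally(entries, goals=GOALS):
    """Sum tracked hours per bucket. An entry in an unknown bucket is an
    error: the buckets are meant to be MECE, so every entry must fit one."""
    hours = Counter()
    for bucket, h in entries:
        if bucket not in goals:
            raise KeyError(f"unknown bucket {bucket!r}")
        hours[bucket] += h
    return {bucket: hours[bucket] for bucket in goals}


def untracked_hours(entries, week_hours=WEEK_HOURS):
    """Hours of the week not covered by any entry (the part that had to be
    guesstimated in the post's retrospective audit)."""
    return week_hours - sum(h for _, h in entries)


def audit_week(entries, goals=GOALS, week_hours=WEEK_HOURS):
    """Compare one week to the goals: bucket -> (tracked, goal, delta) in
    hours, where a negative delta means the bucket was under target."""
    target = goal_hours(goals, week_hours)
    actual = tally(entries, goals)
    return {b: (actual[b], target[b], actual[b] - target[b]) for b in goals}


def recurring_gaps(weeks, goals=GOALS, min_hours=0.0, streak=4):
    """Buckets that got at most `min_hours` in each of the last `streak`
    weeks. With the defaults this is the post's rule: four weeks in a row
    without any Security Strategy time is a signal that something has to give."""
    if len(weeks) < streak:
        return []
    recent = [tally(week, goals) for week in weeks[-streak:]]
    return [b for b in goals if all(week[b] <= min_hours for week in recent)]


if __name__ == "__main__":
    last = SAMPLE_WEEKS[-1]
    print(f"{'bucket':28} {'tracked':>8} {'goal':>6} {'delta':>6}")
    for bucket, (tracked, goal, delta) in audit_week(last).items():
        print(f"{bucket:28} {tracked:8.1f} {goal:6.1f} {delta:+6.1f}")
    print(f"untracked: {untracked_hours(last)} h")
    print("recurring gaps over 4 weeks:", recurring_gaps(SAMPLE_WEEKS))
```

Running it on the constructed weeks reports Security Operations well over its 4-hour goal and Security Strategy at zero, and the 4-week rule flags only Security Strategy, because External Community Impact got a couple of hours in one of the weeks. Swap in your own tracker export for SAMPLE_WEEKS and adjust `min_hours` if you want to flag buckets that are merely starved rather than completely empty.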

In conclusion

Do you think the way I’ve currently divided time in my CISO role makes sense? How do you divide your time if you’re in a similar role? And how do you steer your time or keep yourself accountable for spending your time right? I would be curious to hear your thoughts. Also, let me know if there are any future ‘CISO contemplation’ topics you would be interested in!



Esther Schagen-van Luit
Specialist in Security Architecture | Director @ The SABSA Institute’s BoT | Diversity & Inclusion Champion | Conference Speaker | Personal account