Burnout: Destabilizing Retention Goals and Threatening Organizational Security Chloe Messdaghi MICHAEL: We’ve got a whole bunch of development talks. In fact, the upcoming talk by Chloe Messdaghi and a topic that many of us can probably relate to. Burnout: Destabilizing Retention Goals and Threatening Organizational Security. Before we start, I would like to take a moment it thank all of our sponsors. We have iNE and eLearn Security, Axonius, MongoDB, Juniper Networks, Corelight, Google, We Hack Purple, BridgeCrew.
Thank you to all of them for making this event possible. Also, don’t forget to check out all the other things we have going on. We have awesome villages like the IoT village and the mental health village. We have the expo booth that has not only our wonderful sponsors, but also there’s people who are looking to do hiring, community organizations that you can join. They’re not for profits that we support that many of you may not know about and be interested in.
Different booths have swag, contests and raffles. Check out all of these wonderful things. And now we have our speaker. Someone I’m honored to have the opportunity to introduce. Chloe Messdaghi is an award winning changemaker, innovating tech and innovation security sectors to meet today and future demands by accelerating startups and empowering organizations and people to stand out from the crowd. She is an international keynote speaker at major tech conferences and events and serves as a trusted source to reporters and editors such as Forbes and Business Insider.
Additionally, she’s one of business insider’s 50 power plays. And outside of work, co founder of Hacking is NOT a Crime. And We Open Tech. So, without further ado, here is Chloe Messdaghi. CHLOE: Hi, en. And thank you so much, Michael, for the wonderful intro. I’m very touched. Thank you so much for that. I’m gonna play these slides now. For everyone, welcome to this burnout session. And I want to just put one thing in here. Now, slides I’m gonna talk a lot about how we need to be better and how we as an industry can be better.
But there’s one part that I left out in it, and I wanted to speak on that really quickly. A lot of times when we think of burn out, it is when it comes to our companies. The workload and not balancing our personal life. But I also want to mention a particular thing, which is our industry. And particularly on social media. Burnout doesn’t just occur in our work, in our daily life. It also happens when we’re on Twitter. We are non stop seeing a lot of really concerning things happening on Twitter within InfoSec.
And it’s really important that we keep an eye out. There’s so much cyber bullying that is happening. And that also leads to burn out. But also, it can lead to people leaving our industry. So, we need to do better on that front. I wanted to bring that up really fast. Because I know it’s not in the slides. Talking about social media. But I have seen people get burned out from it because they’re seeing the drama unfolding and just can’t believe what they’re seeing.
So, let’s try to be better with each other. Because that’s how we are as a community. And I think this is the time where we need to come together a lot more than ever before. So, let’s dive into the slide deck now. So, welcome to Burnout: Destabilizing Retention Goals and Threatening Organizational Security. And overall, just think of it this way, burnout can be a security threat. So, let’s dive into that, shall we. But first, for those that do not know me, Michael did a fabulous job sharing a little bit about myself.
But I’m the co founder of We Open Tech, and hacking is not a crime. And we have been working to get organizations to sign a pledge guaranteeing that they’re going to do whatever they can to increase the voices of marginalized representation in leadership positions. Because leadership is the one in charge of vision. And in order for us to actually have diversity, equity and inclusion, we must have representation at the top. Because there is a trickledown effect and that’s what we do.
I really recommend for everyone to check that out. Because we need this. We need this a long time ago. And time’s up. The other organizations you may have heard of, which is We Open Tech which is an organization for marginalized genders to all come together in tech and security. And for allies too. Because allies, we’re not going to get anywhere. It’s really to bring a welcoming environment for all of us, whatever our gender is, that we can get whatever role we want in life and have the career that we should have.
Regardless of who we are. Hacking is not a crime is another organization that I cofounded with my friend Brian. And we’re basically trying to change things by challenging public perception of the hacker community. So, then we can get a change when it comes to out of date legislation. Because hackers deserve protections, and they deserve rights. And it’s about time that we’ve had it. Because it’s been since the ‘80s since we’ve had legislation. And it’s even before Y2K.
It doesn’t even add up to even today’s standards. We need to revisit that. Other than that, just giving you the spiel of all the things I do. I’m a consultant at this time. I basically do product marketing. Mostly looking at organizations to help grow and be more strategic with their growth internally as well. I do provide an advice column for Security Boulevard called Ask Chloe. Every Friday it’s a new one. Feel free to ask a question so I can answer it.
It’s also anonymous. Host of the Changemaking podcast on ITSP Magazine. If you want to roll up your sleeves with the changemakers that are doing the work, this is a perfect place for you to learn about them. And if anything else that I’m missing out, go ahead and visit standoutintech. com. You’re not here to learn about me, you’re here to learn about the industry and what’s going on right now. This room may look really familiar to you. This is RSA conference actually about a year ago.
We’re all in this room. We had absolutely no idea what was heading our way. Some of us had doomsday idea. But we didn’t think it was ever gonna be what we have seen in the past year or so. But we were all in this, you know, going to events. We were like shaking hands, we were giving each other hugs. We were like yelling in each other’s ears because it’s noisy and crowded around us. And we have no what’s going to happen. That’s what happened later on.
And at that point by the end of 2020, we’re just wanting it to end. And even in 2021 at this time, there’s this glimmer of hope. And we can actually get there if we work together collaboratively. Because we have to. We have to come together. When we’re so broken up, we have to come together. But let’s also be real. To be able to come together, we have to recognize that right now we’re walking a very fine line of just being barely okay and terrible. And all of us have been dealing with burnout at some point this year.
Okay. Well, maybe not all of us. I’m looking at you, New Zealand. But even New Zealand, even before 2020, we’ve had ongoing issues. And it’s been because of our industry. The way that it’s set up is not for us to succeed. And that’s one of the reasons that we have to look at this. That this has been an ongoing problem before all the chaos in 2020. So, it’s best that we actually do something about it instead of just talking about it. And with burnout, we need to understand that we’re placing ourselves and our organizations at secure risk.
And we’ll most likely click on a link because we’re not 100% who we are. And we may not patch right or be overwhelmed by what is needed to be patched ASAP. But let’s also be real, sometimes we’re seen as bots and not as humans. And humans cannot handle 24⁄7 work. It’s just be realistic with each other. Because we’re working all hours and we’re expected to be on all calls. So, how do we even balance a personal life and a work life? Because burnout occurs when we do not practice self care.
And when our work demands more from us and we spend less time on our personal life, the balancing is completely gone and stress increases. We feel really guilty, and we struggle to sleep because we feel like we’re trying so hard not to drown. And you may even notice changes on your team such as your employs are withdrawn, and become angry or sad. Or delays in the email responses or projects. This can be seen in remote too. You don’t have to be present to not see it.
And right now, working from home and remotely has increased the number of work hours. It’s also increased this expectation and really increases the blurriness of work time and limits. And some people have quit at this point because they cannot handle the juggling of work and personal life because their company failed them. I want you to understand that. The company failed them. Because they couldn’t be more flexible. And they don’t practice inclusion and equity as well.
And that’s one of the things I’ll just quickly touch on is that we are all able to get burned out. But the ones that tend to get burned out the fastest are the ones that are always seen as the type A. The ones that always get their work done on time. And it’s very hard for them to recognize sometimes when they’re already feeling burned out. But also, when it comes to those marginalized persons inside our community, they are striving to be on top of everything and will take additional work and jobs because it’s already hard as it is to have that job.
Because job security isn’t there. So, that also is a contributing factor to always having this off balance lifestyle of life and work. Because we’re not doing any actual proper diversity, equity and inclusion at this time. And let’s be blunt. We haven’t had a 9 to 5 job for ages. It doesn’t exist anymore. And this is a contributing factor of why employers are pushing employees to work from 9 to 5. And yet they still send emails at all hours. They Slack you at all hours.
And this places you and your team at a losing situation because they feel obligated to respond. And this is why the burnout cycle continues. And for those who are not aware of what burnout starts to form and look like, it can be that it used to take a few minutes to respond to an email. But now it takes an hour or so. You feel exhausted and trapped. And you may even feel empty. You push yourself to your breaking point. And where you’re no longer coming up with ideas.
But rather, you’re taking meds to help with the aches. You’re overly anxious. And that could be over events. Like over deadlines, anything. And you can easily cry or get angry fast than usual. You may not respond to your friends or family when they call or text for some time. And then that’s when that guilt starts entering a little bit because your personal life is slipping, and your life is now your work. And you start to feel unappreciated for your work. And that gets even worse because you then start getting resentful at your job and you end up hating it.
You start dreading your job. And this is the moment where you may lose your team members. And sometimes it can get so bad that we have people that leave our industry because it’s left such a bad taste. And this is the thing that we have to understand and recognize. Because what we have been doing is putting employees at a huge health risk. And if you don’t believe me, here we go in here. So, something to keep in mind is no matter how much sleep, you just feel exhaust when had you’re burned out.
You feel also emotionally depleted. It can mimic depression. And have trouble falling asleep or staying to sleep. When we’re stressed out and cortisol levels increases, it is hard to shut down our minds. This causes us to toss and turn, and reduce deep sleep or even get enough REM. And when we don’t get proper sleep, the stress levels increase. And mental state can start shifting to depression and anxiety systems. When we’re overly anxious or experience depression symptoms, we start to get sick a lot more often.
And we start having gastrointestinal issues, headaches, infections, cold source, rashes, lower immune system. When our immune system is low and the stress is high, the bones and muscles are getting stiff. Your body is on survival mode, thinking it’s a perceived threat. It can even turn into muscle weakness and fatigue. If left untreated, this increased high blood pressure, heart attacks and strokes because there’s too much adrenaline and cortisol over an extended period.
So, overall, clearly burnout is not a joke. It’s actually very serious. And if we don’t take care of this right now, we are keep putting our colleagues in a huge risk. And ourselves as well. So, let’s start looking at the results of our industry. Of what happens when the reality of working in security. Because the high demand 24⁄7. So, these facts are taken from Dark Reading and I’m gonna read them to you. Please remember these stats in this research was collected priority the pandemic.
This article did come out in 2020. However, it does not reflect what we’ve gone through too this date point. So, please note that these statistics are probably much higher than what is being reported on the screen or what I’m reading out loud to you. 21% of CISOs said they taken a leave of absence due to job stress. 41% took the step even though many report being afraid to take sick days. 35% neglected to take all their time off. 48% of CISOs said their work stress impacted their mental health.
45% said this impacted their physical health. And 40% of CISOs said that their work stress impacted their relationships with their families or their children. And 32% said that it impacted their relationships with spouses or romantic partners. 32% said it’s impacted their relationship with their friends. 23 said they’re using medication or alcohol to manage stress. Once again, I want to reiterate. These stats are probably a lot higher than what I’m reading right now.
And it should also be stated that the other reason is that simply we’re also scared to be transparent with other people about the situation that we’re in. Especially when it comes to mental health. We don’t really talk about it with each other. And this is a problem. Because if we don’t talk about it, then how does it ever get addressed? So, here are some more stats around CISOs. 94% of the American CISOs and 95% of the UK CISOs reported that they worked beyond their contracted hours.
On average 10 hours a week or more. In addition, 83% of American C Suite execs and 73% of UK execs confirmed they do indeed expect security teams to work longer hours. In other words, we are expected to work beyond normal work hours. In other words, everything that we’re doing, we’re always gonna be expected to be on call. That means there’s never a moment to relax. Because you never know when you’ll be on call and it’s expected of you. This is not normal for most roles.
But it is for our industry. Now, the thing to understand is that the CISO is your manager and your leader. And having somebody who is burned out that leads can become very dangerous to employers. This can lead to security risk and increasing possibilities of managerial issues. Coping with such issues can lead to them self medicating on the job and making a very of what is appropriate. But once again, this is not the CISO’s fault. I want to reiterate. The CISO’s job is hard because whenever there’s a breach, they’re the first to be blamed and the first to be cut.
It is extremely stressful to have this role. And most CISOs only spend one year in the role in the first place. Those know once again, we have a system that is very, very broken. We have an industry that isn’t sufficient in the long run. And it’s never matured. And it’s in this industry that it continues to fail us. And it runs on people being burnt out. And I want to take a moment here. We have a foundation that doesn’t empower us. At all. We have a foundation that disempowers us in every single way.
And there’s no wonder we have a rotating door and a mental health crisis in our industry. And I’m about to show you why it’s like this. So, why are we so burned out? Well, of course, being in security, we monitor and operate 24⁄7. And sometimes we work throughout the middle of the night. And sometimes we cannot sleep well because we’re always at the edge of our seat. And when it comes to security. Because we know attackers work at all hours. And we’re always worried of when that breach will occur.
Because we all know that if there was a breach, it would be an ad hoc style to fix it. Don’t believe me? According to the Institute, while response planning is better over the years, the vast majority of interviews were 74%. And they’re reporting their plans are Ad Hoc or applied inconsistently or they have absolutely zero plans at all. And additionally, more than half, 52% of the security response plans said they never reviewed it since it was created.
Or it had no set time period of reviewing or testing those actual plans. So, with COVID 19 and working from home, how many of these plans have been updated? Yeah. This is one of the reasons why we had a 300% increase of breaches last year. And you know what we tend to do about it in our industry? We don’t we don’t think of better planning and having less disruption. We throw tools at it. Because it’s so much easier to understand the human element role that plays here.
It’s it’s so it draws it just I don’t know. As someone who came from outside the security world and came in, it is always the thing that we do. Which is like, oh, we have a problem. Let’s just do let’s just throw another tool in. The thing is, is that if you don’t have a proper foundation of understanding the human element plays a huge role in security, because security is built by humans in the first place, how are we gonna be successful? Throwing tools at it is not going to be helpful.
If anything, it’s going to make the situation a lot worse. Because when we add tools to it, guess what happens? It’s not in the plan and coordination is off and these third party tools. We don’t know how secure they really are. Are you feeling stressed out yet? Perhaps cortisol levels rising? No. Well, then I want you to imagine another situation. You know, cruise ship. You know this is going to get one of those type of stories. But I want you to imagine.
You’re a part of a crew. And you just found out your ship is sinking. But you found out after for some time because you weren’t alerted by your system. And your customers are on board trusting you for their safety. And your team is scared. And some are actually paralyzed by the fear of failing. But they’re trying their best. But there’s one thing you need to know. Your crew hasn’t slept at all for quite some time, and they have a bit of seasickness. I mean, you could actually say that they’re not exactly 100% state of mind.
They’re not 100% charged battery. If anything, you could say they’re kind of functioning as if they have burnout. Because it’s kind of the same rate and scope. Okay. So, now you have the back story. That’s your situation that you’re in. Now, imagine your captain pulls out the binder. This safety binder that you’re like, oh, thank god, there’s a protocol here. An incident response plan. And it’s up to date, right? No. Unfortunately, that binder that was updated is not on the ship.
And you’re actually having you are actually using a old procedure, but have new features to this ship. Are you stressed out now? Because this is what it’s like when we’re dealing with bad plans. And when the human element is not taken into account of. It leaves you with a wreckage. The truth is bad actors are everywhere. And they attack at all hours. And they drop often, and we constantly need to be up to date of what bad actors use. That takes energy and time.
And this is why we’re struggling. We’re a part of the crew and we don’t function well or communicate well, and it becomes a really scary situation. The reason we’re insecure is because we know how incredibly important it is. But we also need to come to terms that if we work around the clock and don’t practice self care, or even promote employee wellness, what’s the point of all of this? Because then we could be a danger to the organization. As well if we’re running on low battery and feeling not well.
And this is why burnout matters. It’s not just a trendy thing. It’s a very real thing. And this is why we keep turning to tools to try to fix our problem. And not find time to plan, prep, practice self care. We become that security team that sinks. We won’t be able to fix a breach fast. And it’s scary. And I really want to just reiterate here that, please, whatever you do, do not turn around and blame your employees for this. And because they’re not performing as well.
Because the majority of you, that is what you tend to do. You let go of a team member without checking to see what you could have done that that probably could have reduced their performance. Because chances are, they’re probably burned out and feeling very much alone. With COVID 19, we’re taking care of family members opinion on camera daily. Unable to leave our homes. Can’t see our friends and family. Some of us live alone. Some of us put off important life events.
We’ve also lost people. We’ve also are seeing our colleagues struggling. We’re trying to be there. We’re always worried about our ability to perform and keeping a job. We’re worried about affording the life that we have, and we’re worried about COVID. We’re worried we may not make it through either. We’re not a machine. We are human. The human element created security and runs security. We were all struggling with staying okay before COVID and during COVID.
And I want you to acknowledge that. Except New Zealand. Okay. I’m just going to be real with you. New Zealand had it pretty well. And there’s a reason why. And I want to talk about that. So, how can we lead like the Prime Minister of New Zealand? Think about it, she worked with people and planned. And when you plan, there’s less disruption. So, we’re going to go through a couple of investment things. So, here’s the first investment. Listen. Take action together.
In other words, be strong, be kind. Ask your team what they need. It’s so simple, right? Whenever people are like, how can I do better? Ask your team. Don’t ask me. Ask your team. They’re gonna tell you how to be better. Because they live in that environment. They know that environment. They are in there every single day doing the job they’re supposed to be doing. They’re hearing from their colleagues. They know how to do better. You just have to ask and listen.
And not just listen also, I just to want to reiterate this. Take an action. When we listen to each other and strategize together on how to improve the team and our department, it reduces stress for everyone. Because stress happens and we’re not being listened to. Or we feel uncomfortable to speak up. Your colleagues may share that certain tools aren’t needed. Or that there’s a tool that does like five things all in one that is better. And they may share what is missing on the team.
Perhaps less meetings are needed as well. By working together on what are the issues, we could collaborate together on how to reduce the issues or completely resolve them. Investment number 2. Plan together. Strategize together. With collaboration and listening, working together with the team to make strategies revisit your security response plans. Make it up to date. Revisit that plan every time a new tool is added or removed or there’s a team member change or environment change and so on.
It is so critical that by creating and making solid plans, it helps speed up your recovery. Reduces the stress of when a breach occurs. That there’s a plan to follow that’s up to date. You owe it to yourselves and your colleagues, your organization, your customers. I mean, look at what New Zealand did. They planned. Not only that, they strategized together. They had 25 deaths. You know how about we have had in the US? Over 560,000 deaths in the US. Because there were people that didn’t to want to listen to the people around them that knew how to do better.
And they didn’t want to take action on how they could do better. I know that’s controversial what I just said. But it is the truth. Because we have to work together. We have to listen to each other. We have to do that. Otherwise, we’re gonna fail all together. So, keep your ego in check on that one. Investment number 3, encourage self care. When dealing with burnout, taking one week off from work or anything related to work provides recovery for burn out.
And I want to say for like a mild to moderate burnout. If you have severe burnout, that could take two weeks or more. But that one week does help you recover slowly. So, if your employee is burnt out, allow them to take time off. And a lot of times we don’t want to take time off because we worry about our team members when we’re going. Or we’re more nervous of the thought we’re going to walk into when we come back. When you take time off, it helps a lot because we have a lot more clear space in our head so we’re able to take it on a little bit better.
So, it’s really important that we always encourage self care and taking time off and being flexible. That also means looking at work hours as well. And lastly, you should probably make sure to have one day per week where you have absolutely zero meetings. And this allows your colleagues to catch up on any items or projects. For investment number 4, be kind and respect boundaries. Please be kind to one another. It is so frustrating to see throughout a pandemic where people are being cruel to one another.
It’s not when the whole world seems like it’s in chaos, that is the time where we need to come together. We put our egos to the side or behind us. And we start thinking about how our actions impact others. It’s important that we understand that what we say and what we do can impact another individual. So, think it over before you take an action. It’s so important that we do this. Because we need to be kind to one another. Like seriously. It shouldn’t be like this sometimes.
Because from what we have learned, is that when we work together and understand how we impact others, we are then starting to practice empathy. And empathy is certainly missing at our times. In our industry. But by listening and being there for one another, it remind us that there’s people who care for each other. Because we cannot assume how one person is doing just by how they look. Or how they’re doing on their performance. You could be a high achiever and be in a really, really hard place.
So, it’s really important that we don’t know what each other is going through. But we can always be there for one another. And try to understand. So, instead of going at someone, refrain from that. And think before you speak or act. Because you really don’t know how that will impact another person. So, as New Zealand shares their be kind message, it’s because there’s an element that we need to stick together to protect the world together. But also, know that being kind is respecting work boundaries such as 6 feet distance and a mask.
So, what can you do right now? Okay. So, this is what I would love for you guys to do. Take a screen shot of this, or take a photo of this. Share it with the people around you. Share it with your employer. Share it with your boss. Share it with your colleagues. Because this only takes 15 minutes to do all these things right now that you see on here. Set up a weekly one on one for 15 minutes with each employee. If you’re a manager, you should be doing that.
And then after that one on one with them, don’t have any more meetings with them. Just do it once a week for up to 15 minutes. This is how you build a relationship. This is how you build trust. Because when you’re micromanaging, which was a really big issue throughout the pandemic for many folks. Because there’s this belief that if I don’t see you in the office, then I don’t think you’re working. So, micromanaging has been very high up there in a lot of complaints these days.
So, do this instead. Set up a weekly one on one for 15 minutes with your employee. And on that, talk about the products that are, you know, on the roadmap. And also, what are the items to prioritize? Make it a conversation. Be there for your employee. This is a great way how to start a trust. Now, the next thing you could do is make a Monday or a Friday a no meetings day. The reason I say Monday or Friday, because it doesn’t really impact the week that much.
Because usually a Monday or a Friday falls on a holiday. So, it doesn’t hurt as much. So, making one of those days as a no meetings day is great. Because that could be that day that everyone uses to conquer any projects that they’re behind or their emails. I don’t know about you, but I like interesting a zero inbox person. That would help a lot for the folks. The next is set up a meeting with the team to explore ways to improve together. This is important.
If you don’t have an incident response plan or it’s out of date or you don’t know if you have one, now is the time to talk about that. Meet, discuss. What tools do we have right now? What tools do we need? What tools do we not need? What things do we need on our team? How can I be a better manager? How can I be a better leader for our department talking to other departments? What can I do to make things better? Because as a manager, it’s your job to be a coach, a mentor.
It’s not your job to dictate how things should be. It’s about working together collaboratively and making sure that your team can thrive by pushing them up there. And also, the last thing that you can always do is create an unanimous survey. And I mean that, anonymous. And there might be not everyone who wants to respond because they’re worried if it actually is anonymous and they’re worried something is going happen. You want to try it, but you can’t enforce it.
You need to build trust. And trust is shown over time through actions. Now, lastly, remember, when we work together and listen to each other, magic does happen. And when we work together making sure people get personal time off without the fear of taking time off, we’re then becoming collaborative. And when we collaborate, we reduce the stressful items that hold back the team from thriving. When we focus on balancing work and personal life for everyone, that’s when we no longer have this dumpster fire.
And burnout is no longer a security concern for us. Because we know we are human, and we know that the human element rules the world that we live in. And whenever in doubt, just remember. If New Zealand can plan so well, so can you. Because in all of us, there’s a Frodo who is on a journey to get rid of some malicious threat. So, quick overview over this whole talk. If you spaced out at all. Turnout does place you and your team at a huge risk. Not just mentally, but physically as well.
The best way how to actually deal with burnout and reduce it is to collaborate to form strategies to improve the team by asking your team how to do better and listening and taking action. Start making plans and revisit secure response plans. Seriously. We need to do better at that. And I know we don’t really have enough time sometimes to go into a response plan and try to make it better. But we have to do this. We owe it to ourselves and everyone around us who are impacted by it.
It will help us. Because if there is a breach and we have an incident response plan that is up to date, we’re gonna be feeling a little bit better. Because we will know that we have everything covered as much as we did have it covered. And most importantly, promote self care by being kind and respectful to boundaries. Please respect one another, you guys. Please be nice to each other. It is so important that we do that. Because we’re in this community together.
We’re a small community. And it whenever something happens to someone, it does impact other people. So, we have to be aware of this. That our actions and words do hold value. And can also impact another individual positively and negatively. So, we must do better as ourselves. I just want to say thank you all so much for attending this talk. And if you want to ask any questions, I’m here. I do have over time. So, I’m going to stop sharing now my screen and answer any questions that you guys may have.
MICHAEL: So, haven’t seen many questions. That was that was actually a wonderful talk. There was a few things you mentioned in there that I noticed a lot of people, you know, personally related to. Especially the zero inbox. Yeah. That that’s like a myth as far as I know. So CHLOE: Yeah. There are strategies to get there. But I have to admit, how I do this actually might be a good skill for some other folks that have issue. So, what I do is I open my emails.
Every time I get an email, I open it. If it’s something that’s going to take longer than a couple minutes to respond, I have to review or look up or something, I star it. So, then I have a zero inbox at all times. But I go back to the star items when I have more time throughout the day. This helps me don’t get overwhelmed. Because I’m a type A person. I have to answer emails. So, it’s one thing. One way how to go about that, you still have that zero inbox thing.
But just note that it’s not the unread. It’s also knowing what to prioritize. That’s gonna help you out with that zero inbox idea. MICHAEL: Another thing that you actually, I’m going to take that into consideration. I have a tendency to star too many things. But another thing you mentioned that I really liked was you were you were saying that about how companies, you know, how they use tools and things. And I mentioned it in chat that they tend to when they have these breaches, you know, they want to add a red team.
And these are things that are very costly when, you know, the real truth is, if they had took, you know, took the time to, you know, pay attention to their employees and offered, you know, some sort of service, which would be a lot cheaper, they could probably avoid that and to some degree and it would be a lost more cost effective to them and a lot more healthy to them and the people that worked for them. CHLOE: Yeah. It’s like this constant situation of, I always think of like firefighting in some ways.
Where we’re so into putting out the fire that we don’t do preventive work. Because we’re like, well, I don’t see any return of investment. So, I don’t need to add money to this. But however, oh, my god, when there’s a breach. Suddenly, oh, here’s all the money in the world. And you’re like, where was this money before? We could have avoided this situation. I mean, as someone who worked in like marketing and PR, I feel like it’s better to do preventive work over reactive work.
Because a breach is gonna happen. No matter what, a breach is gonna happen. You don’t know when. But being prepared helps a lot. MICHAEL: Definitely, definitely. I agree. We do have a question. Somebody wanted to know, they said, how do you support employees in staying offline when they’re on PTO? I made it clear I don’t expect people to be online. But some still carry their laptops around on their days off. CHLOE: Yeah. It’s one of those things where it’s a tricky thing.
You can’t really tell them, stop responding to messages. But I have to admit, I remember last year I took my first vacation in two and a half years for one week. And the first day I was responding to emails. And then my manager is like, stop responding. You’re on your time off. I’m going start telling people to stop writing to you. It just hit me in that moment. Oh, wow. I felt like I was a workaholic in that moment. So, the trick is, when you’re talking to your employees about taking time off, remind them that is a good time to disconnect.
Meaning like, you know, this might be a good time for you to turn off your devices, get off of social media for a bit. Or just get away from InfoSec in general and don’t try to study for a cert test. Do something for yourself. I want to learn to play guitar, paint. That’s a good question. We have to be encouraging them to understand that it’s okay. We have to be reinforcing them, it’s okay for you not to respond. You’re on your time off. But do remind them that they should put in their calendar that they’re going to be away.
And also have that out of office message. And the trick for that for everyone who is concerned about that, I’m going to tell you something that’s easy to do. First thing when you’re about to take your break, make sure you have your out of message scheduled. Your message. Now, you want to make sure in there that you state one or two days after the date that you come back. So, say if you are coming back on the 14th, you’re gonna say, I’m coming back on the 16th.
This helps you so much because no one’s expecting you to respond until after the 16th then. Also on your calendar, take the whole day, the first day you come back, block it. Completely block it. Meaning no one can set up any meetings with you. You just have that day for you to respond to emails and catch up on what jobs you need to do. And when you come back on your first day, also make sure that you look at your emails, kind of get a sense of what’s going on.
But then what you’re gonna want to do is message your teammates and ask if there’s any pressing issues that you need to respond within the next 24 to 72 hours. So, then you can also draw your attention to that. This helps you be on top of everything. Gives you about two day period of catching up. And without having any impact or stress on you. MICHAEL: Very true. I personally one of my main worries when it comes to taking time off is can I afford it? You know? And questions like that.
Instead of, you know, realizing that, you know, regardless of whether I can, you know, quote, unquote, afford it, my mental health is more important because it will affect me more long term than, say, a short term problem that I could, you know, fix in other ways. CHLOE: Exactly. MICHAEL: Go ahead. CHLOE: Exactly. It’s like that completely. If we don’t take off, you’re gonna start failing a little bit more in work. And the last thing you want to do is lose your job.
So, always put your mental health first. MICHAEL: We have another one. How have you successfully communicated the value of self care business cultures to higher ups? In my experience, culture trickles down from the executive level. CHLOE: Kate, I love you. I don’t know you. I think. But I have to admit one thing to you. You are completely right. When it’s the executives, they’re the ones that set the vision. They’re the ones that dictate how it’s going to impact the rest of the company.
This is one of the reasons why I strongly believe we’ll never have DII until we have those in leadership positions filled with people that are marginalized. You’re completely right. But the good news is you have a manager. And your manager is supposed to be there to support you. And it’s so important that they support you. If you have a boss that isn’t gonna be there for you, that isn’t wanting to coach you, mentor you, and see you thrive beyond them, you have a bad boss.
I hate to break it to you. A good manager is someone who is like, so, what do you want to do for your career? Excellent. I’m gonna help you get there if you want me to help you out. You tell me what you need from me, and I will be there. That’s a manager that you want. You want a manager that understands be flexible, but also wants to see you thrive. That is the job of a boss. And they can’t really do too much other than go to the executive teams and say, hey, we have this problem.
I have been there before. I go to an executive team. We have this problem, we need to fix this. And it gets ignored because they’re thinking of profit. They have to understand that sometimes you don’t see the profit immediately. It takes time to show it. MICHAEL: Definitely, definitely agree. And, you know, when I read that question, I personally can relate to that because, you know, a lot of companies, it always you would go to a meeting, and you would hear whatever the higher ups are telling you about safety and this or that.
And, you know, and that goes, you know, for most things at businesses. But having a business that actually, you know, can reverse that process and let it flow in the other direction and pay attention to what the employees are saying and the problems that they’re having. You know, that’s that’s just as important. CHLOE: Yeah. MICHAEL: Well, that let’s see here. We… I’m trying to read through these. Yeah. It seems like a lot of people can relate to this.
And I know I know personally. Yeah, it’s a big thing. I’m one one of those people who I can’t say no. So, I end up agreeing to this and to that and to this and to that. And before I turn around, all I have are deadlines. And I look at the calendar for today and oh, no. And so, here I am at 2:00 in the morning still working. And then, oh, I’ll take a day off to catch up. Well, that day off, like you said, is meant to not work and to relax. And I just you know, I really do I really can relate.
And I feel like a lot of people in here can too. I personally have been following Chloe for quite some time now. She has a very a very avid interest in people. All people. And I really like how, you know, she goes for it and tries to not only change the opinions and the views of people that are, you know, you know, higher up in government all the way down to the average person so that we can all relate to each other and have better mental health. CHLOE: Thanks, Michael.
MICHAEL: Yeah. One last question we have is how can you set those boundaries after you have been doing it and is now and it is now expected? CHLOE: That is a great question. Hi, Miki. I would say that… that’s a really good one. I’m going to be honest. There’s going to be times when your employer is not going to be happy that you put down boundaries. But the thing is, I want you just to know that if you have other team maybes that have similar boundaries, this maybe a good thing.
Having kind of like a All Hands in for your team or having those like weekly one on ones with your manager, it might be a good time to reiterate like, hey, I just to want to let you know. When you send me a Slack message after 5 p. m. ? I’m not gonna respond to it. If it’s something urgent, I would prefer that you text me. That’s gonna let me know that I need to respond to it. Because I’m gonna be off of Slack during my off hours so I can do all the things that I want to do.
And I don’t want to be attached to my laptop. That’s kind of how the way I’ve done it in the past. Which is like I’m gonna be offline. I’m always offline at this hours. But if it’s ever an urgent thing, text me, call me to let me know. I think that’s one way we can do it. Always give them one thing to note. Like this is my this is my boundary. I’m not gonna respond during this time. But if there’s something urgent during those non work hours, you can do this instead.
I think that’s really helpful for everyone. Because let’s be real, I feel like all of us want to be off Slack and Discord for an hour because we just need to turn off our minds. MICHAEL: Yeah. Definitely. I personally have learned a lot from this. And I’m gonna try to apply a lot to them. First thing I’m going to do is get on my phone and unpin Discord and Slack. They’re pinned. I can’t turn them off. I think are we out of time? Do we have time for one more question? Or is I don’t know.
I think the cutoff is… okay, yeah. We’re out of time. CHLOE: Okay. MICHAEL: All right. If any of y’all do have any further questions for Chloe, I know she is going to be in the the Hopin in the different areas. And Chloe, maybe tell them where you’re going to be? CHLOE: I’ll check on the comments and respond in the comments. If you want, you can also DM me on Twitter, Instagram or LinkedIn. Either of those work. I’m also gonna be in the booth on and off for hacking is not a crime and for We Open Tech.
If you have questions about those two orgs, I will be in there too. MICHAEL: Thank you for showing up, all and thank you, Chloe, for the awesome conversation. CHLOE: Thank you. MICHAEL: We’ll see you later on in the conference. CHLOE: Take care, everyone! Thank you!.