Taking Care of Business

Leave a comment

I remember back in early 1996 arriving home from work and telling the future ex Mrs Langford that was going to be very busy “for the next two to three months”. There was a project going on that I decided I was going to get involved in (outside of my normal IT Manager day job) and that it was going to be good for my career. In modern parlance, I had decided to “lean in”.

Those busy two to three months ended for me on the 10th September 2017. I had pushed myself professionally as hard as I could, burnt the candle at both ends, worked long hours, was only off work sick when I euphemistically “called in dead”, accrued millions of air miles, and was ostensibly successful in my career. Without wishing to dwell here on the events of that fateful night/morning in September 2017, I had reached the end of the line; all of that work and effort had ultimately netted my severe anxiety and stress, diabetes, alcoholism, and a desire to make it all stop very violently.

All of which brings us neatly to right now. I am currently off work sick. I’m very likely to head back tomorrow 9even though I am not 100%, but boredom is a keen medicine sometimes), but I have had the best part of five working days of, plus a weekend in between. I had been feeling under the weather for about a week or so beforehand, but at about midday on my first day off I decided to just switch off my computer and go to bed, and there I more or less stayed for the best part of a week. I had tested positive for COVID, but a few days later that was now negative and I still felt like a bag of rusty spanners had taken residence in my lungs, and my energy levels were depleting like a Death Star tractor beam. Looks like I worked through a second bout of COVID and then got taken down by another virus; but those are details for me and my GP and work HR I guess.

But “SO WHAT?!” I hear you cry? Well, throughout these last few days of being off I made a conscious effort to disconnect from work as much as possible and focus on my recovery. I learnt my lesson those few years back, and realised I needed to get myself back to fitness, despite the many pressing deadlines and meetings I was missing, and the importance of the work I was doing. I focussed on myself and my health as I knew I don’t want to go back too early and jeopardise not only my health but my work performance.

And you know what? Despite everything I had experience before and told myself, I still felt guilty about taking the time out.

This shouldn’t come as a surprise to anybody, anywhere though, not least the information security industry. A few weeks ago, my good friend and all round good chap Sarb Sembhi, who along with Peter Olivier and Paul Simms authored a paper on Mental Health in Cyber Security, and of which I was asked to peer review. I will leave you to read the paper yourself, but the figures in there are both unsurprising as well as making for uncomfortable reading regarding anxiety, depression, anger, alcoholism etc..

I was asked by a client over dinner recently “what keeps you up at night?”. Obviously they were fishing for gossip/insight into the state of our joint business, but I told them that basically nothing does because after my life changing experience back in 2017, I refuse to get stressed or anxious over work matters because it simply isn’t worth it, especially as I am not CISO for something that may save/take lives. And yet here I am feeling guilty about taking maybe another day off sick, and deciding to go back even though I am still not breathing right and feeling fatigued. Surely I should know better?!

To be clear, we are (normally) compensated well and a have privileged positions at work to get the job done properly; we have responsibilities to our colleagues and to the clients and markets we support to do the right job and put the effort in, and frankly most of us even enjoy our jobs. But I can absolutely guarantee you that none of that is worth anxiety, depression, anger, diabetes, alcoholism and suicidal tendencies if that pressure to perform is maintained indefinitely.

Taking care of business ultimately means taking care of yourself first.

I am going to be at InfoSecurity Europe in a few weeks time on stage with the Sarb and Peter, authors of the above mentioned Mental Health in Cyber Security paper.

Links to other interesting stuff on the web (affiliate links)

What Exactly is the Cyber Scheme?

Solving today’s Security Challenges With Device Centric SSE

Sneaky Tricks In Enterprise Pricing

Waving, Not Drowning

1 Comment

I have just stepped off the stage at the Pulse Conferences CISO 360 Congress in Rome having presented on “The True Cost of Security, A Personal Story”, recounting my experience of poor mental health. I published my life threatening experiences in my Blog, Drowning not Waving, published a few months ago, and those of you with good memories will recall those events also took place in Rome in September 2017.

I haven’t been back to Rome since then until now to do this talk, and so I am doing so with significant apprehension and unease. It’s an odd feeling, and one I haven’t experienced since my breakdown, but it is one that I will work through and will ultimately do me good. I also have to thank the incorrigible Clive Room of Pulse Conferences for giving me the opportunity to do this talk to a significant audience, and in Rome also. Personal stories are always so much more powerful, and if people in the audience either get the help they need, recognise others in their lives who need the help they need or even just understand that it is a perfectly normal thing to go through, then it will be worth it.

It is also the last time I will be publicly talking about this topic.

I have been approached many times since my original post by people thanking me, empathising with me or generally being extremely supportive as my post had a personal impact on them in some way. In short, the response has astounded me. However, I don’t want to be known as “the mental health guy”; the point of my story is that I recovered, got better, moved on and actually came out a better person. The point of my story was that it was a transitory period of my life and not one (for me) that I have to keep going back to in order to maintain my recovery. The point of my story was to let others know that they are not alone.

Does this mean that I don’t care about this topic any more? Obviously not, and I will always be happy to engage with people about it, help and support them if needed. I am always going to “available” if that is the word, to anyone that feels I may be able to help them.

It does mean that this will be the last time I blog about it, present or appear on a panel on the subject or make any kind of public appearances or endorsements on the topic. Some of you may think this is a bit odd, or maybe even callous and cold, and I understand that. However, this is what is the right thing to do for me in my pursuit of happiness, continued engagement with the InfoSec community and growth of my own business.

To be absolutely clear though, if you want to talk/DM/email with me about this topic then please do. If you feel the need to talk about your own struggles, or think I can help, then reach out, and I will make myself available to you as best I can. Depression and alcohol dependence is a an empty and lonely place to be, and if a kind word and a smile from me will help you then then don’t hesitate. You should also speak to a mental health professional as well of course, as you would have to be very unwell to think I am your best route to happiness!

Thank you to everyone who has shown support, love, compassion, empathy and friendship since reading my story, you know who you are, and I send it all back times three thousand

RSA 2019, and women finally had to queue for the toilets…

Leave a comment

If the streets of San Francisco are becoming more cluttered as the homeless problem gets worse year after year, the conference itself seemed to take a clear shift towards a more friendly and inclusive event.

The redesign of the conference wasn’t just limited to the Moscone Centre itself. To be sure , the revised layout meant even more vendors could be squeezed in (where do they all come from?!) and we could find ourselves utterly lost on the expo floor as it was no longer clear if we were in the North or South hall, and what direction we had to walk in for the West hall when we finally emerged, blinking into the weak Californian sun.

This redesign, if it can be called that, came across to me in two distinct ways, both of which are areas that are close to me. Sure, the talks were good, the Keynotes interesting (if occasionally sponsored), and the overall organisation was excellent. But the two areas I thought that stood out were diversity and wellness.

Of course, the more cynical of us will say that it was just a move that RSA made to keep the haters quiet and the ticket sales up, but it really did feel like a corner had been turned here. That is not to say they did it first, as there are thousands of events around the world that are supporting diversity and wellness, but to see it done at this scale is what made it stand out. RSA is undeniably a commercial conference, and many parts of the infused echo chamber deride it for being so, but it is also a litmus test of how the industry as a whole is performing.

 

Group_Male_Executives1

Therefore, seeing the demise of the all male panel (or “manel” as I heard it described) and seeing broadly balance panels, and a larger number of talks fronted by women is the direction that the community has been pushing for years. It takes effort to redress a balance like this, but when it reflects is a high profile show like this the benefits are greatly increased. As a direct result of this, my unscientific method of just using my eyes showed me there was a greater number of women attending as well. (I think I even saw a queue for the ladies toilets at one point as well – now if that isn’t scientific proof i don’t know what is). This greater balance is better for all of us in this industry, however you look at it.

As for wellness, I counted at least three sessions on the impact of infosec on mental health, including one keynote. I was informed just today that a straw poll found that 14% of CISOs found the stress of the job “unbearable and unsustainable”, and the associated decline in mental health a very real cause for concern. Our toxic mixture of being measured on failure and the requirements for us to 24×7 “keep secrets” means none of this reported or addressed, and people are suffering. Seeing this addressed by senior and well known people in the field in an open forum can only mean good things and result in better health overall.

Let’s be clear, diversity and wellness are still in the early stages of being addressed, but being addressed they are, and if more shows and conferences like RSA can continue to push the agenda, then the information security industry will become a friendlier place.

Let’s not forget (Will) Wheaton’s Law that applies to all of us here, and a mantra to live your personal as well as your professional life by:

“Don’t be a Dick”.

I was also involved in some media coverage, mainly because of the very fine folks at ITSP Magazine. I helped with a daily wrap up report and an end of show report as well. You will not I hope, dear reader, have missed the quite excellent T-shirts I happen to be sporting…

Thursday’s update was so good, we even did it twice ; if you ever get to meet Sean you can ask him why…

Selena, Marco and Sean did a fantastic job summarising every day, as well as carrying out a slew of other interviews and update. Please do check out their magazine and subscribe, i promise you won’t be disappointed.

I also did an interview with Matthew Schwartz of ISMG, under thier Bank Info Security brand. It focussed on wellness and mental health, and has yet to be published (if at all). This was an interesting choice for me as I do not wish to become the poster boy for this topic, but given the wholly positive response I have recieved from people who not only are affected by the issues I raised, now feel “safe” to talk about them, it is hard to not talk more about it. I have no doubt I will be talking more on this, so I guess i will have to hone the message more to not just get the point across but also avoid being placed in this niche itself.

Hopefully that interview will surface as Matthew is a wonderful interviewer and friend, and he helped tell the story in a very compelling and sensitive way.

Finally, i had the opportunity to knock around RSA with my old mucker Javvad. We absolutely did not plan any filming, and I absolutey did not help him script his film, or even hang around hoping to be filmed. But as luck would have it I happened to be in the right place at the right time to be interviewed.

In it I opine about the huge amounts of negativity aimed at vemndors during RSA, even hearing some commentators refer to it as a “vendor wank-fest” which is both disingenuous and frankly a somewhat disturbing image to conjur up. I will leave you to watch Javvad’s thoughtful film on the topic of vendors, suffice to say that without them we wouldn’t have half of the community we have now.

And then the week was over in a flash. Diversity, wellness, toilets, faulty microphones, vendors and filming, all wrapped up in a blog post, films and a bunch of fun memories.

<edit> Typos

Drowning, Not Waving…

5 Comments

Last week I attended The European Information Security Summit 2019 and spoke on the closing keynote panel at the end of the second day. The topic was “Unacceptable personal pressure: How senior Cyber Security Executives safeguard their own mental health, and those of their teams”, and as a panel we were surprisingly open about our experiences. Afterwards a number of people spoke to us about how pleased they were that we had been open and honest about a subject that is so often swept under the carpet as too difficult to deal with or just plain embarrassing. I have also seen the LinkedIn articles written since get a huge amount of traction with every comment a positive and supportive one.

I briefly told my story last week, and so have decided to elaborate a little more to a larger audience here. This is not meant to be virtue signalling, or jumping on the bandwagon, but rather a message to everyone out there who has suffered in silence and felt they were the only one with these feelings. These are the “highlights”, and some parts of the story are just between me and, well me, but I am sure this will paint the correct picture.

My last role was challenging to say the least; as a  newly minted CISO I was tasked with building a security team from the ground up (again) in a large global organisation that was as politically charged as it was not interested in security. We did well, growing to over 60 people at last count before I left, and were considered a high performing team who collaborated and never said no. People enjoyed working with us and we took on more and more work and constantly delivered.

The cost though was an intense environment where my main role was PowerPoint and politics, and constant air support for the team. Combine a tough travel schedule and the global, always on element, I never truly switched off. That said, one of my mottos was “Work Hard, Play Hard” so evenings with teams, internal clients and their customers in different countries were long, hilarious and helped us bond even closer to perform even better. Frankly it was exhausting and my sleep suffered.

So I did what every self respecting professional does, and started to self medicate with alcohol. It was, for the most part free from British Airways and Hilton, or on expenses (see above). It wasn’t a problem as I had a good tolerance, was a happy (maybe even hilarious) drunk, and while stupid things were done, it only bought us closer and more effective as a team.

And it wasn’t a problem for a number of years… until it suddenly was.

2017 was a very difficult year for me. In that year I drank almost every single day to excess as a result. I would get up in the morning and carry on working until the end of the day and I would start again. I wasn’t an alcoholic as I didn’t need to drink 24 x 7, so that was OK. I also managed to spend thousands of my own money on nights out with friends and team mates, pushing myself seriously into debt. My anxiety, stress and depression were getting worse, but I was able to medicate for that myself, so no problem.

Then came Rome. I will save you, dear reader, from the gory details, suffice to say that at 5am on a Monday morning at the end of September I found myself at the top of a building incoherent with emotion, raging at the universe, and willing myself to jump off. I had lost my third phone that year from the nights entertainment, had driven myself further into debt and I just couldn’t do it anymore.

Thankfully, an ambulance turned up, I was talked down, hospitalised for a few hours and then discharged. With no phone, in a foreign country, no idea of where my hotel was or where I even was, I managed (in a complete blur) to get back to the hotel, call my wife, get to the airport and get home only to spend the next four weeks in the care of the NHS and my family, and off work.

The irony of my situation wasn’t lost on me; here I was, a successful, well paid, C-Level Executive, ostensibly well known and regarded in the industry, and I am clinically depressed and suicidal. Therefore to say I was scared, lonely and emotional would be an understatement, and I decided to make some changes in my life.

Two of those changes are of direct relevance here;

  1. I stopped drinking alcohol. I was classed as a Non-Dependent Alcoholic and as a result was tasked with cutting down my intake dramatically. I decided to stop entirely, a choice I would have considered unthinkable, even laughable, just a few months before. I haven’t drunk alcohol since, not because I can’t allow myself to, but because it simply isn’t an important part of my life now.
  2. I decided to be more open about my mental health issues with not only my family, but my friends and work colleagues, and address them proactively.  I was not going to be defined by this event and lifestyle change, and I also wasn’t going to be held to ransom, mistakenly or maliciously, by the events I have just disclosed above. I have yet to discover anyone who I confided in who was at the very least supportive, if not understanding, be they family, friends and especially my team.

There is of course a damn good reason why I am sharing this with you. What follows is my takeaways for everyone who read the above and felt it resonated with them even just a little.

  1. Alcohol is a bad way to treat yourself for anything longer than a few days. Talk to a doctor or therapist sooner rather than later and save yourself a life threatening event to wake you up.
  2. There is no stigma in sharing your mental health struggles. I am constantly amazed at the overwhelmingly positive response from everyone I talk to about my personal experiences. If your friends and colleagues are not supportive of you, perhaps you should question why you are in the state of mental decline in the first place.
  3. If you work for a good company, and/or have a good team, your time out of the office will be dealt with and accommodated for allowing you to recover. When you come back, you will do so with more energy and vigour than most other members of the team. If you are not being supported, see point 2.
  4. If a member of your team is struggling, you don’t actually have to do much to help. Communicating to them that they should take whatever time they need to address their issues, and not asking questions is all that is needed. If your team can’t take up the slack, then how are they going to cope during an incident anyway?
  5. Be supportive if you can; it is difficult, but even small gestures like gifts of tea and chocolate (you know who you are…) or staying in touch over instant messenger to make sure someone is OK is also a great way to show your support. Humour helps too.

I’m going to close this with a call to action. This isn’t some virtue signalling programme that I will front up on Twitter and Facebook, but rather a call for everyone to include mental health topics in their team meetings, their management reports and metrics, as well as face to face meetings. The financial losses to our industry are probably staggering because of mental health issues, so we should be tracking and probing on it in our organisations as much as gender or racial diversity.

I want to reiterate, again, that if you are feeling it, someone else is feeling it too. Now you know what I have been through, I hope it means you now you have someone you can reach out to as well, or have to courage to seek help and support when before you didn’t.

As for me, I have never been better these last 18 months or so. I sleep better, I work better, I manage stress better, and I am pretty sure my jokes are better too. Therefore, I leave you with this unattributed quote:

I wouldn’t recommend suicide, it’s bloody dangerous. I nearly killed myself…

 

Note: I am going to be at the RSA conference in San Francisco in a 
couple of weeks time, as well as at a variety of other conferences 
over the coming months. Please do say hello and let me know your 
thoughts on this topic. Should it be as mainstream as I suggest, 
or should we just stick with the stiff upper lip approach?
Can and should we be doing something else?