Picture this: You’re fast asleep, but your mind is on a journey. In your dream, the president of the world has asked you to broker an agreement between 7 nations. You walk into the massive conference room and start to talk, but the confused looks stop you. Then you realize there are no interpreters. No one understands you. You can’t possibly succeed.
You wake up, relieved it was just a nightmare. Then the truth hits you. You’re a security Compliance leader. That nightmare is your reality.
Welcome to Compliance leader burnout.
So what is burnout? According to the Mayo Clinic, it is “a state of physical or emotional exhaustion that also involves a sense of reduced accomplishment and loss of personal identity.” Burnout is an issue across all sectors of Compliance, not just security Compliance. In fact, in 2021, 59% of corporate Compliance officers reported burnout with 72% of banking Compliance professionals reporting burnout. If you’re a Compliance leader feeling burned out, you probably have some idea what’s behind it, even if you’re not sure how to approach it.
Let’s delve into the causes and figure out a cure.
CISO burnout is clearly a reality: the average tenure of a CISO is around 18 months. The CISO is held responsible when security is breached, even if the incident was unforeseeable. That’s rough. But the CISO can also be the hero, the one who saves the company when a breach arises, and then gets a sports-drink shower plus a ride on their colleagues’ shoulders through a ticker-tape parade.
The Compliance leader is never the hero. To the average long-suffering tech employee, you’re the one who keeps coming back with complaints and changes, who throws them into exhausting meetings with auditors. And then what happens? They do all the work, and you get the thanks for passing the audit. (Although you don’t. Leadership thinks you just did your job.)
Terry O’Daniel, who leads Governance, Risk, and Compliance within Infrastructure Engineering at Instacart, asserts that Compliance leaders often suffer from imposter syndrome. “I often say that my job is to be the hub of the wheel. I have to have knowledge of an insanely wide area and it has to be deep enough to have conversations with the subject matter experts in those areas. So a good deal of my function is translating between very different perspectives.”
As a Compliance leader trying to speak everyone’s specialty fluently, you’ll find that finance, engineering, and technical specialists can grow frustrated that you aren’t an expert in their particular area. But no one can be an expert in every area of the business, and that gap can become a cause of tremendous frustration.
Something will eventually go wrong for even the best CISO, and they will get blamed. But this is even worse for Compliance leaders. “There’s an inherent tension over the fact that you are considered responsible for Compliance: to get the certifications, keep them updated, don’t fail the audits, etc.,” says O’Daniel. “But you have actually almost zero control over that happening. I can do everything I want to…remind people, and make it easy for people, and collect the evidence automatedly—and then one control owner fails a critical control and we fail the audit, and everyone says, ‘Why didn’t the Compliance people do their job?’”
So you’re responsible for everything, but at the same time, you lack the metaphorical levers and dials that can be adjusted to make anything happen.
Compliance leader burnout can result when you don’t have control—but you’re blamed—and you’re perceived inaccurately. If, however, you are properly valued by leadership and throughout the company, you can increase your control over the work you’re responsible for. And this can help change people’s perception of you.
How to do this:
By building a partnership with senior management, you begin to establish the clout needed to be included in conversations affecting Compliance. Ideally, company leadership should include your input on any significant proposed business change.
If you are merely perceived as the person who gets certifications, you’re limited in value. Some ways to change that:
- Use data-driven, automated tools - Reduce the human error factor and everyone wins. By pulling data from primary sources using automation, you’ll be alerted to issues quickly.
- Filter data to signal possible trouble - O’Daniel cautions that having “a ton of raw data” isn’t helpful. What’s needed instead is a way to find the outlier cases deserving of human eyes. Using automated tools to filter data, you can create signals that provide early warning that something is not working, not just from a Compliance perspective but also for things that are operationally important to the company. Your team can then sift through these and determine which deserve further investigation.
- Use risk as a decision-making tool - Hyper-growth companies often hesitate to record risk. According to O’Daniel, companies are better off when they note risks and show how they prioritized them. So determine risks and prioritize them using risk quantification methods that put a dollar value on what’s at stake. Then take your recommendations to leadership, and they can decide which risks are worth their attention and funding. You can’t mitigate every possible risk, but you can make the company think about the ones to focus on. You’re awesome!
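As an added example (not code from the original article, from Instacart, or from any GRC product), here is a small Python pass that does what the three points above describe: it reduces a constructed export of privileged-access grants to the outliers that deserve human review, counts them so the signal can be trended week over week, and ranks a constructed risk register by annualized loss expectancy and the net benefit of each mitigation. Every row, role name, dollar figure, threshold and report date is invented for illustration.

```python
"""Control-monitoring pass: primary-source evidence -> outliers -> ranked risks.

Added illustration; not code from the article, Instacart, or any real product.
All evidence rows, dollar figures and thresholds are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed primary-source evidence: one row per access grant, in the shape an
# identity-provider or cloud-IAM export would give you (hypothetical data).
EVIDENCE = [
    {"user": "alice", "role": "prod-admin",    "last_used": "2024-05-28", "mfa": True,  "ticket": "CHG-101"},
    {"user": "bob",   "role": "prod-admin",    "last_used": "2023-11-02", "mfa": True,  "ticket": "CHG-077"},
    {"user": "carol", "role": "billing-admin", "last_used": "2024-05-30", "mfa": False, "ticket": "CHG-119"},
    {"user": "dave",  "role": "prod-admin",    "last_used": "2024-05-29", "mfa": True,  "ticket": None},
    {"user": "erin",  "role": "read-only",     "last_used": "2023-01-15", "mfa": False, "ticket": None},
]
PRIVILEGED_ROLES = {"prod-admin", "billing-admin"}  # hypothetical role names


def find_outliers(records, as_of="2024-06-01", stale_days=90):
    """Reduce raw evidence to the rows that deserve human eyes.

    Returns (user, role, reason) tuples. A privileged grant is an outlier when it
    has not been used within stale_days, lacks MFA, or has no approval ticket.
    Non-privileged grants are skipped: they are not what this control is about.
    as_of is the constructed report date (ISO string).
    """
    report_date = date.fromisoformat(as_of)
    findings = []
    for r in records:
        if r["role"] not in PRIVILEGED_ROLES:
            continue
        last_used = date.fromisoformat(r["last_used"])
        if report_date - last_used > timedelta(days=stale_days):
            findings.append((r["user"], r["role"], "stale elevated access"))
        if not r["mfa"]:
            findings.append((r["user"], r["role"], "privileged role without MFA"))
        if not r["ticket"]:
            findings.append((r["user"], r["role"], "grant has no approval ticket"))
    return findings


def summarize(findings):
    """Count findings per reason so the weekly signal can be trended, not just read."""
    counts = defaultdict(int)
    for _, _, reason in findings:
        counts[reason] += 1
    return dict(counts)


# Constructed risk register. sle = single loss expectancy in dollars, aro =
# expected occurrences per year, mitigation_cost = annual cost of the fix,
# reduction = fraction of the expected loss the fix removes. Hypothetical numbers.
RISK_REGISTER = [
    {"risk": "stale admin account used by attacker", "sle": 400_000, "aro": 0.125, "mitigation_cost": 15_000, "reduction": 0.75},
    {"risk": "billing data altered without MFA",     "sle": 250_000, "aro": 0.25,  "mitigation_cost": 5_000,  "reduction": 0.75},
    {"risk": "unapproved change breaks SOX control", "sle": 80_000,  "aro": 0.5,   "mitigation_cost": 30_000, "reduction": 0.5},
]


def annualized_loss_expectancy(sle, aro):
    """Classic quantitative risk figure: ALE = SLE * ARO."""
    return sle * aro


def prioritize(register):
    """Rank risks by the net annual benefit of mitigating them.

    net_benefit = ALE * reduction - mitigation_cost. A negative value means the
    fix costs more than the loss it prevents, which is a legitimate reason for
    leadership to formally accept the risk instead of funding the control.
    """
    ranked = []
    for item in register:
        ale = annualized_loss_expectancy(item["sle"], item["aro"])
        net = ale * item["reduction"] - item["mitigation_cost"]
        ranked.append({"risk": item["risk"], "ale": ale, "net_benefit": net, "fund": net > 0})
    return sorted(ranked, key=lambda x: x["net_benefit"], reverse=True)


if __name__ == "__main__":
    findings = find_outliers(EVIDENCE)
    for user, role, reason in findings:
        print(f"REVIEW {user:6} {role:14} {reason}")
    print("signal:", summarize(findings))
    for row in prioritize(RISK_REGISTER):
        print(f'{row["risk"]:42} ALE=${row["ale"]:>9,.0f} net=${row["net_benefit"]:>9,.0f} fund={row["fund"]}')
```

Of the five constructed grants, only the three privileged outliers reach a human; the read-only account with no MFA is noise for this control and is filtered out. The ranking deliberately surfaces one risk whose fix costs more than the loss it prevents; presenting that to leadership as a candidate for formal acceptance is as much “using risk as a decision-making tool” as funding the top item.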
Cooperation tends to work better than confrontation. Some ideas:
- Provide context, not control - An engineer may not care why something is considered a financial reporting risk for SOX, but they will understand there’s a risk in giving elevated access to people who don’t need it. Finding a way to speak the same language can give you better controls than just bothering people once again for screenshots.
- Exhibit empathy - Recognizing the pressure faced by stakeholders can go a long way. By being empathetic to their needs and schedules, you’ll show that you value their efforts, which breeds mutual respect and understanding. Acknowledge how busy they are, and try to accommodate their schedules, instead of slamming down deadlines.
- Cultivate a non-FUD culture - Getting employees to take Compliance seriously by sowing FUD—Fear, Uncertainty, and Doubt—is a losing game. The modern approach is a corporate culture that recognizes every individual is a “Compliance representative.” That is, it’s everyone’s responsibility to follow recommendations, implement appropriate controls, track them, and cooperate as necessary. And everyone deserves a shoutout when the company gets a new ISO or SOC 2 certification, because they all played a part.
Compliance leader burnout is a real thing, but there are ways to counter it. When you have a say in decisions that affect your work, and when you deliver operational value to the company, management will recognize the value of your contributions. And when you take into account the goals of departments you rely on, they’ll help make your job easier and more productive. It’s one of those too-rare win-wins: you can be happier and do better work by showing the importance of Compliance to the business as a whole.