Compliance Leader Burnout: Causes and Fixes

Terry O'Daniel
April 10, 2024


Picture this: You’re fast asleep, but your mind is on a journey. In your dream, the president of the world has asked you to broker an agreement between 7 nations. You walk into the massive conference room and start to talk, but the confused looks stop you. Then you realize there are no interpreters. No one understands you. You can’t possibly succeed.

You wake up, relieved it was just a nightmare. Then the truth hits you. You’re a security Compliance leader. That nightmare is your reality.

Welcome to Compliance leader burnout.

What is Compliance Leader Burnout?

So what is burnout? According to the Mayo Clinic, it is “a state of physical or emotional exhaustion that also involves a sense of reduced accomplishment and loss of personal identity.” Over the course of my nearly 2 decades in Compliance, this is an issue I've seen across all sectors of Compliance, not just security Compliance. And if you’re a Compliance leader feeling burned out, you probably have some idea what’s behind it, even if you’re not sure how to approach it.

Common reasons for Compliance leader burnout:

  • The tech people consider you an intrusion.
  • You don’t speak the language of the people you interact with.
  • Leadership blames you for failures but doesn’t value your contributions.

Let’s delve into these and figure out a cure.

The tech people consider you an intrusion

We have all heard about CISO burnout; the average life cycle of a CISO is around 18 months. The CISO is held responsible when security is breached. Even if the incident was unforeseeable. That’s rough. But the CISO can be the hero, too, as they are the one who saves the company when a security breach arises. Then they get a sports-drink shower plus a ride on their colleagues’ shoulders through a ticker-tape parade.

The Compliance leader is never the hero. To the average long-suffering tech employee, you’re the one who keeps coming back with complaints and changes, who throws them into exhausting meetings with auditors. And then what happens? They do all the work, and you get the thanks for passing the audit. (Although you don’t. Leadership thinks you just did your job.)

You don’t speak the language of the people you interact with

Another contributing factor I've noted is that Compliance leaders often suffer from imposter syndrome. I often say that my job is to be the hub of the wheel. I have to have knowledge of an insanely wide area, and it has to be deep enough to hold conversations with the subject matter experts in those areas. So a good deal of my function is translating between very different perspectives.

As a Compliance leader trying to speak to everyone’s specialty fluently, it’s likely that the finance people, engineering department, and tech specialists may grow frustrated that you aren’t an expert in their particular area. But it’s not humanly possible for you to be an expert in every area of the business. And that can become a cause of tremendous frustration.

Business leadership blames you for failures but doesn’t value your contributions

When it comes to the typical CISO, no matter how good, something is going to happen, and they are going to get blamed. But this is even worse for Compliance leaders. There’s an inherent tension over the fact that you are considered responsible for Compliance: get the certifications/reports, keep them updated, don’t fail the audits, etc. But you actually have almost zero control over whether that happens. I can do everything I want to: remind people, make it easy for them, collect the evidence automatically. Then one control owner fails a critical control, we fail the audit, and everyone says, ‘Why didn’t the Compliance people do their job?’

So you’re responsible for everything, but at the same time, you lack the metaphorical levers and dials that can be adjusted to make anything happen.

Fixes for Compliance Leader Burnout

Compliance leader burnout can result when you don’t have control—but you’re blamed—and you’re perceived inaccurately. If, however, you are properly valued by leadership and throughout the company, you can increase your control over the work you’re responsible for. And this can help change people’s perception of you.

How to do this:

  • Get a seat at the table
  • Deliver operational value to the company
  • Align your goals with those of the departments you interact with

Get a seat at the table

By building a partnership with senior management, you begin to establish the clout needed to be included in conversations affecting Compliance. Ideally, company leadership should include your input on any significant proposed business change.

Deliver operational value to the company

If you are merely perceived as the person who gets certifications, you’re limited in value.

Here are some ways to change that:

- Use data-driven, automated tools - Reduce the human error factor and everyone wins. By pulling data from primary sources using automation, you’ll be alerted to issues quickly.

- Filter data to signal possible trouble - Having a ton of raw data isn’t necessarily helpful on its own. What’s needed instead is a way to find the outlier cases deserving of human eyes. Using automated tools to filter data, you can create signals that provide early warning that something is not working, not just from a Compliance perspective, but for things which are operationally important to the company. Your team can then sift through these and determine which deserve further investigation.

- Use risk as a decision-making tool - Hyper-growth companies often hesitate to record risk. Over the course of my career, I've seen how companies are better off when they note risks and show how they prioritized them. So determine risks and prioritize them using risk quantification methods that put a dollar value on what’s at stake. Then take your recommendations to leadership, and they can then decide which risks are worth their attention and funding. You can’t mitigate every possible risk, but you can make the company think about the ones to focus on. You’re awesome!

Align your goals with those of the departments you interact with

Cooperation tends to work better than confrontation. Some ideas:

- Provide context, not control - An engineer may not care why something is considered a financial reporting risk for SOX, but they will understand there’s a risk in giving elevated access to people who don’t need it. Finding a way to speak the same language can give you better controls than just bothering people once again for screenshots.

- Exhibit empathy - Recognizing the pressure faced by stakeholders can go a long way. By being empathetic to their needs and schedules, you’ll show that you value their efforts, which breeds mutual respect and understanding. Acknowledge how busy they are, and try to accommodate their schedules, instead of slamming down deadlines.

- Cultivate a non-FUD culture - Getting employees to take Compliance seriously by sowing FUD—Fear, Uncertainty, and Doubt—is a losing game. The modern approach is a corporate culture that recognizes every individual is a “Compliance representative.” That is, it’s everyone’s responsibility to follow recommendations, implement appropriate controls, track them, and cooperate as necessary. And everyone deserves a shoutout when the company gets a new ISO certification or SOC 2 report, because they all played a part.

Ease Burnout, Work Happier

Compliance leader burnout is a real thing, but there are ways to counter it. When you have a say in decisions that affect your work, and when you deliver operational value to the company, management will recognize the value of your contributions. And when you take into account the goals of departments you rely on, they’ll help make your job easier and more productive.

It’s one of those too-rare win-wins: you can be happier and do better work by showing the importance of Compliance to the business as a whole.

(The views and opinions expressed here are the author's own and do not represent the views of his employer.)

Terry O'Daniel
Terry O’Daniel leads Security & GRC at Amplitude. His specialty is building teams focused on applying technology to solve GRC problems at scale via automation and instrumentation rather than compliance-by-spreadsheet. Prior to Instacart, Terry built the Security Assurance function at Netflix, the 2LOD Technology Risk & Compliance functions at Salesforce, and the GRC function within Production Engineering at Yahoo! In his spare time, he enjoys music, fencing, and gaming with his daughters.