Do I Actually “Do” Anything?

By Allison Henry. (Originally posted in Medium, September 16, 2020.) A few months ago my daughter was working on a school assignment involving career exploration, and as part of her research she asked me, “Mom, what do you do at work?”

Feeling very important I answered, “I’m a Chief Information Security Officer, so I’m responsible for protecting all the computers on the UC Berkeley network from hackers.”

“Okay I get that, but what does that mean? What do you actually DO when you’re at work?”

That took some thought. Long gone are the days when I was writing scripts to process IDS alert output files, or running NMAP scans for unauthorized telnet services, or uploading samples from compromised workstations to virustotal. I thought a bit about my daily work and then answered honestly, “Well, I go to meetings and I write emails.”

“Oh,” she replied in a tone heavy with disappointment, “That sounds really boring.”

Boring? There are many words I might use to describe my job — stimulating, challenging, frantic, stressful, and a couple others I’ll leave out to keep this family-friendly — but boring isn’t one of them. And yet even to me, talking to people and writing emails all day sounds…well, pretty boring. After the conversation I was left wondering, is it actually boring and I just don’t realize it? Do I actually “do” anything, anymore? With this opportunity to analyze a day in the life of a CISO, I decided to take a closer look at my daily work to find out.

Early Morning

I’m a naturally early riser (no alarm needed), and I’ve found that sunrise is a great time to get through my email backlog, before the work day unleashes a fresh torrent of urgent requests. On this Tuesday I woke up at 5am, got the coffee brewing while reading through the morning news, and browsed my schedule for the day. By 6am with coffee on board, I dove into my inbox and spent an hour on the “boring” task of writing emails. But is “writing emails” really the best way to describe my morning’s work? Taking a closer look at the hour, I found I was actually:

• Sharing approaches to vendor risk management with colleagues at other campuses
• Reviewing and responding to feedback on our draft Incident Response Plan
• Developing a communications strategy for implementing changes to passphrase requirements

After finishing up with email and coaxing my daughter out of bed for another day of distance learning, I headed to the pool for a morning swim workout. In the times of COVID I spend more time driving to the only pool where I can get a lane reservation than actually swimming, but exercise is important to me so I take what I can get.

Morning

Showered from the pool and back in my home office, I started in on the daily schedule of Zoom calls. Like most days, every time block from 9 to 5 was occupied by a scheduled meeting, with only a few short breaks to grab water and snacks, visit the bathroom, and check in on my kid (who is most likely back channeling with her classmates on Discord instead of paying attention to her teachers’ talking head in the Zoom window).

This morning I had three meetings before the lunch hour, covering topics such as implementing our new information security policy framework, coordinating next steps for updates to our Minimum Security Standards. Does that sound boring? Okay maybe a bit, and I will admit to multi-tasking at times when I checked the inbox messages piling up during these calls. But when I examined the outcomes from my Tuesday morning calls more closely, it looked a lot more interesting:

• Crafting our unit assessment surveys so that we are collecting enough information to adequately identify key risk areas, without overburdening security leads with unfunded mandates and generating resistance and push-back
• Brainstorming ways to best identify and outreach to campus officials with sufficient budget authority to address information security risk
• Optimizing word choices for inclusivity in our job posting language, so that our security positions attract a higher percentage of diverse candidates

Lunch

My lunch hours are typically occupied with one (or more) of these three activities: 1) social Zoom lunches with colleagues, 2) webinars/threat briefings/lunch-and-learns, 3) last-minute Really Important Meetings where lunch was the only available time. On this Tuesday it was a threat briefing, which I tuned into while upping my daily step count on the treadmill — one of the advantages of working from home during the pandemic.

Afternoon

I rounded out the afternoon with another series of meetings, including a community engagement for identity management services, weekly team meetings and check-in conversations, and drafting responses to audit findings. Afternoons grow long and tiring, with the lack of adequate climate control in my home office keenly felt as the afternoon warms up (no chance of opening a window with the current wildfire smoke situation.) Despite the difficulties in maintaining focus through a long and hot afternoon, I took some time to look past the monotony of being stuck in one place and reflected on the afternoon’s accomplishments:

• Building stronger relationships with the consumers of our identity management services, through both open communication and occasionally exchanging jokes through Zoom private chats
• Connecting with key partners across the campus and offering insights on the challenges they face, including securing symptom tracking/testing data analytics platforms and engaging with external vendors to increase revenue during challenging budget times
• Working with Internal Audit on MCAs for audit findings based on…okay I’m giving up on making this one sound interesting. Sometimes the job really is tedious and boring!

Late Afternoon (Happy Hour)

Once I make it to 5pm and scheduled meetings have concluded for the day, I like to take another hour to finish off correspondences and other tasks that I couldn’t get through during the daily Zoom Parade. Unlike the early morning hour, I select the most pleasant and enjoyable activities for my late afternoon Happy Hour, perhaps including a refreshing beverage for gin o’clock. The work might include catching up with a colleague I respect and admire but have neglected to stay in touch with, sharing my opinions on controversial issues, or on this particular Tuesday, analyzing a day in the life of a CISO and sharing these musings with whoever might happen to stumble upon them.

Looking at my daily work from this alternative perspective, the outcome rather than the actions, has helped me reconnect with what I find most stimulating and energizing about my work. It might not be the movie image in my daughter’s head — her mother as a hooded figure hunched over a glowing terminal screen and frantically typing to stay ahead of the adversaries — shattered when I explained what I’m really doing in my office all day. But despite the lack of theatrics, it’s a rewarding career that offers daily challenges, a meaningful purpose, and authentic human connection. In these unusual times, I find that’s more than enough for me.

Reposted with permission from Medium, which is edited by Mike Corn, CISO at UC San Diego.