Being a CISO is a highly stressful role. In fact, 90% of CISOs would take a nearly 8% pay cut for a better work-life balance. And a recent British 4-day work week trial resulted in employees experiencing a 54% decrease in “work-family conflict”.
So could the 4-day work week be the answer to cybersecurity leaders’ work-life balance woes? Is anything other than the usual 9-5 norm even possible in the cybersecurity space?
I wanted to know what others thought, so I asked my LinkedIn audience. 76% agreed that it was feasible to implement a 4-day work week in cyber with the right planning. But what might that planning look like in altering the hours of a role that has historically been “always on”?
Will a 4-day work week set more compassionate cyber-employers apart? Or will it just make CISOs more stressed when they’re on the clock? Is the appetite for a shorter week just as prevalent in the US as was proven in the UK? Time to explore.
Before we look to the potential future of a 3-day weekend, we need to refamiliarise ourselves with the status quo.
Any kind of exploration into working conditions needs to be assessed within the context of the role’s entire compensation. So let’s take a look at what CISOs can currently expect to receive in return for their efforts.
The majority of “knowledge worker” roles can be carried out remotely nowadays, and those in cybersecurity – especially leadership – are no exception. In our experience, CISOs are just as likely to work on a remote or hybrid basis on both sides of the pond.
However, the current state of US broadband connectivity may force some American CISOs into the office. British broadband connectivity is OK, but still lags behind many of its Western European neighbours (paradoxically, those European neighbours also include British dependencies like Jersey, the Isle of Man, and Gibraltar!).
These are commonly given on both sides of the pond. Not only does it help the CISO make their way to the office, it also means the CISO is more able to provide actual boots on the ground in the case of a cyber-emergency.
However, car-related benefits may be more essential in the US. Depending on where you are and where you need to go Stateside, public transportation may simply not be an option. Given the size of the country and that train and airport infrastructure varies heavily throughout, it’s often simpler and cheaper to just drive; even if it’s a 10-12 hour round trip. No big deal to an American, but a truly daunting slog for a Brit!
The downtime that CISOs get can vary wildly depending on which side of the Atlantic they are on. In the US, there is no federal law determining minimum annual leave – it is largely left down to states’ or even individual businesses’ own discretion. Many organisations work on a basis of around 2 weeks annual leave, regardless of your seniority within the company.
Compare this to the UK, where 5.6 weeks leave is the legal minimum for most workers, though top level leaders generally get given more than this.
It’s more common in the US to receive company shares or stock options, but it is something that is slowly gaining momentum in the UK too. Having stocks in the company you work for provides a great incentive to do your best work, because after all, when the company does well, your stocks increase in value. It also contributes to employees’ sense of being a part of something together with their colleagues.
Some companies like spreading out shares like this as it helps spread some of the financial risk in those crucial, initial few years. It could also provide a real nest egg for those employees if things go well (that’s not business or financial advice though!).
Both US and UK CISOs can expect generous health insurance benefits as part of their employment. Understandably this is more essential in the US which doesn’t benefit from a service like the UK’s NHS.
Some level of pension contribution can be expected on both sides of the pond. Both sets of pension systems are far too complex to navigate here, but a CISO can pretty much depend on an employer contributing to their old age.
So now we understand what CISO worker compensation generally looks like, let’s dive into the next possible perk on the table: the 4-day week…
When looking into a 4-day work week online, you can’t go far without bumping into chatter about the UK’s 4-day week pilot programme. For a 6 month period between 2022 and 2023, 61 British companies across various verticals experimented with working a 4-day week. This looked different between organisations – some had full fifth-day stoppage, some took a staggered approach (so there is always someone in the office across opening times), and others took a more blended or even an annual approach.
The findings are astonishing, yet not overly surprising:
It’s truly groundbreaking stuff. And there’s evidence that there’s appetite for a 4-day work week in the US too, with Robert Half reporting that 93% of US managers support the idea. But will it ever work in cybersecurity?
The answer to this is… complicated. To me, this sounds like the key to helping overworked CISOs redress their work-life balance and better look after themselves. But other than that, there are four things that immediately spring to my mind when the topic comes up.
This is the big one. Despite all of the buzz around staff shortages in cybersecurity, I and my fellow cybersecurity staffing experts have noticed that employers are still largely able to call the shots when bringing on new staff – for the time being, at least. There’s a real sense that it’s still a buyers’ market for these employers and that they have their pick of talent. The recent, highly publicised tsunami of tech layoffs probably hasn’t helped this situation.
In an industry that is acutely aware of working smarter, not harder with the help of tech, there are undoubtedly countless tech organisations out there who have taken notice of the 4-day week pilot’s findings. Some firms like DNSFilter have been working alternating 4-day weeks since 2021! And one Reddit thread shows that cyber workers throughout the org chart are already working some manner of 4-day work week (10 hours a day, 4 days a week seems to be popular).
But the 4-day work week is still the exception, not the norm. It’s still a novelty – and one that we’re sure more hardline employers have had a considerable knee-jerk reaction to. These dyed in the wool, 5-day-weekers may only consider
using a 4-day work week as an added perk or incentive in line with some of the others listed above. But if they’re also of the mind that cyber staffing is a buyers’ market, why bother with new incentives? Especially ones they may see as a bit of a media “fad”?
The 4-day week is a polarising issue for many, so more work and campaigning will be needed before it becomes an expectation rather than the exception.
You can’t go far online lately without bumping into news of some new AI advancement or a think-piece about ChatGPT. And naturally, automation and AI-driven tools are being touted as the next big solution to help give those in cybersecurity a much needed break.
I totally agree that automation and AI could prove a positive boon for overworked cybersecurity personnel. Issues like alert fatigue, burnout, worries about personal responsibility, and the sense of “always looking over your shoulder” can be considerably mitigated by automation, AI, and machine learning.
However, here’s the “but”. These tools are incredible for your hands-on cybersecurity staff. Operational teams will likely see great improvements to their productivity by using tools like these. But how will that shake down – or perhaps, more accurately, up – to higher management? You can’t automate the leadership skills needed to keep a whole company safe of cyber threats. You can’t use AI to steer a whole company through a serious security incident. Not yet anyway.
Sadly this leaves cyber leaders back at square one.
I believe that a 4-day work week in cyber leadership is possible. But it requires a lot of careful thought and preparation (and it seems my LinkedIn network would agree). Most of the time, and especially in more hands-on roles, moving from an 8-hour, 5-day model (5×8) to something more like a 10-hour, 4-day(4×10) model is just the easy part.
The things that companies will have to consider more carefully is how to navigate the minefield of CISOs and other senior cyber leaders “being on call” or “on duty” should a cyber-disaster strike overnight, or even on the day they are supposed to be strictly off-duty.
Most CISOs dread receiving that call at midnight on an idle Saturday; the one that means they have to suit up and wade into a mid-crisis SOC, though many consider these to be mere occupational hazards of being a cyber leader. Will these more “on call” senior roles move to more of a “work whatever hours you want, as long as your objectives are met” kind of approach? All food for thought for employers going forward.
Personally, I feel that job sharing could be the answer for some organisations – no matter how rare it currently is on both sides of the pond.
Job sharing is more commonly seen in the public sector, but I feel that the private sector needs to explore the possibilities of job sharing too. Even part-time security roles are a bit of a rarity – wherever there is a non-full time staffing need, private sector organisations tend to lean more towards using the services of a contractor or freelancer.
However, especially in the high-pressure world of cyber leadership, relying on a single leader who is always on call is incredibly stressful for that individual, and leaves the company spiralling if that leader is unavailable for whatever reason when disaster strikes.
But by having two CISOs who each work 3.5 days each a week (or even four days each with an overlap) the company always has at least one CISO on call at all times; those CISOs get to share some of what might sometimes seem an insurmountable burden; and once they are off-duty, each CISO is able to properly switch off and enjoy their downtime more fully.
There’s a feeling that the applicant appetite wouldn’t be there for such a role, but of the 43% of UK adults aged 55-66 years old who have taken early retirement since the pandemic, 15% wanted a change in lifestyle, and 18% wanted to spend more time with family and friends.
Those who have already taken early retirement may not end up returning to the workforce, but some may eventually thirst for their next challenge – but maybe just a part-time one (well it’s that or becoming a NED). And those who are still in the workforce and considering early retirement may have their heads turned by a promising part-time job share.
The whole 4-day week phenomenon is such a moving feast at the moment, so what do you think? Tag us on LinkedIn and let’s discuss!