Chefs, CISOs and Self-Medication

In my long and varied career, I have come to understand something that many who have not shared my career path may not: hospitality workers and security professionals are some of the hardest working people I've ever met. For both groups, the hours are insanely long, very stressful, and there is little downtime to mentally recover from the daily grind.

At the higher levels of both fine dining and security, the demand for perfection is incredibly intense. In professional kitchens, it's not unusual to see alcohol or drugs used as a balm against stress. It appears this is also the case for Chief Information Security Officers (CISOs), as a study cited later in this article demonstrates – but first, please indulge me as I draw some comparisons between the two fields.

In the mid-90s I was working at a small winery in the Santa Ynez Valley, about an hour north of Santa Barbara. One of our guests and I got to talking one afternoon and he told me he was preparing to open a restaurant in Springfield, Missouri. After several more conversations he asked me to move to Springfield to manage that restaurant.

Two months later I got my first real taste of the restaurant business. My typical day began at 9am as I opened the restaurant and started going over inventory and orders for the next few days. Once the lunch rush started around 11am it was a breakneck pace until 3pm, then a couple of hours breather until the dinner rush, then the appetizer and bar crowd until about 11pm.

By the time we would close the doors at midnight, put everything back together and figure out the next day’s deposit to the bank it was usually 1am. At least once a week on my way back to my apartment I’d stop by the grocery store and grab a bottle of vodka, thinking it was the only way I’d be able to get to sleep in time to be up and back at the restaurant within 8 hours.

Some nights half the bottle would be gone before the electric feeling of stress in my neck and shoulders subsided enough for me to be able to shut my eyes and get some rest. I can tell you from personal experience that when your day unfolds at the pace of a busy restaurant, sometimes it feels like alcohol is the only way to feel like—to paraphrase the great Charles Bukowski—the world doesn’t have you by the throat.

Similarities Between Chefs and CISOs

I quit that job after about six months and moved back to California, where I started my career in sales. But the restaurant industry called me back, and in 2003 I graduated from Le Cordon Bleu in Pasadena, CA. For the next 10 years I worked in and around the culinary industry, and during that time I came to realize that my experience at that restaurant in Springfield was, unfortunately, very typical.

In the culinary industry, the reported rate of alcohol and drug use is about 12%. The average tenure in the hospitality industry is 21 months. I know of one chef who suffered a stroke at an early age, and I know of two who took their own lives.

According to a recent study by Nominet.uk (PDF), the number of CISOs abusing drugs or alcohol in order to manage stress is almost 17%, and their average tenure in a company is about 22 months.

The similarities between Chefs and CISOs struck me, and as I started considering the two careers, I started seeing even more similarities. For example, as a cook in a high-end restaurant (my last actual restaurant job was at a 5-Star—now Michelin-star—restaurant on the West Coast), here's how you spend your day:

Fine Dining Cook

CISO

  Make sure your tools are sharp and are the best you can afford

  Build and maintain your stack

  Mise en Place (daily food prep)

  Ensure your team is trained and capable

  Manage tickets (food orders)

  Manage alerts (security)

  Keep your station (and kitchen) clean

  Remediation

  Keep all your cooks on the same page

  Manage team dynamics

  Stay up to date on food trends/ new dietary restrictions (ask me about trying to feed raw vegans at a steak house!)

  Staying ahead of new threats/ new security dynamics

  Long term food prep (stocks, etc.)

  Security related projects and other related IT work


Now, add in a wedding, retirement party, problematic guest, etc. to the mix while still maintaining the same service level (for a CISO this would include non-security related projects). And just for fun, throw in a walk-in freezer breaking down, a plumbing or electrical failure, or some other mechanical issue that comes completely out of the blue—can you say “MALWARE”?

As the demands and hours add up, so does the stress. As the stress increases, so does the tendency to want to turn to quick fixes to help manage that stress. Hello, bottle of vodka. Hello, pills, caffeinated energy drinks or other substances.

I imagine many chefs would love to have a tool that would allow them to identify problems before they happen, and automatically fix the issue before it caused mayhem in the kitchen. But, like security professionals, some chefs simply love doing things the way we’ve always done it, like the time I made a 30-egg hollandaise with a whisk instead of using a VitaMix—thanks, Chef!

Time For a Change

It's clear we need to make a change in the cybersecurity industry. Some things are simple, like adopting new technologies that replace people-hours with machine-hours. Or using technologies that minimize the things that create busy-work and distract us from our actual jobs (I'm looking at you, alerts). Or embracing automation and artificial intelligence (AI) to manage many of the daily tasks that we burn so many FTE cycles on. And, of course, using tools that can predict problems and prevent them before they happen, rather than just alerting us afterwards.

Then of course, some things are harder. The Nominet study reveals that many board members or senior management teams still don’t understand “cyber”, let alone “security”, and don’t accept either as a strategic business function. Most of the CISOs polled in the study above indicated that, although their board understands the apparent inevitability of breaches, they still believed they would be fired as the result of one.

And of course, you have the predatory nature of the all-too-many security vendors whose motto seems to be, “why use one really good tool when a dozen of our mediocre tools will kind-of-do?” In short, defense in depth has become expense in depth.

Final word: if you’re in the 17%, or you have a peer who is struggling with addiction, please take my advice and seek help. No one should have to battle those demons alone. I miss my friends from the food-service industry who have left this world too soon, and I don’t want to see the same thing happen to my new friends in cybersecurity. 


The opinions expressed in guest author articles are solely those of the author, and do not necessarily reflect those of BlackBerry Cylance or BlackBerry.