As Director of Cybersecurity Operations at Children’s National Hospital in Washington DC, Sharon Finney wears many different hats on any given day. In addition to overseeing incident response, the hospital’s security operations center (SOC), security analytics and IOT, she runs a 12-person cybersecurity team and a strategic partnership with TrustWave, their MSSP.
But her leadership goes well beyond responding to cyber threats and protecting critical patient data from theft and exposure. Like the trauma staff at a hospital, Finney not only mobilizes her team during cyber emergencies, she makes sure they understand how their work affects hospital patients and staff, while also ensuring that their mental health is a top priority.
And in recent years, mental health has become a much bigger issue for CISOs and their teams. Cyber professionals in general are under more intense scrutiny and pressure — with 84% worried about their personal liability for cyber incidents. The added, and often constant, stress is compelling security professionals to reconsider their career choice: 76% say that the risk of personal liability is making cybersecurity less attractive, and 70% say they’ve considered leaving the industry altogether due to job stress.
“When you have a team that goes through trauma together, it creates a bond that’s deeper than just friendship. You all survived,” she says. “That’s what I need to build on my team — I need to build a team that’s highly resilient and highly reliable. Because that’s what builds trust within the organization.”
We sat down with Finney to discuss how she brings teams together, protects their mental health and keeps them resilient in the face of high pressure. Here are three of the most important guiding principles of her leadership that have kept her team strong, motivated and mentally fit.
Be aware of how your work affects real people
On Finney’s team, there is no hiding behind anonymous screens and dashboards. While it may seem obvious, Finney holds fast to the fact that everything the team does affects someone else they can’t see — that each data point, node or device actually represents a real person.
“The most challenging reality I face every day is that every device I touch, every action I take, there is a person — either a caregiver or a child — on the other end,” says Finney.
Finney makes it a point to humanize her team’s job as much as possible, allowing them to see how protecting sensitive medical data and building cyber defenses directly affects hospital patients, doctors, nurses and other staff. At least once a month, she brings her team into the hospital to see the devices and the people they protect first-hand.
And it makes a difference. The team gets to see up close how their cyber defenses keep the hospital safe from threats that could cripple systems and prevent access to care, and protect personal medical information.
She also encourages her team to listen and learn from other teams and hospital employees who are successful — a principle she acquired from being a third degree black belt in karate and a competitive martial artist for 20 years. “I learned during that time that you have to train with people better than you. You have to challenge yourself to not be the smartest person in the room and listen and apply principles you never imagined would be impactful,” she says. “I say to my team ‘we can only act on what we know. Therefore we have to know as much as we possibly can.”
Prepare for the worst to ensure your team’s best
Staving off everything from ransomware to nation-state attacks, Finney’s cybersecurity team deals with more than its fair share of surprises.
When the alarm bells go off, Finney’s team springs into action and she goes into what she calls “commander” mode. The security team has to be ready to work together without a hitch — and at a moment’s notice — with singularity of purpose: to shut down the cyber threat as fast as possible.
But it requires a lot of training and discipline. Finney says that she prepares her team for the unexpected by running them through regular monthly cyber exercises and drills to keep them in a constant state of readiness. Some of those exercises are communicated in advance, others they won’t know about ahead of time. Some of the exercises are individually focused while others are group drills. And although once in a while the team will face a major attack, it’s often the smaller incidents that will catch them off guard.
“It’s the little things that we hit everyday that will be their training ground,” she says. “If they’re not responding well to those, they definitely are not going to be ready for a major incident.”
Keep calm and model mental health
It’s hard enough to do a job under duress. But doing a job under duress while keeping airplane-pilot calm is another matter entirely.
That’s where Finney comes in, modeling cool and collected behavior so that her team follows suit and can do their jobs with laser focus in the middle of a crisis.
“The challenge for me as a leader is to make sure that my team is calm when everyone else is going to be panicking, so that they can do their job,” says Finney. “I’m calm, they’re calm. If I'm excited or upset, they’re going to be stressed. If I’m terrified, everyone around you is going to be terrified, and that just blossoms out to everybody in the organization.”
Finney manages her own stress with regular exercise. Her dogs and animals are also sources of peace that help her self regulate. She also encourages her team to have hobbies and healthy outlets, as well as build downtime into their schedule so they can enjoy time to themselves or with their families and friends.
Modeling calmness and self care as a leader for the team is just as important after a cyber attack as during, even when they’re off the clock entirely.
Because going through a breach is often an emotionally exhausting experience, Finney says she treats it like one. Children’s National Hospital provides mental health treatment and therapy for patients and employees, and Finney encourages her team to use the resources that are available to them. She also encourages her team to reach out to her at any time, for any reason, especially if they are struggling. “Going through a severe breach is a trauma. Everybody experiences that trauma differently,” she says. “You don’t have to do this alone. There’s strength in numbers.”
To learn more about how security leaders are responding to staffing shortages, advanced threats and mental health on their teams, download the Splunk 2024 State of Security and Splunk’s CISO Report.
