All posts
Leadership Reflections

The Closet Floor

Assaf Keren|May 18, 202611 min read

It was the Wednesday before moratorium. The week before Black Friday and Cyber Monday at PayPal, when the part of the year you spend the rest of the year preparing for is forty-eight hours away. Engineering teams across the company were trying to ship the last of the changes they wanted in before the freeze. Some of them should have shipped two weeks earlier. A few of them shouldn't have been shipping at all.

I was head of security operations. The phone started at midnight.

By twelve-thirty I was in the bathroom walk-in closet. Not because the closet was where I wanted to be. Because my wife was asleep, the kids were asleep, and the rest of the house had hard floors and bad acoustics. The closet was the only room where I could be on calls without waking everyone up. I sat on the floor with my back against the wall, the laptop open across my legs, my phone in my left hand and a charger snaking out under the door to the outlet in the hallway.

The Calls

The first call was a site issue. Traffic patterns on one of our payment processing endpoints had spiked in a way that didn't match any expected behavior. The shape of the spike looked, on first read, like a denial of service attack. Our network team had already started mitigating, but the question coming up the chain was whether we should treat it as a confirmed attack and escalate, or hold and watch for another fifteen minutes while the mitigation took effect.

The call ran about half an hour. The shape of the spike was wrong for a DDoS on closer inspection. The traffic was real customer traffic, badly distributed, hitting a part of the platform that hadn't been load-tested for the kind of volume we were going to see in seventy-two hours. The mitigation we'd started was the wrong mitigation. We unwound it carefully so we wouldn't break legitimate transactions, then escalated a different concern to the engineering on-call about why customer traffic was distributing the way it was. Not an attack. A capacity problem with a similar signature.

That call ended a little after one.

The next one came in within a few minutes. A security incident at one of our offices on the other side of the world. The local team had triggered our crisis protocol, which meant the full crisis management bridge was up: physical security, HR, legal, communications, the regional GM, and me. I was on the call because the protocol said I was on the call. The substantive decisions belonged to the people closer to the situation. My job was to be present, to confirm we were aligned on the security implications, and to flag anything the people closer to the situation might be missing from a global lens.

Most of it was listening. I asked two questions toward the end about whether we should brief our broader security leadership in the morning and whether there were any signals we needed to watch for in adjacent sites. Both answers were no, with reasoning. The call ended with clear actions assigned to the right owners, none of which were mine.

In between the named calls, there were others. A page from our monitoring tooling that resolved before I'd finished reading it. A short call with our network on-call about whether a slow query on a database read replica needed a second pair of eyes. A Slack DM from a director in another timezone asking if we'd seen something in their region, which we hadn't. None of these took long. None of these were nothing.

By two I was on a text chain with one of our SOC analysts about a bug bounty submission that had come in through HackerOne. A researcher was claiming a vulnerability in one of our customer-facing flows that, if real, would have been the kind of thing you escalate immediately and treat as an incident. The initial triage was ambiguous. The reproduction steps in the report were sparse. The analyst had done what SOC analysts do: walked through the report, attempted the basic reproduction, flagged the ambiguity. He wanted my judgment on whether to escalate to the broader response process or hold while the night shift in application security took a closer look in a couple of hours.

The bug bounty call was different from the others. The two earlier calls were about confirmed events that needed a decision. This one was about a possible event where the cost of escalating wrongly was real. Paged engineers. Customer notification protocols engaged. Post-incident review process kicked off. The cost of not escalating, if the report turned out to be real, was worse. We talked for twenty minutes. I asked what he had tried and what he hadn't. I asked what would change his mind one way or the other. We agreed on a path. He would hand it off to application security at shift change with the specific reproduction angles I asked him to flag. If anything in the next ninety minutes shifted his read, he would page me back. If not, we would respond to the researcher with a request for clarification in the morning.

By morning it was a false positive. The researcher had misunderstood the flow they were testing. False positives are part of how you get the real ones.

There were more calls after that. I won't catalog them. By four I was tired in the specific way you get when you've held focus through the back end of a long night on a closet floor. My back hurt. My eyes had that grit you get from looking at a bright screen in a dark room. I'd eaten half a granola bar at midnight and nothing since. The laptop was down to twelve percent battery and the charger only reached the wall if I sat exactly where I was sitting, which meant I hadn't stood up in two hours.

The calls slowed sometime after four-thirty. I sat against the closet wall for another twenty minutes in case anything else came in. Nothing did. I closed the laptop, set the phone to silent but not off, and went to bed close to five. My wife didn't wake up. The kids didn't wake up. As far as the house was concerned, the night had been quiet.

The Morning After

I had an alarm set for 6:45.

By 8:30 I was in the office. T-shirt and jeans. I'd had coffee. The morning's calendar had me in a 9am with the engineering leadership team to review the moratorium-week posture, a 10:30 with our compliance group about an upcoming examination, an 11:30 with a vendor whose contract was up for renewal, and a 1pm with my own team to walk through the queue of escalations from overnight.

I do not remember the 9am very well. I remember that I delivered the security update, that I answered the questions that came up, that the engineering VP made a joke about how everyone was running on too little sleep and the room laughed in a way that suggested most of the room had also slept in pieces. I remember the 10:30 better, because compliance conversations are unforgiving. You can't fake a regulatory examination response by being tired, and so the part of my brain that wasn't sleeping was the part that was answering. The 11:30 vendor meeting I half-floated through. The 1pm with my team I locked back in for, because they had been in the trenches the night before too and they deserved a leader who was actually present.

I went home that night and slept ten hours. I had two days before moratorium, and three days after that before Black Friday, and the rest of the week would have nights like the one I'd just had and days like the one I'd just had stacked next to them.

The Visible Work and the Actual Work

Most senior security executives reading this know exactly what I'm describing. The closet is sometimes a hallway, sometimes a hotel bathroom, sometimes a parked car in the office garage. The cascade is sometimes a site issue, sometimes a crisis bridge for a site on the other side of the world, sometimes a researcher report, sometimes a regulator, sometimes a board chair asking why the news story is what it is. The next morning is the same. T-shirt and jeans. Coffee. Calendar. The room laughs at the joke about sleep and you laugh too because you've all been on the closet floor at some point this month.

This is the part of senior security work that doesn't show up in the keynotes or the board decks or the LinkedIn posts about the conference circuit. The visible work is the slide. The actual work is the closet floor, and the room the next morning where you're expected to show up as if the closet floor hadn't happened.

If you're early in your career and you're reading this thinking that sounds awful and you don't want that to be your future, I understand. I also want to be honest with you. At the senior levels of this profession, you will have closet-floor nights. Maybe not every week. Maybe not every month. But predictably, around the moments when the work matters most, the conversations compress and you find yourself somewhere you didn't expect to be, doing work that no one will see, in a posture that doesn't match the title on your business card.

The senior leaders who last figure out a few things. They figure out how to absorb the closet-floor nights without letting them define the next day. They figure out which conversations actually need them and which can be handled by their team. They figure out how to be present for the team the morning after, even when the team doesn't know they were up at 2am holding the line. They figure out how to come home to their family and be a person, not just a function, even when the function had a hard night.

When to Stop

The other thing they figure out, and this is the one nobody wants to talk about, is when to stop. Not stop the work. Stop themselves. The closet-floor nights compound. The compounding is invisible until it isn't. Burnout in this profession does not look like collapse. It looks like a leader who is still functional, still delivering, still showing up for the meetings, but who has slowly lost the bandwidth to be present in any of them. By the time anyone notices, including the leader, the recovery is much harder than it would have been if the leader had taken the long weekend three months earlier.

The leaders who last build recovery into the rhythm. They take the vacation when the calendar makes it possible. They protect the long weekend when the team is stable enough to hold without them. They notice when the cumulative weight of a stretch of closet-floor nights has crossed a line, and they correct before they have to correct from a deeper place. The work requires presence. Presence requires recovery. The two are not in tension. They are the same discipline.

I don't have a tidy framework for how to do any of this. I'm not sure anyone does. I'll say this. The closet floor is part of the job. So is the meeting at 9am. So is being the person your family wakes up to on the Wednesday before moratorium. So is the long weekend when you actually let yourself stop. The leaders who do all four for years are the ones who've made peace with the gap between the visible work and the actual work, and who've stopped expecting the two to look the same.

The Work Held

The site stayed up that week. Customers transacted. Black Friday came and went. The number that mattered most went the right direction. None of that was because of the closet floor specifically. All of it was because of dozens of closet floors, mine and other people's, the week before.

The work held.

Get new posts in your inbox

Frameworks and frontline lessons for security leaders. No spam, unsubscribe anytime.