All posts
Leadership Reflections

The Three-Day Draft

Assaf Keren|May 7, 20266 min read

In the spring of 2020, I drafted a message to a public PayPal Slack channel and sat with it for three days.

The message disclosed that I had been living with PTSD since my time in the Israeli military. Up to that point, the only people who knew were my wife and my kids. Not my parents. Not my extended family. No one at work.

The reason I wrote it was simple. One of my leaders had come to me about an employee on their team who needed to go back on medication and was scared they would lose their job over it. The reason I held it was less simple. I was a senior security executive at a public company. I had been told for most of my career, implicitly and sometimes explicitly, that the job is performed without seams. I was afraid disclosure would cost me authority. I was afraid people would re-read every prior decision I had made through a different lens. I was afraid of what security leaders sometimes face when they admit to being human.

I sent it on day three. The response was unlike anything I had experienced in twenty years of work.

People wrote back privately. Not generic notes of support. Specific, often years-long admissions of what they had been carrying. Several told me they had never said any of it inside a company before. PayPal knew about my PTSD before my parents did, and the place I had been most afraid would punish me for it was the place that received it.

May is Mental Health Awareness Month. I am writing this for the security leaders who have a draft of their own sitting in their notes app right now, ready and unsent.

Let me explain what produces the draft.

The Control Trap

There is a pattern that catches senior security leaders, and I call it the control trap. Pressure produces the urge to hold more. Holding more produces volume. Volume produces pressure. The loop runs on its own and rewards itself in performance reviews. From the outside it looks like commitment. From the inside it stops feeling like anything at all.

I lived inside that loop for close to a year before I admitted it. By the time I did, I was the bottleneck I was supposed to be preventing. My team had stopped making decisions because every decision came back to me anyway. My judgment was worse than it had been a year earlier with half the information. I was being rewarded for the exact behavior that was eroding me.

The Numbers

The numbers are real. A 2023 Wakefield study commissioned by Devo found that 83% of cybersecurity professionals say burnout has caused errors that led to breaches, and 85% expect to leave their role because of it. A 2022 study by the Australian nonprofit Cybermindz, conducted with the University of Adelaide, ranked cyber professionals below frontline healthcare workers on professional efficacy, with some scores on the broader burnout scale exceeding the healthcare cohort.

We report worse mental-load metrics than people who work in emergency rooms and intensive care units. That is the population this job is producing.

What This Looks Like

What surprises people outside the field is that prolonged operation in this environment produces symptoms that look clinical. Sleep that does not restore. Hypervigilance that does not switch off when the laptop closes. Incident replay that intrudes on family time. A baseline anxiety that does not lift when the latest fire is out, because there is always another fire. You do not need combat to develop those patterns. You need years of feeling personally accountable for outcomes you cannot fully control.

Which is, more or less, the role.

Breaking the Silence

The Slack message did not solve any of that. What it did was break a specific kind of silence. The senior person in the room had said the quiet thing out loud, and the rest of the room exhaled.

If any of this maps to where you are right now, do something about it. Call a therapist. Talk to a doctor. Tell one person you trust who is not on the org chart. There are programs built specifically for people in our industry, and there are peer networks of CISOs who have been through it and will sit with you for an hour. None of this is hard to find. The barrier is not access. It is permission, and you are the only person who can give it to yourself.

None of this means you have failed at the role. It means you have been running too long under conditions the role produces, and the instincts that made you good at the work have started to work against you. Treating that as information instead of as character is the move.

The shame that keeps security leaders from asking for help is not really shame. It is inheritance. We grew up in a culture that treated visible struggle as a credibility problem, and we passed that culture to the people we hired. You do not break that pattern by waiting for it to break on its own. You break it by being the senior person in the room who tells the truth about their own bandwidth and gets care when they need it. The next person who watches you do it skips the five years of denial most of us spent before getting there.

Mental Health Is the Work

Mental health in security leadership is not a personal accommodation that interrupts the work. It is the work. You cannot run a security organization from a state of depletion and expect the calls to be careful. You cannot model healthy operating tempo for a team while breaking yourself in front of them. The leaders who build long careers in this field, the ones who shape the next generation of operators, are the ones who figured out that their own sustainability was part of the job description, not separate from it.

If you are sitting on a draft, this is the month to send it.