Being in a leadership role in information security requires you to hold an odd mix of things in your head at the same time: enough technical depth to smell nonsense, enough strategic thinking to steer the ship, enough leadership to keep people moving in the same direction, and enough business and communication skill to make any of it land with the people who control budgets and priorities.

That’s a lot. And it’s on top of the day job: projects, incident noise, risk decisions, the “hot topic of the day”, and the never-ending parade of meetings that all feel urgent right up until they collide with each other in your calendar.

Over many client engagements I’ve tried all sorts of methods to keep myself from spinning out—some fancy, some simple, some frankly a waste of time. What follows is what I still use today because it actually works in the real world, not just in an executive coaching book.

Prioritising

One of the quickest ways to fail in security leadership is to treat everything like Priority One. It’s a trap. If everything is urgent, nothing is. The first step towards being properly organised is learning to prioritise in a way that doesn’t just feel productive, but genuinely aligns effort to impact.

When the inbox is overflowing and you’ve got five different people asking for answers “today”, the goal isn’t to do more. It’s to decide what matters most, and to be comfortable with the fact that some things will wait.

When I’ve got a lot on my plate, I still come back to an old, unfashionable trick: a quick 2x2 matrix. One axis is urgency, the other is impact. It’s not magic, but it forces a decision. It also gives you something solid to point at when someone inevitably asks why their pet project isn’t at the top of the list.

Where security differs from some other leadership roles is that impact isn’t just commercial. I lean heavily toward what’s public-facing, what’s exposed, what’s fragile, and what carries reputational blast radius. If you’re choosing between tidying internal process debt and fixing a genuine externally exposed risk, the choice shouldn’t be complicated.

Time Management

Time is the one thing you never get back, and leadership roles have a nasty habit of turning your day into a patchwork of interruptions. I used to kid myself I’d “catch up later”—on the train home, on the commute in, at the end of the day. It wasn’t effective. All it did was stretch the working day while lowering the quality of the work.

What actually helped was accepting that deep work needs protecting. If the day is full of meetings, then the only way you get real thinking done is to carve out space for it and defend it like it’s production availability.

I’ve used plenty of productivity techniques over the years, and the specific flavour doesn’t matter as much as the principle: work in focused blocks, do one thing at a time, and stop pretending multitasking is a skill. It takes just one phone call, one Slack message, or one “quick question” to scatter your concentration across three threads, and it can take ages to get back to the original one.

Deadlines are part of this too, and “realistic” is the key word. Overcommitting is seductive because it makes you sound helpful and responsive. But if you promise a paper “tomorrow”, what you’re really doing is stealing time from everything else to meet that promise—often without enough thinking space to do it properly. It’s better to be honest about timeframe than to deliver something rushed that creates more risk than it reduces.

Delegation

Delegation is one of those words people nod along to, right up until they’re under pressure—then they grab everything themselves and become the bottleneck.

As a CISO (or anyone in a senior security leadership role), you are not always the best person to handle everything that comes your way. Sometimes you’re not even the second-best person. Your job is to build a team you trust, and then actually trust them.

That starts with knowing your team’s strengths properly. When you understand who is brilliant at incident response, who has the patience for policy work, who can talk to engineers without turning it into a fight, and who can translate risk into business language, delegation stops being random task dumping and becomes a genuine force multiplier.

Clear communication matters here more than anything. If you delegate a task but leave the outcome fuzzy—no standards, no constraints, no definition of “done”—you don’t get delegation, you get confusion. And confusion is where risk hides.

Project management tools can help, but only if they are used as visibility aids rather than busywork. The real value is having a shared understanding of what’s in flight, what’s blocked, and what decisions are needed. Reviewing a board before a meeting is a quiet cheat code too: it lets you ask sharper questions and focus the conversation on progress and obstacles rather than status theatre.

Effective Note-Taking

Underpinning all of this—and I can’t stress how important this is—is keeping track of everything without relying on memory and luck.

I use an iPad to keep my notes organised. I’ve tried the whole range: paper notebooks, flash cards on the desk, the classic Moleskine. But as you take on senior leadership roles it becomes harder and harder to keep paper updated when priorities shift weekly and decision trails matter.

I can still remember an engagement over a decade ago where a senior leader got cornered by the board after a customer-facing outage. The questions weren’t unreasonable, but they couldn’t answer them: what changed, who approved it, what risks were accepted, what mitigations were in place. The response was predictable: weekly 50+ page packs covering everything—metrics, KPIs, incidents—lugged around “just in case”. It wasn’t sustainable, but it was a symptom of the real need: fast recall, with evidence.

Having your notes organised and searchable is essential. I use Standard Notes with a template I created to structure how I capture information. The iPad has become a laptop replacement for me in a lot of situations, especially for quick research or catching up on the day’s security noise during a commute. I also self-host a lot of my services—email, file sync, notes—with encryption and offline backups