According to the World Health Organization:
“Burn-out is a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed. It is characterized by three dimensions:
- feelings of energy depletion or exhaustion
- increased mental distance from one’s job, or feelings of negativism or cynicism related to one’s job
- reduced professional efficacy
Burn-out refers specifically to phenomena in the occupational context and should not be applied to describe experiences in other areas of life.”
There has been an ongoing conversation in the CISO community about stress and burnout. Heck, I’ve even covered the topic several times—including during my talk at RSA with Gary Hayslip (@ghayslip), “Why the Role of the CISO Sucks”—and I’ll be covering it again in two weeks at CB Connect London. It’s something I’m always happy to talk about, but thinking about it recently has brought something else to my attention that is not as frequently touched on: It is not enough as leaders to manage our own stress. We must help our teams manage theirs in order to have long-term success in the industry.
To that end, today I wanted to discuss effectively managing the stress of a team. People change. People get married. People get divorced. Family members die. Children are born. Breaches happen. This, of course, is in addition to all of the general stress felt on a daily basis in infosec. Alert fatigue is real. Burning the candle at both ends is real. Taking time away from your family and going above and beyond a normal 9-5 isn’t just the norm—it’s expected. In most cases, compensation doesn’t come close to accounting for the loss of time spent at home or the weekend, holiday and vacation hours spent working. So how do we—as leaders—help our teams?
- Schedule 1 on 1’s. I am a big fan of 1 on 1’s; however, they must be used correctly. A 1 on 1 should not be scheduled to discuss your agenda as the leader. It is your team’s time to speak with you about what they need. The agenda is theirs; let them bring up whatever they want.
- Show that you care. Make sure your team knows you are invested in the people side of the equation. Nothing rings worse to an employee than a fake boss who clearly just wants to get work done. Think back on the various ineffective leaders you have experienced in the past. Don’t be like them. Truly invest in and care about your team. No, we won’t always be able to give them the answers they want to hear, but investing in them as people will help you and them in the inevitable hard times down the road.
- Focus on employee personal growth and development. This doesn’t mean you have to be all infosec training all the time. I have personally benefited more from leadership and personal development courses than I ever did getting another certification. Help your employees grow as people.
- Encourage non-standard activities like meetings outside, walking meetings, and mindfulness training. Mindfulness training is designed to help people deal with stress. Encourage your team to take classes.
- Give your team time to operationalize a piece of technology before implementing a new one. Yes, you need to move fast—but people need time to adjust to any new piece of tech. They should be allowed to fully operationalize it before ramming in the next one. Thoughtfulness around how much work they are actually capable of without becoming overwhelmed will go a long way for your team.
- Give your team the ability to take mental health days. This has benefited me greatly in my career—we all know that sometimes you just get spun on security. Forcing people to interact with others under already stressful conditions is a recipe for disaster. Allow them space to work. An “always on” mentality is not only dangerous to the people involved, but can lead to poor/reactive decision making.
- Consider rotations of work. Would you want to be in a SOC for three years mindlessly clearing alerts? Would that make you feel as though your career is progressing? The idea of work rotations is one I heard most recently at the CISO Summit at BlackHat 2019—and it’s an intriguing one. I would love to hear from anyone who is doing this today.
- Give the team a real break after a high stress event, like a breach. I have had the experience of dealing with 42 hours of compromises and breaches and then being expected to walk into a meeting bright-eyed and smiling. While one can fake being okay for a while, this will absolutely lead to burnout.
- Make sure your team is getting up from their desks and taking breaks. Walking meetings are a solid way to facilitate this.
- Be a resource. Be there for your team as people, not just for their work. This will ensure you have a happier and healthier workplace overall, and will likely lead to higher employee retention.
Remember, how we act under stress and how we create proactive mechanisms within our teams go a long way in ensuring the team is productive, healthy, and can handle things when times become stressful. As leaders, we must take care of our teams and help guide them through a career in InfoSec. Helping them deal with their ongoing stress and burnout will create a more resilient workforce—one in which 38% of us aren’t just up and quitting the industry. Take care of yourselves and your teams. Until next time…