“This is what I know about you. You are in this profession because you fall into that group of people who care a great deal about making a better world. You love finding a new way – whether it is figuring out how a cyberattack works or a better way of preventing attacks. At your best, you are reliable, hard-working, responsible, and trustworthy. You are an agent of change. You are especially adept at foresight: you have the expertise and thought patterns to see what can go wrong before it does, and you typically will sacrifice yourself during difficult circumstances to drive action that will prevent terrible things from happening.”
When I shared that perspective toward the end of my keynote at a regional conference of cloud security experts, I was stunned to see tears in the eyes of people throughout the room.
It was clear that the personal connection had resonated. It became apparent from their comments that many people in the room were on the edge of leaving cybersecurity as a profession for good because they had sacrificed until they could not do it anymore.
The good news is that most people who work in cybersecurity see their work as a calling. The sad news is that we are all working against highly unfavorable odds. Advanced persistent threats are having a renaissance, contributing to an uptick in incidents and breaches that are increasing in materiality. The security team works in an arena that can result in a state of continual hyper-vigilance, and research shows that this has adverse impacts on health, quality of life, and relationships. According to VMware’s recent Global Incident Response Threat Report, 51% of cybersecurity professionals self-identify as burned out. Of that group, 67% had lost work hours because of stress and 65% of them were considering leaving cybersecurity as a profession.
Cybercrime is a $2T industry funded by crime rings and nation-states. On the defender side, cybersecurity often feels like an unfunded mandate competing for resources with other business-critical priorities. The result: emotional and physical exhaustion and a sense of ineffectiveness and futility.
The World Health Organization defines burnout as a syndrome resulting from unmanaged workplace stress. Physical exhaustion and emotional exhaustion are critical components of that. In addition, ineffective work processes and workflow while “doing more with less” can lead to a sense that decision-makers do not get it, or they do not care. That is when cynicism sets in.
“People working in security and intelligence roles are afraid to let others know they are not OK for fear of being labeled as ‘weak’ and possibly even ‘unfit for duty,’” paraphrasing Richard Thieme’s presentation takeaway at DEFCON in 2017.
When burnout is considered shameful and people see no way to fix it, it becomes the definition of suffering. That is why people leave.
With a shortage of cybersecurity professionals in the range of millions worldwide, we should do all we can to address this serious situation now. I suggest using three major pillars as a guide: Self-care, Empathy, and Empowerment.
What can you do today to make a difference?
For managers
1). Make it OK to not be OK. (Empathy) Acknowledge the stress of the job. Be sure to talk about it in staff meetings and become proficient in the art of listening and presence when people need to talk. Managers are frequently uncomfortable with this role so seek specialized training to equip people in the art of empathic listening instead of automatically making a referral to EAP (Employee Assistance Programs). This helps with emotional exhaustion.
2). Counter the physical exhaustion. (Self-care) Enforce vacations and consider work arrangements that allow for a periodic extra day of decompression time. Provide comp time after the extended intensity and pressure of incident response.
3). Demonstrate that you care about people by making it easier for them to shine. (Empowerment) Remove barriers and seek improvements in workflow and handoffs between teams. Become a process improvement ninja and wherever possible, improve workflow and workload by automation. Use efficiency and effectiveness as the leverage for the budget to acquire, implement, and train on new tools. This helps with the sense of ineffectiveness.
4). Pace the implementation of innovative technology to match the available talent. (Empowerment) While a framework of automation for many aspects of a cloud-first strategy is essential from application to endpoint, a clear strategy, plan, and implementation approach need to be accompanied by sufficient training to ensure the technology is effective and systems engineers, operations staff, and end-users are proficient before moving on to the next new thing.
5). Consider adopting resilience-building techniques as part of the organizational standard operating procedure. (Empowerment) Career development strategies can utilize the SOC (Security Operations Centre) as a learning assignment with the understanding that rotations of the SOC team are expected as part of stress management and career growth. After the intensity of an extended incident, arrange for a debrief that includes not only the “post-mortem” assessment but also a stress assessment for the team to build empathy and awareness.
For cyber professionals
1). Know and care for yourself. (Empowerment) Know what makes life most meaningful to you and ensure you set boundaries around your many obligations to make space for those priorities every week. Know your why.
2). Remember that your worth is not tied to your performance. (Empathy) Many of us struggle with personalizing our productivity, recognition (or lack thereof), and achievement to our intrinsic worth. Be driven by what you love to do, not by fear of failure. Skilled coaches and mental health professionals can be immensely helpful in navigating this challenge and the benefits are significant.
3). Recognize the warning signals of burnout. (Self-care) These include physical and emotional exhaustion, a sense of ineffectiveness and detachment from the job, or cynicism.
4). Find the practices that help you reset. (Self-care) Use them as preventative measures: singing, dancing, connecting to nature, watching the sunrise – whatever feeds your spirit, do that for yourself each day.
It is an exciting time for people to be a part of cybersecurity. Burnout is an occupational hazard and one we need to deal with effectively. It is critical that we learn how to stay in-the-game and provide a strong set of shoulders for the next generation. By acting appropriately, we can all enjoy our work and help each other to stay healthy in this high-stress occupation.