- Burnout isn’t a self-care problem
- An expectation of working 24x7x365, around the clock, isn’t sustainable
- Tools don’t solve a human element problem; they can make it much worse
- Incident response plans need to be updated often; otherwise, breaches can become much worse and increase employee stress
- Organizations and managers can decrease burnout in individuals and teams by providing more flexibility, reducing meetings, creating active feedback loops, and respecting boundaries
In 2020 and 2021, burnout became a popular topic of interest in information security; however, conversations about the prevalent burnout problem existed long before the pandemic. Industry leaders and practitioners have been yelling from the rooftops about how badly our industry needs to take a deeper look at itself and make changes that give workers more flexibility and the ability to balance personal and work life.
Instead of just talking about it… let’s actually start tackling the problem. This article serves as a starting point by breaking down why burnout exists in InfoSec, why past solutions don’t work anymore, and how to actually reduce burnout on teams.
Burnout in information security
Burnout occurs when we don’t balance our personal and work life. Security as a whole runs 24x7x365, protecting around the clock. In return, we are expected to work at all hours, at any time.
Consequently, it’s nearly impossible to work within InfoSec without experiencing burnout because one cannot balance personal and work life. Our industry doesn’t allow it.
In turn, workers in the industry start developing additional symptoms if burnout is left untreated, such as depression, anxiety, and/or major physical health risks.
Overall, if we don’t change how our industry is set up, we are going to continue having an unhealthy working environment, which, in turn, reduces our ability to have a healthy, balanced life.
Burnout among security professionals
There are a few reasons that lead to burnout among security professionals:
- The indirect enforcement of working around the clock, at all hours and longer hours than most industries. Research has shown that executives expect security teams to be on call at all hours and work on average 10 hours more per week than other departments.
- A lack of investment in security departments. Usually, unless there is a breach, a company doesn’t heavily invest in security. Security has been seen as a reactive strategy, versus investing in prevention strategies, which can help a team when dealing with a breach by reducing the stress of not having invested enough in prevention.
- The lack of personnel on security teams. It can take more than three months to hire someone to join a security team. During these three months, other team members are doing more work than they should be for their job to make up for the missing team member.
- A lack of knowledge throughout the company on security, and colleagues with security apathy. This has been an ongoing issue. There are many out there who don’t care about security or investing in security until they experience a breach themselves. When we personally experience it, we don’t want to go through it again. It can feel like an invasion of privacy and can deeply impact our mental health. Hence, sharing our personal experiences of being breached can challenge others’ apathy if they are open to self-reflection. It’s important that they do so because it only takes one colleague who has certain access to click on a malicious link or doc. As security professionals, this keeps us up at night and puts more stress on the job.
- A lack of incident response plans, or plans that are out of date or do not include the latest updates. As a result, response becomes ad hoc when a breach occurs. About 73% of organizations have no incident response plans or don’t have up-to-date plans. We know a breach will happen at some point; we just don’t know when. Knowing the response will be ad hoc when it does happen adds to the stress.
- Recognition and respect. When we don’t recognize the work our team members do, this can lead to resentment on the job. Whenever we don’t feel respected on the job or employers don’t respect work boundaries, it stresses us out. If the employer isn’t recognizing or respecting employees, it means there is an unhealthy work environment. Not having a healthy work environment and high stress will burn teammates out extremely fast.
- Gatekeeping. The act of gatekeeping is prevalent in our industry. It produces much stress for those who are trying to enter a role or stay in a role. It’s important that we practice DEI to reduce gatekeeping and raise our colleagues instead of dismissing or undervaluing them. Otherwise, we will continue to have a revolving door problem because gatekeeping leads to burnout.
Cyber security tools and platforms
Usually, we throw tools at a human element situation. This is only a band-aid that can make things much worse than the original problem. Instead of collaborating across teams on how to improve processes and structure, we have seen management unable to find solutions that work because they lack feedback, so, in turn, they purchase more products.
Collaborating amongst the team on what tools are needed and why assists us in building a stronger security team. A stronger feedback loop on the team allows better coordination and stronger security plans.
Another reason too many tools and platforms can lead to burnout is the constant situation of having incident response plans that do not incorporate new tools/platforms or personnel changes. Since these plans are overwhelmingly out of date, a fear remains: that when the breach occurs, fixing it will be ad hoc, which is extremely stressful. This fear and stress can contribute to the feeling of being overwhelmed and produce burnout.
Working from home
Once again, burnout occurs when we do not balance our work and personal life. When work and personal life overlap, or the line between them becomes a blur, we have to look at our setup.
Working from home allows employees to have more flexibility and focus on their work. It also cuts down on commute hours.
However, some of us are still trying to separate our work life from our personal life throughout the pandemic. Think about it. We take calls in our kitchen or bedroom at times. Kitchen and bedroom are personal life spaces, not work life spaces.
Having a separate space for work helps a lot with balancing. But not everyone has this privilege; as a consequence, the blurriness of work and personal life can impact us, and burnout can creep in. However, if you section off part of a room as a work space, and only use that particular spot for work, it does help. Lastly, no matter what, have work boundaries set, such as turning off work equipment at 6 PM during the week and keeping it off the whole weekend, and keep those boundaries in place.
Additionally, give yourself some time for your personal needs in the morning and evening. This means not checking work emails when waking up and going to bed. It means you look at your device only during certain time frames in the morning and afternoon, not during non-work hours. Sometimes it’s helpful at the end of the work day to take a walk or exercise to acknowledge in your being that it’s personal time for the rest of the day.
Reduce the chance of burnout happening
To reduce the chance that burnout occurs, organizations can do five things:
- Set up weekly 1:1 meetings of up to 10-15 minutes with each employee. This is a chance to get on the same page on projects and about priorities. This is not an opportunity to micromanage. It’s an opportunity to build trust with your colleague.
- Set a weekly no-meetings day, or a fixed time block on multiple days for no meetings. I recommend a Monday and/or Friday. Wednesday is another possibility.
- If you can, offer one day off a month for everyone to take a break. I know a few companies practicing this, and employees feel appreciated in their workplace because their employer understands the importance of mental health.
- Set up a round table meeting with your team to discuss what can be improved in the team and to examine tools and incident response plans together. If you collaborate with your team, it brings everyone closer and contributes to increasing trust amongst the team and manager. Additionally, it’s a DEI practice and a strong path to creating more strategic plans and a vision.
- Work across the company to address apathy towards security. As noted above, people who are apathetic to security are making your security much harder and placing your security teams at risk.
Overall, it’s wonderful to see organizations taking initiatives to finally recognize the role mental health plays in the everyday lives of employees. More and more professionals are making changes to leave employers who are not taking actions to reduce burnout. Hopefully, this article encourages organizations to allow employees to have a more balanced lifestyle.
About the Author
Chloé Messdaghi is an award-winning changemaker who is innovating tech and information security sectors to meet current and future demands by accelerating startups and providing solutions that empower organizations and people to stand out from the crowd. She is an international keynote speaker at major information security and tech conferences and events, and serves as a trusted source to reporters and editors. Additionally, she is one of the Business Insider’s 50 Power Players. Outside of work, she is the co-founder of Hacking is NOT a Crime and We Open Tech. She spoke about burnout among security professionals at The Diana Initiative 2021.