A couple years ago, Grace had landed her dream job. It was something she had dedicated years to and it was finally paying off. The boss had recognized Grace as a dedicated and skilled professional and she was promoted after just a few months. She was happy, earning well above the market average, with a future full of great opportunities. It all happened so fast she was still dazzled. Mike had left her last week, saying she was not the same person and that he would not live with someone so distant and self-centered. In fact, as yet another alert blipped on her screen, she was trying — and failing — to remember the last time she spent with her family and friends. Her thoughts were abruptly interrupted when her supervisor entered the office, shouting. “Grace, what did you do? They got us! All files and databases are encrypted!” As they investigated the several hundred ignored alerts, it became clear what the problem was. As the usual corporate background images were replaced on every computer by a smiling skull asking for a huge amount of bitcoins, Grace went into panic mode. Her career had barely started and was already over.
Cybersecurity and burnout
As with any high-responsibility job, working in cybersecurity can be something quite exhausting. Not only is this a career that demands a constant development of knowledge and skills, but that in many cases requires long working hours (including many late nights, weekends and holidays) and where the pressure for results is constant. After all, for a cybercriminal to succeed, all it takes is a single failure from the cybersecurity team. All of these factors, especially when accumulated over time, can result in burnout. This damages not only the physical and mental health of professionals but can also have a high impact on business. This is not just because of the obvious issues related to labor problems, but due to the fact that, in most cases, burnout situations are not identified early enough. To put it simply, strictly thinking in information security terms, hardly anything can be worse than having a physically and mentally devastated professional as the organization’s main line of defense against tireless cyberthreats. Understanding burnout as a real problem in the cybersecurity career is something very important for both professionals and employers. There are countless measures that, if taken in time, can completely avoid this very delicate situation. Here are five practical tips on how to deal with burnout in a cybersecurity career and other similar areas.
Dealing with burnout, the simple way
Recognize burnout as a major problem and face it head-on
The first step to solve any problem is accepting it exists and making a conscious decision to deal with it. Recent publications such as Deloitte’s marketplace survey indicate that 77 percent of respondents say they have experienced employee burnout at their current job. In cybersecurity-related jobs, the situation is even worse! In 2019, research by the Ponemon Institute pointed out that IT security personnel say that working in the SOC is painful, with 73% stating the main reason is “an ever-increasing workload that may cause burnout.” In the case of CISOs, yet another recent survey found out that their role is stressful, with “91% saying they suffer moderate or high stress and 60% adding they rarely disconnect” and that it is a job that has “had an impact on their mental or physical health, with the same stating that it has had an impact on their personal and family relationships.” To put it simply, burnout is a problem that needs to be recognized, both by the company and by the affected professionals. The longer it takes for you to accept this reality, the greater the chance of losing control and turning something simple to deal with into a critical situation for the organization and devastating for its employees.
Understand the root causes of burnout in your organization
There are countless situations that, in the long run, can lead to burnout. Common examples include work overload, crunch time, pressure for results, lack of recognition and no perspective for professional growth. In the cybersecurity area, the pressures can be significantly higher. With the current widespread talent shortage, many organizations are understaffed. Worse, there is minimal room for error, since a single click can be all the difference between preventing the next attack or letting the organization be owned by cybercriminals. Of course, all of this is specific to the context and culture of each business. This means that a smart strategy is to invest time to analyze the scenario of your organization and understand the situations that increase the stress in your cybersecurity team. Letting people know that you care and that you are already taking the necessary actions to deal with stress at work is a quick win.
The sooner you start treating the problem, the greater the chances of success
It goes without saying that treating stress situations early will bring the best results to your organization. Burnout is a silent problem that, in most cases, does not just happen overnight. Management should pay close attention to the usual signs, such as employee chronic fatigue, lack of concentration and ongoing health issues such as insomnia and anxiety. These “early warnings” usually occur long before extreme situations, such as outbursts of anger, mental exhaustion or even acts of violence. There are several options for dealing with job stress, many of which can be implemented in a short period of time. For example, in larger teams, you can adopt role rotation or even designate a specific time for employees to focus on self-development or simply be “unplugged.” For smaller teams, this may be a challenge. But with the advances of security solutions, there is always the option of using technology to automate basic activities and let specialists focus on more challenging tasks.
Talk with your cybersecurity staff about stress
A disconcerting truth is that many cybersecurity professionals have a strong tendency to think of themselves as unsung heroes, able to deal silently with all types of pressure. This is far from true. Good security professionals are expected to be resilient but they can also be quite introspective and avoid talking about problems, especially when they feel it can hurt their professional development. An important action is to demonstrate that the organization openly deals with stress-related problems, precisely to ensure that employees can develop and have access to the best opportunities within your company. It is important to remember that cybersecurity professionals work to protect the interests of the company, often leaving aside their own interests. A good strategy is to clearly demonstrate that the organization recognizes the importance of their work and will do everything possible to also protect the interests of its cybersecurity team. Encouraging these professionals to recognize the symptoms of stress and burnout early, as well as having an open channel for them to let their organization know what they are feeling, is one of the best ways to ensure that adverse situations will not happen.
Having a good succession plan is essential to avoid burnout
If your company has an ill-defined career path, members of your cybersecurity team are probably expected to be performing the same tasks, over and over, indefinitely. If they are already experiencing high levels of stress, this can amount to a feeling that “it will never go away,” leading to symptoms such as fatigue, anxiety and disengagement. On the other hand, if your company has an effective and clear cybersecurity career path, even an employee who is currently under high levels of stress knows that a replacement is being prepared so that he can move on to a new and better position with a different set of challenges. In fact, an ill-defined career path is among the top reasons why good professionals resign. And, of course, the high demand for cybersecurity talent creates many opportunities, which can prove increasingly tempting, especially when your company does not offer something similar. Your organization should always be open to dialogue and be frank about professional development expectations. Again, not only listening, but also understanding the needs of your cybersecurity team is an excellent way to reduce stress and avoid any chance of burnout. In addition, this is also a fantastic strategy to retain the experts and talents that are already part of your company.
Conclusion
There is no denying that stress is part of the vast majority of cybersecurity-related roles. After all, the “simple” responsibility of protecting an entire organization from cyberthreats already carries a huge weight. The good news is that this is not only expected but often sought by professionals, who live to face this challenge. As mentioned before, good cybersecurity professionals are resilient and develop their careers fully aware of how much will be expected of them. Of course, even unsung heroes have limits and it is important that your organization actively seeks good conditions so that experts can perform at their peak. The best way to avoid burnout situations is maintaining a proactive posture and always dealing with problems while they are still manageable. Remember that extreme situations never happen overnight, keep the dialogue open and focus on demonstrating that your organization protects the professionals who protect it. That way, your cybersecurity team will certainly do the best in return.
Sources
Workplace Burnout Survey, Deloitte Improving the Effectiveness of the Security Operations Center, Ponemon Institute Life Inside the Perimeter, Nominet Cyber Security (ISC)² Finds the Cybersecurity Workforce Needs to Grow 145% to Close Skills Gap and Better Defend Organizations Worldwide, (ISC)²
