Burnout is Real: Lets Talk About it

You can feel it in your bones, the little voice in the back of your head is especially loud today. Self-doubt begins to rear its ugly head, the impostor syndrome is vigilant today, and all you want is some peace.This, my friends, is what is called burnout. It is a real condition that can cause both physical and mental injury, so let’s talk about it.

Learn about the 12 competencies of the effective CISO >>

Take into consideration that you are not alone if you feel this way; rest assured that it is quite common. With this being said, we need to look at the factors that can send you down this rabbit hole, only then can we effectively combat it.First things first, however, some general overview is needed to provide a scope of sorts.In Cybersecurity, we have to understand that it is a world of its own with no real way to contain it. Unlike other IT projects or roles, there is no defined end, nor a clear beginning, it simply is; let this sink in, embrace it, and strive to work with it, not against it.This world can be one of two things: A world where you are content and could do some considerable good for the masses from behind the scenes, or it can be a recurring nightmare that you cannot wake up from. Data security is exceptionally stressful by nature, and when you step into this world, that is continuously stressful and uncontainable. It will take on a life of its own and attempt to take you with it.This is only exacerbated by the fact most CISOs and their teams report that stress is the main factor of career decline and mental health decline. If we look at the numbers from Nominet, 91% of CISOs and teams report “moderate or high” levels of stress on a routine basis. 60% of CISOs and teams rarely disconnect or can disconnect from their work, and an alarming 17% turn to alcohol or medication to help cope.The constant barrage of articles and headlines that show up in our faces almost daily of a new APT, a new attacker, or a data breaches happening here can give credence to the thought that our work is ultimately fruitless. The nature of a cybersecurity role is defensive. Our work continually keeps us alert and focused, but this tunnel vision of sorts can leave us exhausted and ready to throw it all away.As much as we want to help and be helpful, there are a few factors that contribute to the “doom and gloom” mentality of the cyber world, and it starts at the top with the C-Suite. Looking at Nominet numbers again, it is reported that 32% of C-Suite Executives do not understand that breaches and hacks are inevitable. Now workers in the field to have to live up to an almost impossible standard. Several answers are given, but a couple sticks out more than others. A large number of executives believe that an attacker is not paying attention to their company (it won’t happen to them). Many C-suite think that the CISO and team can and should protect them from all data breaches and hacks. More than a quarter of the surveyed CISOs believe that an attack will result in firing or official warnings, further raising the stress level and forcing workers to be almost super-human. Couple this mentality with the current talent shortage, it brings to light that most information security workers are continuously overworked.The majority of this article has been doom and gloom, but there are ways to work through the issue. Let’s talk about them.The number one way that we can beat burnout is simple yet deceptive: UnplugGiven the fact that two-thirds of us cannot or cannot unplug makes this the most challenging yet rewarding. There is a mantra we can recite to ourselves, so take a minute and say this out loud (or quietly in your head if that is your thing): “I am going to shut off now. I’ve done everything humanly possible. I have someone in charge while I am recharging, I’mI’m taking a break, and I will check in when I get back.”Even though it might feel hollow, or even crazy for saying it, try it. It’s tough for people in our industry to do this, but by doing it, you are leagues ahead of taking care of yourself and in turn, your company. Look at it this way; the CISO can take a vacation, the CEO can take a vacation, why can’t you?Another difficult thing to do when talking about burnout, or any other issue that may be occurring is to talk about it.It’s hard, it can feel weird to express emotions regarding feelings, but you have to do it, you know?The longer you hold in that grudge, that disenfranchised feeling, the more it will take you out and have your work suffer. This is an industry in which we are almost always on alert, and that can take its toll. Don’t be afraid to be vocal about your stress to both colleagues and family; the resources out there are surprising. For those who are chosen to be confided to, don’t take it lightly, don’t turn away. Offer that shoulder and be empathetic, you’d be surprised by what comes of it.While the majority of this article focuses on the worker, leaders can and should be involved with providing recognition and continuing education.Often, the ability to lighten the load does not exist in our industry. This quickly can bring down entire teams, so we must start taking care of those who are shouldering the burden. Companies who regularly use “Non-monetary compensation” have been proven to have more engagement and more overall happiness in the workplace. Non-monetary compensation is a reward that doesn’t have a dollar value to a person, but it is still valuable. This can be a training in a critical area that a worker can take with them on a new adventure; or a certification that somebody has been eyeing for a while. Some may call this a double-edged sword, but it is a win-win. If you invest in your workers, the return will be far greater than any capital investment. You, as a leader, can gain a more competent worker, and the worker gains self-value in knowing they have a new skill set that is immediately useful for any current problems the company may be facing.In contrast to most of this article, telling you to relax and unplug and whatnot if this isn’t possible, you should assert control wherever possible.When facing a DDoS, or ransomware attack, or (insert attack here), there is very little you can control. You do have control of backups. You do have control of your team, and you have control of the direction. With every major shakeup or merge, problems are soon to follow. Find where you can put checkpoints in place, and use them. By finding these areas, you expand your sphere of influence and to some extent, control the outcome of most situations.Finally, leaders need to implement the idea of rotating security roles in organizations. 

 Let’s take a look at a well-run water park; ideally, lifeguards are rotated out every 15 to 20 minutes. Which is purely for safety reasons since it helps maintain mental alertness and minimize stress. We can apply this same philosophy to our information security workers. I can tell you from personal experience that staring at logs for hours at a time can be mind-numbing. By implementing the idea of rotating roles, the SOC 1 Analysts at your company begin learning more about the company and what is expected in that role. Seasoned professionals get downtime from always being vigilant, and their in-depth knowledge can be passed on while working as a trainer or other low-stress role.The majority of most cyber incidents happen at the human level, often by our workers; however, it is not their fault. We have to blame the status quo of the industry and stress that is created by these roles. We need to get to those in charge to start making changes. Find the control you have and use it, take time off when you need it, step back and let someone else hold the reins ever so often to recharge. Leaders, take time and talk with your team, be a shoulder for all problems, and show your team that they are appreciated, don’t just make them “feel” appreciated. Using these tools and others, we can bring the industry up, rather than let it stagnate.