Burnout in IT security professionals is a real issue with potentially grave consequences.
Security teams often feel they are not listened to and are unfairly positioned as a blocker to IT progress. The priorities of a typical technology delivery team, such as speed of delivery, functionality and cost, are frequently at odds with the organization's risk management objectives, which leads to regular difficult conversations.
For those security professionals who hold the line and continue to act as the conscience of the organization, stress becomes a reality of daily life. For those who become apathetic, corners are cut, risks are inappropriately accepted and significant security issues can occur.
In addition, major changes to the security world, ushered in by the global pandemic, have put a huge strain on IT security professionals’ mental health.
Increased demands by organizations to adapt to a remote-first way of working meant that these individuals had to work overtime to ensure not only quick but secure digital transformations.
On top of changes to their work routines, including upticks in their workloads, extra personal responsibilities, such as childcare and eldercare, only added to their exhaustion.
“We face the uncommonly high risk of burnout due to the nature of security work,” said Sounil Yu, CISO at JupiterOne, a provider of cyber asset management and governance solutions. “First, it is a 24x7x365 endeavor. We’re not just paranoid; there really are bad people out to get us.”
Yu pointed out it doesn’t help that major security events often have a nasty habit of revealing themselves on Friday afternoons or before holidays.
“We all need restorative time to avoid burnout and, unfortunately, the demands of the job and the constant feelings of being behind do not lead us to feel as though we can take a break,” Yu said.
This stressful situation is often exacerbated by insufficient staffing, outdated technologies or a lack of executive support: all factors that conspire to leave many security professionals feeling depleted, exhausted and overwhelmed.
“It is incumbent upon those with the power to change those conditions to be responsible for recognizing the signs of burnout and heading it off before it gets worse,” Yu said. “Of course, CISOs can reduce job demands, but one counterintuitive solution to burnout is to give those employees at risk from burnout more work.”
However, Yu explained this new work should be specific assignments that give individuals more autonomy and help them see clear purpose and impact from their contributions.
This could include volunteering and mentoring opportunities to get immediate, positive feedback from their work.
Yu added it is also important to recognize and celebrate small wins, even if those wins are quickly swept away by the next raging fire or virus outbreak.
“CISOs should become familiar with WHO’s burnout guidance and respond to employees who display symptoms such as disengagement, chronic exhaustion and reduced productivity,” Yu added. “CISOs should also use regular 1-on-1 meetings to foster trust and let them know they can expect help and support to avoid burnout. These proactive measures can help them feel more confident to bring forth concerns when they encounter symptoms of burnout.”
Joseph Carson, advisory CISO at Delinea, a provider of cloud identity security solutions, pointed out it is critical to identify and recognize signs of burnout and act immediately, giving employees all the support they need to recover and rebalance.
“Time is the most valuable asset we have, and once taken, it can never be recovered,” he said. “Therefore, organizations must recognize burnout signs and ensure the employee can balance the work and find ways to automate as much as possible.”
Carson stressed that organizations, and the leadership team, should talk about burnout openly and maintain an open-door policy for all employees.
Chris Morales, CISO at Netenrich, a digital IT and security operations company, said reducing burnout requires a fundamental shift in expectations of how an analyst should spend their time to be most effective in managing risks to the business.
“I propose a shift to risk operations, instead of security operations, which would provide a better sense of connection between analysts and mission, thus leading to a higher level of satisfaction in work and reduced burnout,” he said.
As Morales sees it, “risk operations” consists of the daily work of maintaining situational awareness of high-value and targeted assets through ongoing quantitative analysis, in order to understand the dynamic risk to digital operations at any given moment.
“Instead of parsing data to reduce noise, analysts examine long-term patterns to identify hotspots with prescriptive information that is actionable,” he said. “The fact that the topic of burnout is a constant in the security industry seems like a strong indicator the process of threat detection itself is flawed.”
Morales said the skills shortage, and thus overload of work on the people tasked with managing it, reflects how manually intensive and complex the threat detection and response process is.
“This vigorous, time-consuming process limits analysts from being effective in managing risk to enable business growth, which should be the primary [objective] of any security program,” he said.
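To make the distinction between alert-volume triage and the asset-centric "risk operations" view concrete, here is an added example; it is not code from Netenrich or Chris Morales, and the asset inventory, business values, "targeted" flags, severity scale, decay half-life and alert stream are all constructed assumptions. The security-operations view counts alerts per asset, so the noisiest source wins; the risk view weights each alert by the asset's value and exposure and decays it over time, so a recurring pattern of serious alerts on a high-value target surfaces as the hotspot even though it produced far fewer alerts.

```python
"""Alert counting versus value-weighted, time-decayed asset risk.

Added illustration, not the code of any vendor quoted in the article.
Every name, weight and alert below is a constructed assumption.
"""
from collections import Counter
from datetime import datetime, timedelta

# Fixed "current time" so the example is deterministic and runs offline.
NOW = datetime(2022, 6, 30, 12, 0)

# Constructed asset inventory (hypothetical names): business value on a
# 1-10 scale and whether threat intelligence says the asset is targeted.
ASSETS = {
    "payroll-db": {"value": 10, "targeted": True},
    "web-frontend": {"value": 6, "targeted": True},
    "dev-jenkins": {"value": 5, "targeted": False},
    "kiosk-lobby": {"value": 1, "targeted": False},
}


def _ago(days):
    """Timestamp `days` before NOW (helper for the constructed stream)."""
    return NOW - timedelta(days=days)


# Constructed alert stream: (timestamp, asset, severity 1-5).
# The lobby kiosk is the noisiest source; payroll-db has few alerts but a
# recurring high-severity pattern; the oldest Jenkins alert is outside the
# 30-day window and is deliberately ignored by the risk scoring.
ALERTS = (
    [(_ago(d), "kiosk-lobby", 1) for d in range(1, 21)]
    + [(_ago(2), "payroll-db", 4), (_ago(9), "payroll-db", 4), (_ago(16), "payroll-db", 4)]
    + [(_ago(d), "web-frontend", 2) for d in (1, 3, 5, 7, 9)]
    + [(_ago(25), "dev-jenkins", 3), (_ago(28), "dev-jenkins", 3), (_ago(40), "dev-jenkins", 5)]
)


def alert_volume(alerts):
    """Security-operations view: assets ranked purely by alert count."""
    return Counter(asset for _, asset, _ in alerts).most_common()


def asset_risk(alerts, assets, now=NOW, window_days=30, half_life_days=7.0):
    """Risk-operations view: per-asset score over a rolling window.

    Each alert contributes severity * exposure * decay, where exposure is
    the asset's business value (x1.5 if targeted) and decay halves the
    contribution every `half_life_days`, so recent, repeated, serious
    alerts on valuable targets dominate the score.
    """
    scores = {name: 0.0 for name in assets}
    for ts, asset, severity in alerts:
        age_days = (now - ts).total_seconds() / 86400
        if asset not in assets or age_days < 0 or age_days > window_days:
            continue  # unknown asset, future timestamp, or outside the window
        meta = assets[asset]
        exposure = meta["value"] * (1.5 if meta["targeted"] else 1.0)
        scores[asset] += severity * exposure * 0.5 ** (age_days / half_life_days)
    return scores


def hotspots(scores, top_n=2):
    """Assets ranked by risk score, highest first."""
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:top_n]


if __name__ == "__main__":
    print("by alert count :", alert_volume(ALERTS))
    risk = asset_risk(ALERTS, ASSETS)
    print("by risk score  :", [(a, round(s, 1)) for a, s in hotspots(risk, top_n=4)])
```

With the constructed data the count view puts the lobby kiosk on top, while the risk view ranks payroll-db first and web-frontend second; the kiosk's twenty low-severity alerts barely register. The window and half-life are the tunable assumptions: shortening the half-life makes the score track the last few days, lengthening it rewards persistent patterns.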