Managing Infosec Burnout: The Hidden PerpetratorJune 10, 2019
The secret of the burnout epidemic lies in how we feel about our stress, not the things that stress us out.
A recent global study of cybersecurity professionals found that one in six CISOs (17%) said that they had turned to medication or alcohol to help deal with work-related stress. Another study from Symantec found that 82% of cybersecurity professionals are feeling the effects of burnout and a staggering two-thirds of them are thinking about leaving their current role. These statistics are alarming and intimidating – but hope is not lost. As we come to focus our efforts in combating burnout, we have got to ensure we are aiming in the right direction.
A Note on Wording: In this writing I am going to use terms like stressful events, difficult tasks, and burnout. These, and the solutions proposed, are not to be mistaken for trauma or ‘fixes’ for trauma.
A Bad Rap – Is Stress the Villain?
As it turns out, stress isn’t always harmful. Sometimes it can be really helpful. Moderate amounts of stress can cause athletes to push themselves to their limits and the rest of us to get our brains into gear. Ironically, in the same study from Symantec about burnout, 90% of practitioners said that they thrive under pressure. So, what’s actually happening when we get stressed?
A study involving a computerized forest firefighting simulation found that subjects participating in the simulation who were distracted by stressful stimuli performed about the same as those in the control group. The difference was how those subjects made decisions. The group experiencing the stressful stimuli (in this case an extremely distracting noise) made decisions based on a general outline of the problem, meaning they rarely stopped to perform in-depth analysis on challenges simulated by the game. Surprisingly, the stressed group actually made fewer errors when triaging priorities – while the non-stressed group did better when managing operations (which required attention to minute detail).
To put it plainly, stressful stimuli can help or hinder us to different degrees based on our roles (for instance, losing sight of minute operations details can cause difficulties for a CISO). But if stress isn’t always a bad thing, where is all this burnout coming from? It’s not singularly CISOs getting overwhelmed: two thirds of interviewed practitioners aren’t thinking about jumping ship for no reason. The secret of the burnout epidemic lies in how we feel about our stress, not the things that stress us out.
The Real Culprit of Burnout
The truth is, it’s often not difficult situations that wind us up but our experience before, during, and after those events that can burden us with long-term fatigue and tension, what we think of as “burnout”.
In Real Terms: Life as an in-house secure coding expert can be difficult – what with competing projects and back-to-back delivery dates. However, finding that decision makers don’t appreciate the work being done or that there’s no one with whom to vent or address concerns can apply a force multiplier to the negative feelings surrounding the hard parts of the job, leading to frustration and diminishing personal investment.
Conversely, stress often becomes more manageable with sufficient support – and when stress is correctly managed, it doesn’t build up and collapse into burnout and can also help keep us focused.
This is why, while we continue to address pain points like the talent gap, we need to target the feelings surrounding stressful phenomena in our jobs as much as the phenomena themselves. The origin of burnout lies in the response (and the environment that response occurs in) to difficult tasks, not the tasks themselves. As Captain Jack Sparrow said, “the problem is not the problem”.
Turning a New Leaf
If it’s the feelings that emanate from stressful events which contribute to burnout, not the events themselves, how can we fight back? There’s been mountains of research on practices which genuinely help individuals take control of their feelings – from meditation and biofeedback, to nature baths and exercise. However, there’s only so much meditation can do for you if you work in a crushing office environment. This is where the crux of the burnout problem lies.
To get rid of burnout, direct action needs to be taken by decision makers to own the climate the company creates for its people. That way, those people can properly tackle the challenges arising from their various duties. Here’s how:
As a beginning, it’s important to challenge the assumption that no one on the team is run-down because employees aren’t verbally speaking up. Imagining that work being completed means everything is fine ignores the fact that the symptoms of burnout can be subtle and easily mistaken for something more commonplace.
Look Again: An alert isn’t actioned properly – is it due to lack of sleep or hunger, or is it part of a pattern of anxiety and strain? Here’s a helpful table on common indicators of stress in others.
Next, policies should be introduced to create an environment where people feel safe about speaking up. This is done by scheduling regular openings for employees to privately or collectively hash out concerns – and here is the kicker, truly hearing them. It doesn’t count if you’re doing it to check off a box. Note, this doesn’t mean actioning everything that gets brought up. But it does mean that those concerns are authentically considered when decisions are made.
Knowing We Matter: Digital Shadows supports a crew of Mental Health First Aid (MHFA) volunteers who are on hand for those of us who need it. At any point in the day these volunteers are a quick stroll or direct message away to chat about any difficulties stemming from work or our personal lives that may need discussing. This not only provides a real resource to employees but also supports an atmosphere of validation.
Finally, organizations need to practice transparency at all levels. How often do feelings of frustration and confusion crop up for you when a new policy is implemented which upsets the normal workflow or makes your task more difficult – and there’s no indication as to why it was enacted? Or perhaps the reasons seem vague or illogical?
One of the first things I learned when I entered the workforce is that my managers almost always had a valid reason for the decisions they made – sometimes I didn’t agree with those reasons, but I often understood and appreciated them. What can be difficult is when organizations grow too large or too busy to spare the time to explain the reasoning for policy shifts or decisions. Companies are a team effort and if only a small percentage of people are on board, the rest are going to get frustrated. This idea of transparency is especially important in InfoSec where real-time dissemination of information can be the difference between staying agile and responding to threats or pulling a Titanic and hitting the iceberg.
An Open Channel: Two-way communication such as Ask Me Anything’s (AMAs) or State of The Union’s with time for questions during or after can be extremely effective in dispelling the fog of war that creeps in during company transition periods or when big (or small) policy changes are announced.
Tending an environment where the people who make up an organization feel valued, understood, and trusted directly counterbalances and often does away with large portions of the bad “burnout” symptoms we display when we get run-down.
For instance, the experience of pouring over firewall logs can evolve from an unappreciated and mind-numbing task to something that’s genuinely seen as appreciated and understood by decision makers. This is how burnout is fought, not simply by targeting pain points (like lack of resources) but with real change on an operational level to shift the focus of an organization to value the feelings of the people make the work possible. It sounds like fluff – but has concrete impact.
Burnout Doesn’t Need an Accomplice
Owning Up: I’ve personally skipped out on some solid rock-climbing or much-needed meditation in the mornings (which I know historically helped me a ton) to just relax or think about upcoming TO-DO’s. At the time of writing, I’m taking a break to go get some tacos and do yoga, so I can put my money where my mouth is before I start the editing process.
A last word – while organizations learn to institute wiser, more human-centric policies, the onus is still on us as individuals to make time and take better care of ourselves. Too often we ignore feelings of burnout, resentment, sleep deprivation, and anxiety and try to focus on our jobs. We imagine that “Once I get done with my current workload, I’ll feel better”. But as we’ve found out, that fundamentally misunderstands how burnout happens.
There is always going to be more work –but if we want to stay in this industry (and stay within an acceptable level of stress) we have got to take the actions that give us the best daily start possible. Here are some science-backed practices we can start doing immediately to pick up our end of the emotional slack.
To hear more from our team, subscribe to our newsletter below.