Cyber Burnout, Tune out

“Burnout is a real concern, not only for security professionals, but for all IT-related talent. Given that enterprises are asking more than ever from their existing technology teams, IT leaders also need to be hyperaware of the need to retain those professionals.”
Christopher M. Steffen, Research Director at Enterprise Management Associates

I’m in countless advisory meetings where the discussion turns to “How do I retain my security staff?” Then the follow-on question, “I’m in need of more security professionals and I can’t hire fast enough. How do we solve the skills gaps and talent shortages we’re facing?”

Which leads to my serious response “Check out Netenrich solutions to modernize your digital operations. We can help.” Soft sales plug aside, the problems are real and focus on the most important factor, your people.

As a security leader and practioner for too many years to count, my concern focuses on frontline IT and security professionals toiling day in and day out, fighting the daily fires with no end at sight. I’ve seen too many instances of job burn-out and high-levels of stress and anxiety among workers – exasperated by IT pressures and remote work demands.

This year’s major ransomware attacks, Solar Winds, Colonial Pipeline and JBS, hit close to home for everyone. More fires to fight. More stress. Less budget and resources on hand to do the job well and resolve issues quickly.

As a security community, we need to prioritize on the care and health of our infosec teams. We’re talking about their mental, physical and emotional well-being. Recent reports cite the following stats which I’m not surprised to hear:

• According to a recent study, 40% of security workers already suffer from PTSD or another mental illness, so when coupled with the stresses of lockdown and a global pandemic, it is more important than ever that mental health support is prioritised within this sector.
• VMware’s 2021 Global Incident Response Threat Report found that 51% of surveyed security professionals experienced extreme stress or burnout over the past 12 months.
• Over half (51%) of cybersecurity professionals are kept up at night by the stress of the job and work challenges, according to CIISec’s 2020/21 State of the Profession report. The survey of 557 security professionals found that stress and burnout have become a major issue during the COVID-19 pandemic. This is partly due to overwork — the study found almost half (47%) of respondents work 41+ hours a week, with some working up to 90.

Job burnout also leads to a sense of complacency and lack of motivation. Both are not good for security nor for the business. Lackadaisical and sloppy practices set up weaknesses across your security operations. It may also create work cultures filled with finger pointing, disagreements and bullying types of behaviors where innovation and collaboration disappear.

“It’s more than monetary incentives or time off to retain IT and security professionals.
Ironically, most security professionals I know would much prefer to have additional help, reduced workloads, and less bureaucratic red tape than additional dollars or title promotions.” 
Christopher M. Steffen

So in my learnings of managing teams, here are some ways to empathize and care for your valuable professionals. It’s time to invest in your people and provide the resources they need to thrive. Their health, their frame of mind and motivation to work is in everyone’s best interests.

1. Ensure senior management exhibits regular care and concern by talking about stress affecting the security industry on a regular basis.
2. Be cognizant of behavior such as cynicism towards management which is indicative of stress and distress.
3. Establish an early warning tracking system to identify symptoms of disengagement and exhaustion in staff.
4. Create a corporate wellness program to promote a balanced work lifestyle.
5. Create incentives for security staff to take advantage of corporate wellness programs.
6. Make certain leadership promotes relationship building with team to provide secure forums in which staff can voice concerns free of retribution.
7. Be cautious of unreasonable security performance metrics on staff such as “no ransomware and no data bleeds” tied to compensation packages.
8. Force staff to utilize vacation time and flex days without being on call and revoke access to systems while staff is on vacation.
9. Invest in security technologies leveraging higher degrees of automation to lessen stress from manually intensive labor.
10. Leadership should consider the rotation of roles involved with threat monitoring to provide downtime and mentoring to other staffers.

Cybersecurity Awareness Month, #BeCyberSmart