February 28, 2020 By Christophe Veltsos 5 min read

Many in cybersecurity view the profession as a calling. Yet that same passion that brought you to your first cybersecurity job could also leave you feeling underappreciated and cause you to slide toward burnout.

The flame of our passion can bring warmth, but without proper handling, it can also consume many of the things we care deeply about, including our own health and our professional careers. Here, I’ll shed light on some of the signs of burnout in technical fields and provide strategies for security professionals to deal with them.

Recognize Burnout as a Condition

In 2019, the World Health Organization (WHO) included burnout as an “occupational phenomenon” in its 11th Revision of the International Classification of Diseases (ICD-11). While this move avoids classifying burnout as a medical condition, the term is now defined as a syndrome resulting from chronic workspace stress characterized by three dimensions:

  1. Depleted energy or exhaustion
  2. An increase in negativity and cynicism regarding the job — a “mental distance” of sorts
  3. A reduction in “professional efficacy”

How common is burnout? A 2018 Gallup study of 7,500 full-time employees in the U.S. reported that 28 percent felt frequent or constant burnout at work, and another 45 percent felt some level of burnout.

The Mayo Clinic even has a web page dedicated to spotting and dealing with burnout. Among the burnout risk factors listed there, several are common to those holding a cybersecurity job: working in a “helping profession,” being subject to a large workload, and identifying “so strongly with work that you lack balance between your work life and your personal life.”

Once we realize that our calling puts us at risk for burnout, we can better equip ourselves and our workplaces to deal with it.

Understand the Slopes of Burnout

To illustrate how both internal and external conditions can bring about burnout, imagine a skier ready to enjoy the rush of a good downhill run. There are countless variables that can influence whether the skier will have a blast or a frustrating experience, and they can be separated into three main areas.

1. The Ski Slope Itself

Think about how recent snowfall or artificial snow has been groomed into the current trail conditions. What is the depth and quality of the snow? Are the trails well-thought-out and clearly marked? While the skier might be expecting the same landscape as yesterday, today’s slope may just feature new dips, moguls and twists.

2. The Skier’s Own Physical and Mental Conditions

Is this the first run of the day? Is the skier fit and in a good mental space? Did the skier suffer a fall on the previous run, with all the accompanying physical and mental strain?

3. The Weather Conditions

Thanks to shifting weather, the same slope can feel different as the day goes on. How warm is it today? Is there a low December sun or a high March sun that will soften the snow? Is it a clear day, or is shade or snow compromising visibility and impairing the skier’s ability to see the path ahead?

Security professionals are the skier in this metaphor. How we experience each workday depends on how the business drivers and threat landscape (the slopes) evolve, how physically and mentally prepared we are for the day’s work (the skier’s condition), and the ups and downs of daily operations (the current weather conditions). Variables that fall into any of these categories — or more likely all three — have probably changed since you began working the job you have now. Recognizing those internal and external changes is a necessary step on the path to reconnecting with the value we derive from our cybersecurity jobs.

Be Honest With Yourself to Move Forward

Burnout happens over months or years, slowly eroding our coping mechanisms like a trickle of water gently carving a groove into a rock. Getting past burnout could also take a while, but a good first step is giving ourselves permission to feel the way we feel about the job, the work environment, the organization and its mission, and ourselves.

People change, and so do job responsibilities, whether due to promotions or scope creep. The aim of an organization can change as well, and the new direction may be out of alignment with your own goals. Ask yourself the following questions, and be sure to consider them honestly:

  • What are you passionate about? Compare when you started your first cybersecurity job to where you are now — has your inner drive changed?
  • Are you leaving yourself enough time and energy to do the work that is deeply important to you?
  • What are the things you care about at your organization? Do you still connect with its mission and vision? Are the business’ objectives and strategies still in line with the stated mission and vision?
  • How does your work align with your department’s security priorities and your organization’s business priorities? Could it be worthwhile to have a discussion with your supervisor about how operations align with security, or a discussion with HR about how security needs align with your personal life?

Identify the Causes of Cybersecurity Job Burnout

After doing some introspection to surface any disconnects between internal motivations and the reality of our workplace conditions, it’s time to look at what causes burnout and how we can balance those factors out. A 2019 article from the Harvard Business Review explores six causes of burnout, which are presented here along with some suggestions on how to remedy the situation.

1. Workload

A high workload once in a while is fine. However, when high workloads become the norm, as is often the case in cybersecurity — for example, due to daily firefighting in the course of incident response — it can take a toll on our ability to cope and recharge for the next battle. While you might have been able to handle such a workload in the past, you may need to communicate that this is no longer sustainable and negotiate a better balance.

2. Perceived Lack of Control

Do you have the autonomy and the ability to make decisions that affect your work? What can you change that would give you more say in how or when you do the work? How can tasks be prioritized so you spend less time working on things that aren’t as important? Are there tools or solutions that could help you work smarter?

3. Reward

Rewards are things that help us feel appreciated as team members. When there’s dissonance between the rewards we expect and the rewards we receive, that mismatch can sap our inner drive. Whether the issue concerns compensation, time off or promotion, you should take time to reflect on whether the rewards still fit your expectations and needs. You could state your concerns through workplace surveys or recommend rewards for those around you to begin building a more generous culture within your organization.

4. Community

How supportive is the environment where you work? Firefighters and law enforcement work in high-stress environments but lean on their strong communities so they can pull through together. If your current workplace doesn’t have a supportive community, can you help change that? Do you see the potential to create a greater sense of community together?

5. Fairness

Being recognized as a valued contributor can go a long way toward maintaining our desire to give everything 110 percent. But if the recognition doesn’t come consistently or fairly, it’s a slippery patch of ice that can easily derail our good run. Communicate with your peers and your supervisor to ensure that quality work gets the attention it deserves across the board and in a fair manner.

6. Values Mismatch

It’s now time to consider once again how our inner values — what drives us and brings us superhuman strength — are aligned with the values practiced by our organizations. Perhaps new leadership brought about changes that have reduced the focus on quality or resilience. Perhaps complacency has slowly crept in to replace the vigor of a younger company.

Is there wiggle room to adjust your own values and drivers so you can become better aligned with the organization’s new approach to business? Can you rekindle your team’s sense of excitement for their work? If not, are the issues tolerable, or are they dealbreakers?

Take a Proactive Approach to Address Burnout

Eight months after the WHO’s announcement about burnout, we’re now more aware of the condition, its symptoms and its root causes. Yet until businesses take on a more proactive role in detecting burnout and correcting any underlying organizational causes, employees will be responsible for monitoring their work-life balance for themselves. To revisit our metaphor from earlier: You may not be able to control all the conditions of your environment, but doing your best to take care of yourself can help you enjoy the slopes.

More from CISO

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today