Many in cybersecurity view the profession as a calling. Yet that same passion that brought you to your first cybersecurity job could also leave you feeling underappreciated and cause you to slide toward burnout.

The flame of our passion can bring warmth, but without proper handling, it can also consume many of the things we care deeply about, including our own health and our professional careers. Here, I’ll shed light on some of the signs of burnout in technical fields and provide strategies for security professionals to deal with them.

Recognize Burnout as a Condition

In 2019, the World Health Organization (WHO) included burnout as an “occupational phenomenon” in its 11th Revision of the International Classification of Diseases (ICD-11). While this move avoids classifying burnout as a medical condition, the term is now defined as a syndrome resulting from chronic workspace stress characterized by three dimensions:

  1. Depleted energy or exhaustion
  2. An increase in negativity and cynicism regarding the job — a “mental distance” of sorts
  3. A reduction in “professional efficacy”

How common is burnout? A 2018 Gallup study of 7,500 full-time employees in the U.S. reported that 28 percent felt frequent or constant burnout at work, and another 45 percent felt some level of burnout.

The Mayo Clinic even has a web page dedicated to spotting and dealing with burnout. Among the burnout risk factors listed there, several are common to those holding a cybersecurity job: working in a “helping profession,” being subject to a large workload, and identifying “so strongly with work that you lack balance between your work life and your personal life.”

Once we realize that our calling puts us at risk for burnout, we can better equip ourselves and our workplaces to deal with it.

Understand the Slopes of Burnout

To illustrate how both internal and external conditions can bring about burnout, imagine a skier ready to enjoy the rush of a good downhill run. There are countless variables that can influence whether the skier will have a blast or a frustrating experience, and they can be separated into three main areas.

1. The Ski Slope Itself

Think about how recent snowfall or artificial snow has been groomed into the current trail conditions. What is the depth and quality of the snow? Are the trails well-thought-out and clearly marked? While the skier might be expecting the same landscape as yesterday, today’s slope may just feature new dips, moguls and twists.

2. The Skier’s Own Physical and Mental Conditions

Is this the first run of the day? Is the skier fit and in a good mental space? Did the skier suffer a fall on the previous run, with all the accompanying physical and mental strain?

3. The Weather Conditions

Thanks to shifting weather, the same slope can feel different as the day goes on. How warm is it today? Is there a low December sun or a high March sun that will soften the snow? Is it a clear day, or is shade or snow compromising visibility and impairing the skier’s ability to see the path ahead?

Security professionals are the skier in this metaphor. How we experience each workday depends on how the business drivers and threat landscape (the slopes) evolve, how physically and mentally prepared we are for the day’s work (the skier’s condition), and the ups and downs of daily operations (the current weather conditions). Variables that fall into any of these categories — or more likely all three — have probably changed since you began working the job you have now. Recognizing those internal and external changes is a necessary step on the path to reconnecting with the value we derive from our cybersecurity jobs.

Be Honest With Yourself to Move Forward

Burnout happens over months or years, slowly eroding our coping mechanisms like a trickle of water gently carving a groove into a rock. Getting past burnout could also take a while, but a good first step is giving ourselves permission to feel the way we feel about the job, the work environment, the organization and its mission, and ourselves.

People change, and so do job responsibilities, whether due to promotions or scope creep. The aim of an organization can change as well, and the new direction may be out of alignment with your own goals. Ask yourself the following questions, and be sure to consider them honestly:

  • What are you passionate about? Compare when you started your first cybersecurity job to where you are now — has your inner drive changed?
  • Are you leaving yourself enough time and energy to do the work that is deeply important to you?
  • What are the things you care about at your organization? Do you still connect with its mission and vision? Are the business’ objectives and strategies still in line with the stated mission and vision?
  • How does your work align with your department’s security priorities and your organization’s business priorities? Could it be worthwhile to have a discussion with your supervisor about how operations align with security, or a discussion with HR about how security needs align with your personal life?

Identify the Causes of Cybersecurity Job Burnout

After doing some introspection to surface any disconnects between internal motivations and the reality of our workplace conditions, it’s time to look at what causes burnout and how we can balance those factors out. A 2019 article from the Harvard Business Review explores six causes of burnout, which are presented here along with some suggestions on how to remedy the situation.

1. Workload

A high workload once in a while is fine. However, when high workloads become the norm, as is often the case in cybersecurity — for example, due to daily firefighting in the course of incident response — it can take a toll on our ability to cope and recharge for the next battle. While you might have been able to handle such a workload in the past, you may need to communicate that this is no longer sustainable and negotiate a better balance.

2. Perceived Lack of Control

Do you have the autonomy and the ability to make decisions that affect your work? What can you change that would give you more say in how or when you do the work? How can tasks be prioritized so you spend less time working on things that aren’t as important? Are there tools or solutions that could help you work smarter?

3. Reward

Rewards are things that help us feel appreciated as team members. When there’s dissonance between the rewards we expect and the rewards we receive, that mismatch can sap our inner drive. Whether the issue concerns compensation, time off or promotion, you should take time to reflect on whether the rewards still fit your expectations and needs. You could state your concerns through workplace surveys or recommend rewards for those around you to begin building a more generous culture within your organization.

4. Community

How supportive is the environment where you work? Firefighters and law enforcement work in high-stress environments but lean on their strong communities so they can pull through together. If your current workplace doesn’t have a supportive community, can you help change that? Do you see the potential to create a greater sense of community together?

5. Fairness

Being recognized as a valued contributor can go a long way toward maintaining our desire to give everything 110 percent. But if the recognition doesn’t come consistently or fairly, it’s a slippery patch of ice that can easily derail our good run. Communicate with your peers and your supervisor to ensure that quality work gets the attention it deserves across the board and in a fair manner.

6. Values Mismatch

It’s now time to consider once again how our inner values — what drives us and brings us superhuman strength — are aligned with the values practiced by our organizations. Perhaps new leadership brought about changes that have reduced the focus on quality or resilience. Perhaps complacency has slowly crept in to replace the vigor of a younger company.

Is there wiggle room to adjust your own values and drivers so you can become better aligned with the organization’s new approach to business? Can you rekindle your team’s sense of excitement for their work? If not, are the issues tolerable, or are they dealbreakers?

Take a Proactive Approach to Address Burnout

Eight months after the WHO’s announcement about burnout, we’re now more aware of the condition, its symptoms and its root causes. Yet until businesses take on a more proactive role in detecting burnout and correcting any underlying organizational causes, employees will be responsible for monitoring their work-life balance for themselves. To revisit our metaphor from earlier: You may not be able to control all the conditions of your environment, but doing your best to take care of yourself can help you enjoy the slopes.

More from CISO

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

What’s new in the 2023 Cost of a Data Breach report

3 min read - Data breach costs continue to grow, according to new research, reaching a record-high global average of $4.45 million, representing a 15% increase over three years. Costs in the healthcare industry continued to top the charts, as the most expensive industry for the 13th year in a row. Yet as breach costs continue to climb, the research points to new opportunities for containing breach costs. The research, conducted independently by Ponemon Institute and analyzed and published by IBM Security, constitutes the…

Cyber leaders: Stop being your own worst career enemy. Here’s how.

24 min read - Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. We’ve been beating the cyber talent shortage drum for a while now, and with good reason. The vacancy numbers are staggering, with some in the industry reporting as many as 3.5 million unfilled positions as of April 2023 and projecting the disparity between supply and demand will remain until 2025. Perhaps one of the best (and arguably only) ways we can realistically bridge this gap is to…

Poor communication during a data breach can cost you — Here’s how to avoid it

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…