There is one risk cybersecurity experts often overlook: burnout. We can build on threat detection and incident response capabilities and use cybersecurity risk management frameworks, such as NIST CSF, to improve our overall risk posture all we want without ever looking inward. Because burnout is internal, we may not always see it. But left unmanaged, it can be a serious problem for workers.
Walking The Peaks and Valleys of Stress In Cybersecurity Risk Management
The Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) report, The Life and Times of Cybersecurity Professionals 2020, provides insights into the current mood of cybersecurity professionals. Some highlights include:
- The skills shortage is getting worse.
- Career guidance is lacking.
- Many people are competing for the very few leadership positions, which require management and business skills not often possessed by those who focus on technical skills.
- Job happiness and salary concerns.
- Career choices leading to personal issues.
- Threat actors still maintain the upper hand.
In other words, even though your employees surge to meet business demands and become cybersecurity risk management experts for the systems they protect, their baseline for personal stress is pretty high.
Cybersecurity Risk Management: Not Just About Technology
There is a very good case for integrating technological support into your operations. For example, artificial intelligence can assist your staff immensely if implemented correctly. Similarly, a well configured SIEM and SOAR and policies and procedures that balance out security-related responsibilities between users across the enterprises can significantly reduce the time employees need to address alert overload and repetitious menial tasks. These solutions can certainly help during peak times when staff feels as though they are being overwhelmed.
But in the basket of cybersecurity tips, digital tools are only part of the solution because they are not magic wands. And despite the advancements over the last decade, the ESG/ISSA report states the mood hasn’t changed much. But, why?
Cybersecurity Burnout is Real
The World Health Organization and Mayo Clinic have dedicated resources that draw awareness to burnout in the workplace. Within the cybersecurity space, there are some specific issues that could lead to burnout:
- Workload, most notably if it’s constant, such as in incident response
- Perceived lack of control and chance to make decisions
- Reward, or lack thereof
- Team dynamics
- Problems with fairness
- Mismatched values
These are all valid issues. Can we look elsewhere for solutions? Emergency services may be a good place to start.
Addressing Burnout in Emergency Management Sectors
The Federal Emergency Management Agency conducted a research study on firefighter burnout and workplace safety. The findings are revealing and applicable to the cybersecurity field, even though they don’t get talked about as much as other aspects of cybersecurity risk management.
First and foremost, understand the drivers of burnout: exhaustion, distance from co-workers and bitterness toward people and goals being served. These issues have follow-on effects, too, such as poor sleep, feeling zombie-like, avoiding exercise, and in the worst cases, increased use of tobacco, alcohol or even drugs.
In the case of the firefighter burnout study, there were three main findings that could help reduce burnout:
- Place an emphasis on a safety-conscious transformational style of leadership.
- Require team leaders to provide rest and healing while fighting fires, and allow for post-event rest.
- Promote health and wellness goals and a positive safety climate.
Can these findings be applied to cybersecurity staff and reduce the stress endemic in the cybersecurity industry? They can.
Set Your Team Up for Success, Not Cybersecurity Burnout
Make the project as easy as you can. Don’t create bottlenecks, avoid delays, and don’t put your staff in a position where they can become compromised or left out to dry. Remember, your staff will be focused on the cyber incident, meaning they don’t need to be chasing down tasks outside their job description or outside of their strength areas. This demonstrates you have your staff members’ backs.
Post-event rest is critical. The cyber world has a different type of exhaustion: eyes tire, mental acuity drops and minds can wander. Reviewing alerts, forensic evidence and logs on a screen all day does that. Leadership needs to make rest time essential.
Health and wellness mean different things to different people, too. Be mindful that your preferred method to decompress is not necessarily the same as everybody else’s. Give everyone the latitude to rest in the form they feel is best for them. Don’t impose on them, and respect their boundaries.
Emotional Intelligence Skills for Cybersecurity Risk Management
Cybersecurity leaders, this is your opportunity to up your game through communication and/or emotional intelligence improvement by focusing on:
- Self awareness
- Self management
- Social awareness
- Long-term team management
- Valuing people as ends in themselves, not seeing people as means of production
Cybersecurity risk management requires handling resources. This industry has a lot going on at all times: staffing, money, tools, cost, time management and people. Be mindful if somebody needs to tag out by following what they are doing, because there’s always the risk they won’t speak up. And consider flexible work schedules, too. For example, if somebody has been going hard for three weeks, including over the weekend, give them a few days as a break during the week.
Trust your staff. Expertise in this field is hard to come by. They’re part of your team for a reason. So keep in mind, as you are holding them to account and delegating tasks to them, to give them the magic key: authority. Restricting your staff while they are already doing a difficult job will just contribute to the burnout. Letting go of power should not be treated as a zero-sum game if you’re looking to bring out the best in your team.
How Cybersecurity Leadership Can Model Mental Health
Be ready to jump in yourself. I grew up in the restaurant business (an entirely different sort of chaos, not for the faint of heart).
In the basement office, my dad has a sign that said, “work eight hours a day and don’t worry, one day you’ll become the boss and work 24 hours a day and have all the worry.”
Team leaders, be ready to jump in and get your hands dirty. In the restaurant business that meant cooking, serving, washing dishes and mopping floors. In the cybersecurity business, that means getting behind a keyboard, reviewing logs, conducting interviews, reading through forensic evidence and writing reports.
Lastly, one final idea for cybersecurity leaders to help avoid burnout: be the hardest working member of your team by being in the fight with them and showing your passion. It’s more evidence that you have their back when it comes to the mental health side of cybersecurity risk management.
Senior Director, Educator and Author