We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
Regardless of the industry we work in or our title and role, the concept of burnout is not a new one. However, it can reach new heights in “high-adversity” industries such as cybersecurity, where individuals are prone to always being on high alert. The phrase “attackers never sleep” rings loudest for security teams constantly wondering when the next cyberattack will strike.
Speaking from my own experience, this state of being “always-on” can impact more than just our mental health. Burnout can permeate all facets of our lives, and it can be challenging to address without the right resources and support in place. Managers need to be able to spot signs of burnout, offer help and resources, and let their teams know it’s okay to not always be okay.
Addressing the skills gap to combat burnout
The business impact of burnout should not be ignored or underestimated. A recent VMware survey of incident responders and security professionals indicates that of the 51% who experienced extreme stress or burnout during the past 12 months, 65% said they have considered leaving their job because of it.
With security teams already spread thin, we can’t afford for more defenders to leave the industry. There’s a looming skills gap of almost 500,000 open security jobs in the U.S. alone, and nearly 60 % of organizations note being impacted by the cybersecurity skills shortage. With most teams finding themselves understaffed, there’s little time allocated for time off duty even if it’s on the heels of mitigating a major attack.
Talking about burnout in the cybersecurity industry without addressing the need to fill these critical jobs would miss a major piece of the puzzle. It’s such an important topic that the White House recently held a meeting with the private sector and requested companies better address the dire talent shortage.
Burnout is common, and ok to talk about
Security leaders must recognize that burnout is a serious issue — not a personal failure — and appropriately address it. To start, learn to recognize the early signs of burnout, like disengagement and cynicism, because burnout is not something that happens all at once. It starts off small and then gradually builds. Ask yourself, is a once attention-prone employee now making careless errors and mistakes?
Because our emotional and physical states are completely intertwined, frequent sick days could be another sign someone on the security team is feeling burnt out. It’s important that managers recognize burnout as a hazard that comes with the job, not a personal fault or weakness. The responsibility is on a company’s leadership to create a space where employees feel safe to express concerns and ask for help.
Look for opportunities to invest in your security team’s wellbeing. Resilience training workshops are a great option, as are inclusive social events. Many organizations also now offer wellbeing and coaching programs that can serve as another resource to help manage burnout. Leading by example sends the message to security teams that despite the high frequency of attacks, it’s ok to slow down and unplug.
Empowering security teams
Self-care and empathy are incredibly important, but the third leg of the stool to prevent burnout is empowerment. The only way the security industry can retain its existing workforce and attract future talent is to better empower security teams to take charge, work smarter, and achieve a feeling of accomplishment. This comes with improving processes, automation, and baselining the environment.
For example, a cloud-first strategy is only as good as the training that’s provided to systems engineers, operations staff, and the end users who will be leveraging it. Organizations should pace the implementation of innovative technology to match the available talent. There’s also an opportunity for security leaders to use the security operations center (SOC) as a learning assignment to teach those working in the SOC how to better manage stress when responding to security incidents. In addition to a “post-mortem” assessment following an intense security incident, arrange for a stress assessment so that the team can improve their awareness.
As the industry works to close the security skills gap, we must ensure that today’s defenders have the resources and support they need to actively prevent burnout. This begins with changing the stigma associated with it, valuing wellbeing, and empowering security teams to better protect their own health and the health of their companies.
Karen Worstell is a Senior Cybersecurity Strategist at VMware, where she advises customers, partners, and the security industry at large based on her more than 25 years of technology thought leadership. She has previously worked as a CISO for brands such as Russell Investments, Microsoft, and AT&T Wireless, and has served in roles at NIST, Aerospace Industries Association, US Department of Commerce Computer Systems Security and Privacy Advisory Board, and other organizations. She is passionate about improving representation and equity for women in the tech workforce and has spoken internationally about how organizations can retain their female brain trust.
Welcome to the VentureBeat community!
DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.
If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data tech, join us at DataDecisionMakers.
You might even consider contributing an article of your own!