How to Reduce Burnout in IT Security Teams
Key points to remember
- Burnout is not a self-care issue
- The expectation of working 24/7/365 is unsustainable
- Tools do not solve a human element problem; they can make things worse
- Incident response plans should be updated often; otherwise, breaches can escalate and increase employee stress
- Organizations and managers can reduce individual and team burnout by providing more flexibility, reducing meetings, creating active feedback loops, and respecting boundaries.
In 2020 and 2021, burnout became a popular topic of interest in information security; however, conversations about the widespread issue of burnout existed long before the pandemic. Industry leaders and practitioners have been shouting from the rooftops that our industry needs to take a closer look and create change to allow workers more flexibility and the ability to balance their personal and professional lives.
Instead of just talking about it…let’s actually start tackling the problem. This article serves as a starting point by explaining why burnout exists in InfoSec, why old solutions no longer work, and how to actually reduce team burnout.
Burnout in information security
Burnout occurs when we do not balance our personal and professional lives. Security as a whole operates 24 hours a day, 7 days a week, 365 days a year to protect. In return, we are expected to work at all hours and at any time.
Therefore, it is almost impossible to work within InfoSec without burning out, as one cannot reconcile personal and professional life. Our industry does not allow it.
In turn, industry workers begin to develop additional symptoms if burnout is not addressed, such as depression, anxiety, and/or major physical health risks.
Overall, if we don’t change the structure of our industry, we will continue to have an unhealthy work environment, which in turn reduces our ability to lead a healthy and balanced life.
Burnout among security professionals
There are several reasons that lead to burnout among security professionals:
- The implicit expectation of working around the clock and for longer hours than most industries. Research has shown that executives expect security teams to be available around the clock and work an average of 10 hours more per week than other departments.
- A lack of investment in security services. Usually, unless there is a breach, a company does not invest heavily in security. Security has been viewed as a reactive strategy, as opposed to investing in prevention strategies, which can help a team deal with a breach by reducing the stress of not having invested enough in prevention.
- The lack of personnel in security teams. It can take over three months to hire someone to join a security team. During these three months, other team members do more work than their jobs should require to compensate for the missing team member.
- A lack of knowledge across the company about security, and colleagues with security apathy. It is a recurring problem. Many people don't care about security or invest in it until they experience a breach themselves. When we personally experience it, we don't want to experience it again. It can feel like an invasion of privacy and can have a profound impact on our mental health. Therefore, sharing our personal experiences of a breach can challenge the apathy of others if they are open to self-reflection. It is important that they do so, because all it takes is for a colleague with certain access to click on a malicious link or document. As security professionals, this keeps us awake at night and puts more stress on the job.
- A lack of incident response plans, or plans that are outdated or do not include the latest updates. In turn, the response becomes ad hoc when a breach occurs. About 73% of organizations do not have incident response plans or do not have up-to-date plans. We know a breach will happen at some point, but we don't know when. Knowing that the response will be ad hoc when it happens adds to the stress.
- Recognition and respect. When we don’t recognize the work that our team members do, it can lead to resentment at work. Whenever we don’t feel respected at work or employers don’t respect work boundaries, it stresses us out. If the employer does not recognize or respect the employees, it means there is an unhealthy work environment. Not having a healthy work environment and high stress levels will wear teammates down extremely quickly.
- Gatekeeping. The act of gatekeeping is prevalent in our industry. This produces a lot of stress for those trying to get into a role or stay in a role. It is important that we practice DEI to reduce gatekeeping and elevate our colleagues instead of firing or undervaluing them…otherwise we will continue to have a revolving door problem because of gatekeeping leading to burnout.
Cybersecurity tools and platforms
Usually we throw tools at a human element situation. It’s just a band-aid that can make things much worse than the original problem. Instead of collaborating across teams on how to improve processes and structure, we’ve seen management unable to come up with solutions that work because they lack feedback, so in return they buy more products.
Collaborating across the team on what tools are needed and why helps us build a stronger security team. A stronger team feedback loop allows for better coordination and stronger security plans.
Another reason why too many tools and platforms can lead to burnout is the constant situation of having incident response plans that do not incorporate new tools/platforms or a change in staff. Given that these plans are largely outdated, this remains a fear: a fear that when the breach occurs, the fix will be ad hoc, which is extremely stressful. This fear and stress can contribute to feelings of being overwhelmed and produce burnout.
Work at home
Again, burnout occurs when we don't balance our work and personal lives. When our work and personal lives intersect or blur together, that's when we need to look at our setup.
Working from home allows employees to have more flexibility and focus on their work. It also reduces travel hours.
However, some of us are still trying to separate our professional life from our personal life throughout the pandemic. Think about it. We sometimes take calls in our kitchen or bedroom. The kitchen and the bedroom are personal living spaces and not professional living spaces.
Having a separate workspace helps a lot with balance. But not everyone has this privilege; therefore, the blurring of work and personal life can affect us, and burnout can creep in. However, if you divide part of the room into a workspace and only use that particular place for work, it helps. Finally, no matter what, set work limits, such as turning off work equipment at 6 p.m. during the week and all weekends, and keep those limits in place.
Also, make time for your personal needs in the morning and evening. That means not checking work emails when you wake up and when you go to bed. It means setting specific periods in the morning and afternoon for looking at your device, and not looking at it outside of working hours. Sometimes it helps at the end of the work day to take a walk or exercise, to recognize within yourself that the rest of the day is personal time.
Reduce the risk of burnout
To reduce the risk of burnout, organizations can do five things:
- Hold weekly 1:1 meetings of up to 10-15 minutes with each employee. It’s a chance to be on the same wavelength on projects and priorities. This is not the time to micromanage. This is an opportunity to establish a relationship of trust with your colleague.
- Set a weekly no-meeting day or a fixed no-meeting time block across several days. I recommend a Monday and/or Friday. Wednesday is another possibility.
- If you can, offer one day off per month for everyone to take a break. I know of a few companies that do this and the employees feel valued in their workplace because their employer understands the importance of mental health.
- Host a roundtable with your team to discuss what can be improved in the team and to review incident response tools and plans together. If you collaborate with your team, it brings everyone together and helps build trust between the team and the manager. Additionally, it is a DEI practice and a solid pathway to creating more strategic plans and vision.
- Work across the company to combat security apathy. As stated above, people who are apathetic about security make your security much more difficult and put your security teams at risk.
Overall, it’s wonderful to see organizations taking the initiative to finally recognize the role that mental health plays in the daily lives of employees. More and more professionals are making changes to leave employers who don’t take steps to reduce burnout. Hopefully this article encourages organizations to empower employees to have a more balanced lifestyle.
About the Author
Chloe Messdaghi is an award-winning changemaker who innovates across the technology and information security industries to meet current and future demands by accelerating startups and delivering solutions that enable organizations and people to differentiate themselves from the crowd. She is an international speaker at major information security and technology conferences and events, and serves as a trusted source for journalists and editors. In addition, she is one of Business Insider's 50 Power Players. Outside of work, she is co-founder of Hacking is NOT a Crime and We Open Tech. She spoke about burnout among security professionals at The Diana Initiative 2021.