Cybersecurity Burnout: What it Is, Why It Matters, and What to Do About It
About a decade ago, I left my VP of Risk Management role at AT&T Wireless following a grueling merger project.
I took a two-week vacation, and I started my new job at Microsoft as their Chief Information Security Officer (CISO). But my assimilation into the Microsoft culture was rocky, and the stress was excruciating. One sleepless night I clearly heard a voice telling me I was a fake and a fraud. The episode startled me into making an appointment with a psychiatrist the very next day. After a thorough exam the doctor reassured me, “Karen, there is absolutely nothing wrong with you. You are probably sleep deprived, but you are completely healthy.” He then handed me three prescriptions and said, “Welcome to Microsoft. You have no idea how many of your colleagues I see here.”
I resigned five months later.
My story has a happy ending. I continued in my career, informed by my frightening experience but not totaled by it. I’ve since met so many people who are going through what I did, keeping it to themselves, and soldiering on, often at great cost to their own health and the health of their companies.
This article is about burnout: causes, how to identify it, what can be done to prevent it, and what to do if you are already there.
Is Burnout Real?
Burnout is a term that people have used and overused for decades, both in and out of the workforce. The dictionary describes it as ”physical or mental collapse caused by overwork or stress.”
Lately, it’s become a breezy euphemism or catch-all excuse for why a promising professional left a job or exited an industry.
“Sarah was doing so well. Why did she quit?”
“I don’t know; I guess she just burned out.”
The underlying message is, she just couldn’t handle the pressure. She wasn’t up to the job. In other words, it’s a personal failing, not a systemic one.
That’s kind of like saying when you drive your car across the desert without oil until the engine fails, it was manufacturer’s fault.
Burnout is a serious problem across many industries, but it reaches crisis proportions in what’s known as “high-adversity” ones like cybersecurity, where mistakes are costly, every task is mission-critical, and hyper-vigilance is everyone’s default state.
We who work in the industry are professionals who are ultra-sensitized to all the myriad things that can go wrong, constantly wondering when the next security breach or malware will strike, in a computing environment that couldn’t possibly have sufficient resources to make it 100% “hacker proof.” There is precious little mental “time off-duty.”
Cybersecurity professionals tend to take our work very seriously, even personally. This becomes detrimental when we are so focused at defending the mother ship we forget to keep things in proper perspective. Believe it or not, this kind of focus accumulates over time so that our body shifts into a sort of trauma response. We start to have a hard time seeing what’s good around us because our lens is in a hyper-vigilant state of disaster readiness.
This intensity gets dialed up by occupational hazards that come with the cyber-territory such as:
• Chronic insufficient funding to address security gaps that could lead to malware and breaches;
• Chronic talent shortage leads to a sense that even working 24×7 means it will never be enough
• Lack of authority to do what needs to be done;
• A sense that one’s voice would not be heard either due to lack of confidence or the absence of a channel to communicate security risk to the right levels of management
Many cybersecurity pros I’ve talked to and worked with tell a shockingly similar story: management routinely spreads resources too thin, and expecting too few people to do too much with too little. It’s like a football coach taking ten players off the team and expecting one player to carry the ball into the end zone. Naturally, there will be problems.
The well-known breaches at Equifax, JP Morgan Chase, Anthem, Target, and Home Depot were not cases of incompetence, but of basic operational processes breaking down. We know that when burnout is looming, attention to detail and routine suffers. Major breaches could well be one of the hidden costs of burnout in the cybersecurity/IT space.
Cybersecurity’s dirty little secret
Burnout is a silent adversary because those who need help the most are the ones who least want to talk about it. No one wants to appear weak or “unfit for duty,” or to be demoted to a less challenging job. And because everyone suffers in silence, everyone at risk for burnout believes they must be the only one.
I recently gave a keynote address about the problem of burnout in the cybersecurity space. My reception during the talk was positive enough, but what astonished me was what happened after. Audience members approached me, some furtively, many with tears in their eyes, a few even stopped me in the ladies room, to admit that yes, they were at the end of their ropes. They were so relieved that my talk had shown them it was an industry-wide issue, and not something wrong with them.
Why managers should care about burnout
Of course, burnout has human costs. It also has massive financial ones.
Turnover: Even though it’s widespread and chronic, burnout is still the metaphorical 800 lb gorilla in the room that no one takes seriously, while at the same time it’s causing valuable professionals to leave the cybersecurity workforce in droves. With the current and growing talent shortage, the industry (see our last article) cannot afford to lose more highly trained cybersecurity pros.
In today’s tight job market, even the most dedicated employees won’t put up with a job they hate, because they don’t have to. Millennials especially expect purpose and a chance to be heard in their companies, and they’ll eventually vote with their feet, either to leave your company or the industry entirely. Today it’s easier than ever for employees to quit the rat race and go out on their own, so employers face that “competition” for talent as well.
Not only is the loss of talent an immediate brain drain to the organization, replacing lost talent costs a scary amount of time and money. According to the Harvard Business Review, it typically takes about eight months for one new employee to reach full productivity, and in IT Security, with its specialized technology and regulations, the ramp-up is even longer.
And if you run a cybersecurity sweatshop, don’t expect that info to remain private. Today, unhappy employees can make their voices heard on social media and review sites like Glassdoor, making it even harder to attract new talent.
Performance declines: Ironically, the overwhelm, exhaustion and loss of concentration that happen when your employees work 24/7 to avoid a breach, are a perfect recipe to allow those breaches to happen. Plus, with resources spread thin, managers are more likely to cut corners on compliance procedures, just to keep their heads above water.
Even if no disastrous event or PR debacle takes place, cultures that foster burnout suffer from chronic slow performance, disengagement, and “presenteeism” — which some studies suggest costs companies ten times more than absenteeism, to the tune of $150 B per year.
What leaders can do to spot, prevent and fix burnout
The stress inherent in the cybersecurity field is never going to go away. Given that hypervigilance and the high cost of mistakes are baked into the job, what can managers do to help their teams, beyond the rubber-stamp response of referring them to employee assistance programs (EAP)?
Recognize the signs of burnout: Burnout doesn’t happen all at once. There are telltale warning signs like disengagement and cynicism, before outright exhaustion sets in. Are you seeing these crop up in your company?
Make it OK to not be OK: Make sure that your employees know that if they experiencing burnout, it’s not going to be seen as a fault or weakness, but as a hazard that comes with the job. Let them know it’s safe to express their concerns about what’s going on with them and in the workplace. This gives you a chance to head off the problem before your best people head out the door.
Understand what really helps: Employee Assistance Programs are OK but they only go so far. Show your people you empathize and care about them by investing in their well being. You can bring in resilience training workshops that will give them the tools to better handle the stressors that come with the job. You can also plan inclusive social events that make everyone feel valued. Most of all, you can listen, and make all your people understand that their work has a purpose and their contribution and input are valued.
Slow is Smooth and Smooth is Fast: In a world of “do more with less” and “faster, better, cheaper, friendlier” it is far too easy to be seduced in a 24×7 scarcity mindset. The prevailing belief system is that working harder and faster than anyone thinks is humanly possible is a badge of honor. Watch for language like, “I didn’t even get to bed last night but we got the code into QA” especially when that kind of banter shifts into a one-up competition. The Navy Seals know a thing or two about this. Show your team it is essential to learn how slow down and take enough time to be able to think things through – because it is good for them, and in the end, things will actually run more smoothly and effectively.
What if you’re the one experiencing burnout?
Cybersecurity pros spend their lives protecting others, and we often forget to keep an eye on our own well-being. You won’t be effective in your own job performance or in leading and influencing others if you’re burned out. Your mood is contagious, so it’s the farthest thing from selfish to engage in necessary self-care and cultivate your own resilience.
You may be on the verge of burnout if you notice any or all of these symptoms:
• Chronic fatigue: feeling physically and emotionally depleted, and waking up dreading the day.
• Insomnia: as exhausted as you are, you still can’t sleep.
• Forgetfulness or impaired concentration and attention.
• Physical symptoms that can include chest pain, heart palpitations, shortness of breath, gastrointestinal pain, dizziness, fainting, and/or headaches (be sure to seek medical help for any of these if chronic).
• Getting sick more often. With your immune system becomes weakened, you’re more vulnerable to infections, colds, flu, and more.
• Loss of appetite and weight loss
• Anxiety and/or Depression.
• Anger. You’re irritable and your fuse is only getting shorter.
Your emotional and physical state are completely intertwined and the net effect is something great management coaches like Tony Robbins calls “State.” Your state is a combination of your language, your focus, and your physiology. We teach specific techniques in our leadership development program (MOJO Maker), and here are a few suggestions I invite you to try:
Be mindful of the words you use. Instead of saying something like “I’m insanely busy! This is bananas!” it makes a world of difference to say “We’ve got so much opportunity ahead of us,” and do it with a truly positive point of view. Remember that big problems are the set up for huge wins. It isn’t a matter of, “We can’t do this,” it is a matter of “what will it take for us to succeed?”
Your focus. Do you dwell on the problems? It is common to believe you can’t take your eye off the ball and that is true for air traffic controllers on duty. Stephen Covey’s 7 Habits of Highly Successful People includes this habit: sharpen the saw. You can’t keep up sawing down trees if your saw gets dull. Take a break. Remember this: Slow is smooth and smooth is fast.
Your physiology. At Microsoft, even with a world-class company gym nearby, it was tough for people to take care of their physical body. There are all kinds of reminder apps to breathe, drink water, not slouch, etc. and just as many ways to ignore them. This is something you have to take seriously to stay in the game for the long haul. My favorite hack for improving my physiological state is a yoga breathing app (called Pranayama) to take a “breath break” in my office a couple of times a day and when I’m trying to fall asleep at night.
If you are the one who is already “so done with this” I invite you to believe that the problem is not you. You are not broken. There is nothing with you that needs “fixing.” This is a perfect time to invest in yourself – to find a coach or a program that will give you new perspectives and ways of handling adversity. You have encountered a major threshold in your career – and even if you back away like I did and feel that you’re failing, you have the opportunity right now to learn from this “fail” in a way that prepares you to succeed in the rest of your career. Remember always to fail “up.” That starts with you taking the next step and reaching out.
As cybersecurity professionals and leaders we must stop denying or dismissing burnout as not a real problem, and expecting people (including ourselves) to just “suck it up.” It’s causing too much suffering, too many mistakes, and costing our industry too many great people. These suggestions above are battle-tested. With awareness, empathy, and belief in a healthier more inclusive culture, we’ll all do well — all the better to keep the world’s data safer.
This series is the collaborative work of Karen Worstell, CEO of W Risk Group and founder of MOJO Maker for Women in Tech and Elaine Marino, CEO of Equili and founder of LadyCoders. We’re using our combined decades of experience as women leaders in Tech to bring you actionable, executive level strategies that you can use to build, develop, and retain your talent in an intentional way that contributes directly to your bottom line AND advances your company capacity for innovation and increase productivity. That’s what our initiative “Better Together” for RSA® Conference 2019 is all about. Follow us online, and let us hear from you! Learn more at www.karenworstell.com/rsac or engage with us on Twitter at @karenworstell.
Find more information about the RSA® Conference 2019 or to share the shorter blog published by RSAC click here