Hacking burnout: Addressing stress among security professionals

Over the past 18 months, a bright spotlight has been cast upon the increasing levels of burnout across every industry. This is inherently true for the cybersecurity industry, but unfortunately, the feeling of burnout is nothing new to security professionals.

For the past 24 years, I have firsthand seen the impacts of burnout among my teams as a security leader and former chief information security officer (CISO). I have experienced burnout myself too. All too often, CISOs feel they need to push their personal limits at work, at the expense of their mental, physical and emotional health. Major cyberattacks like those recently affecting Colonial Pipeline and JBS not only have a lasting effect on the general public but also on the defenders that are fighting to prevent and mitigate them. In fact, VMware’s 2021 Global Incident Response Threat Report found that 51% of surveyed security professionals experienced extreme stress or burnout over the past 12 months.

One of the most concerning and ongoing causes of burnout is the talent shortage within the cybersecurity industry. During a cybersecurity summit recently held by the Biden Administration, the industry’s talent shortage was brought to light as there are currently 500,000 open cybersecurity roles across the country. This leaves organizations vulnerable to cyberattacks, leading to major disruptions for millions of citizens. As we continue to see an increase in cyberattacks due to the largely anywhere-work environment, many factors contribute to cyber professionals’ burnout. Let’s explore these further and what managers can do to help prevent burnout across their teams.

The build-up to burnout

The shift to anywhere-work due to the pandemic changed the way many companies operated almost overnight. The migration to the cloud-accelerated while business communication platforms and other workforce tools became synonymous with productivity. While these moves were imperative for businesses and employees to remain operational, they also gave cybercriminals a number of new avenues to launch sophisticated attacks.

As a result, defenders were forced to react quickly, ensuring that these new tools were properly protected across all endpoints while also attempting to gain visibility into new environments such as the cloud and containers. This process proved to be exhausting for defenders despite their best efforts. In the same VMware report, 65% of cyber professionals said they have considered leaving their job because of this added stress.

Four steps for hacking burnout

Because security talent is so valuable, it is crucial for security leaders to encourage their teams to nurture their mental health and personal development. Right now, many individuals are burning the candle at both ends, and it’s impacting not only their ability to do their own jobs well but also their physical well-being. Managers need to find ways to support their teams and guide them through a career in infosec. Here are four tips managers can implement to increase resilience and boost morale for their teams while preventing burnout:

Encourage PTO or mental health days: Time away from screens, and work stress can be vital in preventing burnout. It’s more important than ever that leaders take proactive measures to ensure their teams are not only productive but healthy and able to withstand the stresses of the job.
Consider rotations of work or flexible work hours: This gives teams the flexibility to work when convenient for them and unplug when needed.
Adopt nonstandard working activities: Walking meetings and mindfulness training are two great examples of practices that help employees focus on their mental and physical health while at work.
Take time to operationalize: On the technical side, giving teams the time to operationalize a piece of technology before implementing a new one can significantly reduce confusion and stress among team members, ensuring everyone is on the same page.

As the impact of COVID-19 continues to be felt in cyberspace, adversaries are exposing new platforms’ vulnerabilities, weaponizing new technologies such as deepfakes, and delivering attacks that are more targeted than ever before. In order to stay one step ahead of attackers, the industry must combat burnout across security teams by prioritizing their well-being. For security leaders, the focus must remain on building resilient, cyber-vigilant teams that can proactively detect, prevent, mitigate and remediate these malicious attacks.

Rick McElroy, Principal Cybersecurity Strategist for VMware, has 24 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. He has held security positions with the U.S. Department of Defense, and in several industries including retail, insurance, entertainment, cloud computing and higher education. McElroy’s experience ranges from performing penetration testing to building and leading security programs. McElroy is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CSIM), Certified in Risk and Information Systems Control (CRISC) and Certified in Cloud Security Knowledge (CCSK). As a United States Marine, McElroy’s work included physical security and counterterrorism services. His current role takes him all over the world working with organizations to improve their security strategies and speaking on security and privacy.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.