Seventy-seven percent of U.S. corporate employees have experienced burnout at their current job, according to Deloitte's Workplace Burnout Survey. In the same survey, almost 70% of professionals said their employers were not doing enough to prevent or alleviate burnout.
It's no surprise that information security professionals — tasked with preventing hundreds of attacks — also suffer from burnout. In fact, a study found that most burnout-prone technology firms had numbers higher than 70%, and a high percentage of these professionals have considered quitting their jobs due to stress.
Here, David Bradbury, Chief Security Officer at Okta, who has built an international reputation for leading both cyber and physical security programs, explains how hiring globally can help reduce the burden on security employees that are already overworked.
Security: What is your background? What are your current responsibilities as chief security officer (CSO) at Okta?
Bradbury: I have spent my career leading security teams in my native Australia, the United Kingdom, and the United States at some of the world’s largest banks and software companies, including Barclays and Symantec. Currently, I am the CSO at Okta, where I lead the overall security execution for the organization. My team is responsible for navigating the evolving threat landscape to best protect employees and customers. In addition, I play a role in helping Okta’s users continue to adopt and accelerate Zero Trust security strategies. I was excited to join the Okta team last year. Identity has always been an integral consideration in my previous roles, and I see it as a critical factor in accelerating the growth of all companies.
Security: Are security teams suffering extreme burnout?
Bradbury: Burnout is a pressing issue — especially for cybersecurity teams. Recorded Future estimate that 65,000 ransomware attacks occurred last year just as a huge portion of our workforce transitioned to remote work. Other studies suggest that 51% of cybersecurity professionals have experienced extreme stress burnout over the last 12 months, and 65% said they have even considered leaving their jobs. Data from the use of the Okta platform shows that among users, there has been a 5-7% increase in logins between 10 p.m. and 6 a.m. The data paints a clear picture of a profession needing clear solutions and protocols to reduce some of the intense stress practitioners face. On a more macro level, the race for talent and the volume of unfilled cybersecurity jobs exacerbates that burnout and leaves businesses and organizations more vulnerable to attacks. President Biden recently cited cybersecurity as a ‘core national security challenge,’ so sourcing, training and retaining cybersecurity professionals is poised to continue as a top priority for the tech industry.
Security: How can hiring globally help alleviate some burnout?
Bradbury: Considering both the risks of burnout and the hiring challenges we face in cybersecurity, it’s important to look beyond traditional approaches to recruitment and seek out pockets of talent that have been underutilized. One of the handfuls of approaches that have worked well for Okta is hiring globally, as that expands the available talent pool and brings in diverse perspectives and skillsets that can tackle the increasingly nuanced and complex attacks we’re seeing emerge. Attackers don’t honor U.S. working hours, so it’s wise to employ detection and response teams that span every time zone. Timely handoffs ensure that these operational teams are fully functioning around the clock. It also ensures that people don’t feel like they are working alone on complex issues.
So, for example, a complex event that requires an immediate response halfway through the working day in APAC might be handed off to colleagues in Europe that evening and onto teams on either side of the U.S. This fosters some operational discipline around documenting and presenting findings to others, and the whole process benefits from the unique skills and experience of everyone involved. Problems are addressed collectively rather than in isolation.
Security: How can hiring globally, in general, give security teams a leg up?
Bradbury: By shifting away from hiring in one or two core locations, we’ve been able to tap into a broader set of backgrounds and perspectives on what good security looks like. Taking a remote-first approach to workforce planning allows us to hire the best people, no matter where they live, which has boosted our ranks with a wealth of talent and enthusiasm. It’s helped us connect with communities of talented security professionals from Australia, Canada, Argentina, Germany and Sweden, to name a few. Strong security talent can choose where they want to work: very often, the deciding factor is knowing that other capable practitioners are already employed there. This leads to a “clustering effect” in multiple regions.
Security: From your own experience in leading global teams, what tips do you have on avoiding job burnout?
Bradbury: There are a few things I try to keep in mind to avoid burnout and keep the team functioning at their highest level:
■ Strategic Alignment: Be transparent with staff about overarching strategy, so your team feels a shared sense of purpose and can link their individual work to larger organizational priorities.
■ Recognition: Schedule a time and make a concerted effort to recognize the efforts of team members, whether they be great outcomes or even just demonstrations of positive behaviors. Everyone needs and wants to know that their contributions are valued. In security, it’s often difficult to fully appreciate the impacts you are making: we don’t tend to celebrate the absence of an incident or a vulnerability or how much faster or effectively we’re handling them. We need to be proactive about it.
■ Listen and Learn:
- Take an anonymous pulse on how staff feel about their work and address what’s in your power to change as earnestly as possible.
- Remember that burnout can be attributed to things as varied as the stress associated with lockdowns, the frequency of high-impact security events and competing interests between businesses and stakeholders.
- Make sure you have a good understanding of what’s causing stress before you take steps to address it.