Today, a fellow CISO of mine sent out a flash over our private CISO bat channel (yes, we do have these) saying he was leaving his role and heading off to not “do security” anymore. As I read the note, it struck me that this was not the first time I had seen this same scenario in the past month. I went back through my emails, LinkedIn messages and Twitter feeds, finding a pretty outstanding fact: professionals I know are leaving the infosec profession at an increasingly growing clip.

Having been a CISO now for a few years, I can relate to the occasional challenges. Late nights/weekends, internal stress, board presentations, breaches, media… the list goes on. That said, when looking at the details further, it wasn’t just the head of the group that was departing, but the rank and file members as well. This was rather unexpected.


So, What Gives?

Infosec has solid pay, professionals are in high demand, and everywhere you turn all the media can talk about is the “skills shortage” in the space. With that, I started doing a little of my own research based on friends who have left. What I found drew me back to a part of my life that I had long abandoned – law enforcement. A few years into the job, I had reached a point where I burned out. Working nights, the stress, the constant response to crisis, all contributed to me leaving the position and pursuing a career in tech. Interestingly, many of the reasons I had left the police force seem to translate over to struggles infosec professionals are facing.

This appears to stem from the fact that, in many instances, infosec professionals are somewhat similar to law enforcement officers in that they are “first responders.” They are the front line in protecting organizations, their customers and their communities from cyberattacks. They work late, need to jump in at a moment’s notice to assist, and are sometimes subject to the worst part of humanity. Take for instance the average security operations analyst. They may work a different shift away from their families (i.e. the dreaded midnight shift). They are also under constant pressure to quickly triage tens, if not hundreds, of potential emergencies in a short time span (think about a route car officer responding to call after call). All the while they’re expected to provide great customer service to folks that may not appreciate what they do.

Sounds a lot like my former career.

In the past 10 years or so, there has been a true appreciation of the mental health crisis within the law enforcement community. Recently, the community recognized that folks were leaving at an increased rate and younger folks were not pursuing the career path as commonly. Organizations added grief counselors, mental health stand-by professionals, changes in work patterns/processes, and it appears that the tides may finally be turning.

Are we at that same inflection point within the infosec community? On the surface, I would say we’re close. As a profession, we need to recognize the same signs we have seen in our sister community and get ahead of the problem before it gets worse. We need to leverage many of the concepts that these law enforcement organizations put in place to bring themselves back from the brink.

If we do not act now, the skills shortages we see today will pale in comparison to what we can expect in the future. With the cyber footprint expanding and attackers growing ever more sophisticated, we can’t afford to let this happen. I would submit to you that the “cyber” sphere will be a much different place if we do.