Five tips to avoid cybersecurity burnout
2020 has been a year of constant and unpredictable change, especially for technology professionals. When the stay-at-home orders were first announced, IT teams were expected to take on several additional responsibilities to accommodate organizational work from home models.
As the pandemic triggered a convergence in roles across tech teams, many IT pros ended up inheriting expanded security responsibilities. In fact, the SolarWinds 2020 IT Trends Report: The Universal Language of IT revealed over two-thirds of tech pros spent at least 10% of their time on IT security management in addition to their core responsibilities. This rise in roles and responsibility—and the added pressure of looking after security functions—has started to lead to a rise in burnout.
When technology professionals aren’t accustomed to a significantly increased focus on security, the added pressure can take its toll. Ransomware attacks and data breaches are just some examples of the added responsibilities generating tension for IT teams with already overwhelming workdays.
Though the new tasks for tech pros aren’t likely to go away anytime soon, there are ways to curb the pressure and find a healthier, safer, and more effective work–life balance.
Here are five tips to help your team avoid burnout:
1. Get outside (your vertical).
Great cybersecurity professionals face a paradox. They’re researching critical new threats and simultaneously helping businesses solve the same rookie issues over and over. This gets old in a hurry when it seems like nobody’s listening. Reach out to peers outside your vertical to learn about the challenges they face. How do dental offices secure their patient data? What’s it like for retail, transportation, government? When it seems like your company or industry isn’t responding to urgency and expertise with success, set aside the specifics of your environment and take a fresh look into wildly different operations. It’s a handy way to restore creativity and make some new friends, too.
2. Educate your enterprise.
What percentage of your time is spent trying to prevent breaches from employee phishing link clicks? How much time do you spend responding and communicating after a breach has occurred? Are these the functions you wanted to perform in cybersecurity? With broad training for everyone on the network, it’s possible to increase security, decrease your reactionary tasks, and make room for SecOps self-care and healing. Technology isn’t the most frustrating aspect of cybersecurity, the human factors are. We don’t burn out because we can’t buy or build tools to help, we burn out because eventually we snap when people keep repeating the same mistakes. CFOs will happily trade the cost of training for the significant potential business loss or damage resulting from a preventable malware click.
3. Push compliance into daily tools, reduce dependency on overlay scanning.
On a typical day, IT operations teams make hundreds or even thousands of infrastructure changes. Tracking, verifying, and reporting on all these changes is an exercise in needle-in-the-haystack sifting. It can be tedious and less helpful because of detection latency. Instead, help your ops team use processes designed to put governance and policy in the tools they use daily for even routine changes. Doing so will decrease errors, simplify compliance, increase real security, and let you get back to your passion for identifying emerging threats and adapting security posture.
4. Learn new tools and reconnect by teaching.
Learn cloud identity and access management (IAM) and find a way to share this knowledge with the entire technology team. It’s more than a chance to take a little time away from the keyboard to refresh—teaching can be a great way to reconnect with people. You’re also likely to get leadership support because cloud is different. A single, common human error in cloud access permissions can land your company on the news. This puts a lot of pressure on the security team, and you’ll sleep better knowing operations isn’t accidentally treating cloud access control like Active Directory® groups.
5. Find a SecOps therapist.
Security continues to get worse not better—despite years of diligence and investment—and this can be a major source of burnout. It’s easy for anyone to feel hopeless when they’re not making headway, and for sharp, security-minded humans, this is a major demotivator. A mentor or trusted colleague can help you accept the contributing factors: more attackers, better attack toolchains, increasing systems complexity, and an expanding attack surface. These aren’t your “fault,” but we tend to internalize them anyway. Someone needs to offer CBST (Cognitive Behavioral Security Therapy), but in the meantime, talking to a non-technologist can help you accept the current situation without giving up.
As we head into 2021, tech teams have earned the right to take a well-deserved break and review their accomplishments this year. As tech pros, you met unprecedented security and infrastructure challenges and literally kept your company running. You sourced IT equipment in the face of sudden shortages, often in creative and transformative ways. You found ways to extend the help desk to support remote users at home. You picked up new skills on the fly and expanded your tool belt. You’ve earned a respite. Take some time to learn what works for you to avoid burnout and then invest in yourself. Your valued experience will be more critical than ever in the years ahead.
