Burnout is a growing problem in many professions, particularly among those in the cybersecurity field. In the coming months, burnout is likely to worsen as the economy forces teams to do more with less at the same time as cybercrime and nation-state attacks are increasing. To better understand burnout, it is important to know what it is, how it affects people, how it can be prevented, and how it can be recovered from.
The World Health Organization (WHO) describes burnout as an occupational syndrome resulting from chronic workplace stress that has not been managed. Symptoms of burnout include exhaustion, mental distancing from the occupation, and reduced efficacy at work. It is not just the CISO who can suffer from burnout, but any member of the security team.
“Cybersecurity professionals are dealing with environments that are ‘active’ 8 by 5 but are under threat 24 by 7,” said Mike Parkin, senior technical engineer at Vulcan Cyber. Bec McKeown, director of human science at Immersive Labs, added, “It’s the situation that you’re in, and if you’re constantly running at capacity, you’re constantly under stress. You’re very busy, your adrenaline is pumping all the time. That is extremely tiring, and is an important part of burnout.”
The warning signs of impending burnout are threefold, according to Peter Coroneos, founder of Cybermindz.org: increasing cynicism or depersonalization, emotional depletion, and a loss of sense of professional efficacy. He pointed out that cyber teams are polling worse than frontline health care workers, and that this metric is a reliable predictor of resignation intent, which is alarming given the existing skills gap.
Preventing burnout, especially in the cybersecurity team, is not just an ethical nicety: it is a business necessity. The primary route is constant stress causing continuous reliance on adrenaline with little opportunity to recover from the normal adrenaline surge, resulting in burnout. Bec McKeown believes that it is more effective to prevent burnout in the first place by building personal resilience than it is to try and mop it up after the event. This can be achieved with the Robertson Cooper model of resilience, which includes four primary components: confidence in one’s own ability to handle difficult situations; adaptability to changing situations; purposefulness in having a clear sense of purpose, values, drive, and direction; and social support.
Security professionals can help themselves by building their own psychological resilience to stress and building trust and relationships with the business leaders. When done correctly, this enables the difficult questions to be asked and answered before a crisis strikes – and when the crisis does strike, the whole company knows what to do with minimal stress. Preventing burnout is the best option, but it is also possible to recover from it with a combination of rest and a different occupation.
Burnout is a growing threat to effective security, with cybersecurity teams facing unique stresses that can lead to burnout. CISOs and their teams should understand the causes and remedies of burnout in order to prevent it. Resilience is key, and can be achieved through building personal resilience, building trust and relationships with the business leaders, and understanding the Robertson Cooper model of resilience. With these strategies, burnout can be prevented and security teams can stay at peak performance even during times of high anxiety.