Burnout in Cybersecurity – Can It Be Prevented?

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Burnout is a growing problem that damages people and threatens effective security.

Burnout is likely to worsen in the coming months as the economy forces teams to do more with less at the same time as cybercrime and nation-state attacks are increasing.

But what is burnout? How does it affect you, can you prevent it, and can you recover from it? Any profession, and especially any stressful profession, suffers from burnout; but here we are primarily discussing cybersecurity.

The World Health Organization (WHO) describes burnout as an occupational syndrome: “Burn-out is a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed.” 

The symptoms are exhaustion and mental distancing from the occupation – and the effect is reduced efficacy at work. The question we ask here is whether better stress management could prevent burnout, and whether its early stages can be recognized, its progression halted, and its effects recovered from.

It’s worth mentioning – it’s not just the CISO. Any member of the security team can succumb to burnout.

The view from the coalface

“Our industry is facing unprecedented levels of burnout,” comments Melissa Bischoping, director of endpoint security research at Tanium.

“We face the exceptionally high risk of burnout due to the nature of our work in security,” adds Sounil Yu, CISO at JupiterOne. “Burnout is more common than most realize. Recognizing burnout risks is an important way to be supportive and to let team members know that they are not alone.”

“Cybersecurity professionals are dealing with environments that are ‘active’ 8 by 5 but are under threat 24 by 7,” says Mike Parkin, senior technical engineer at Vulcan Cyber. “Finding the resources to keep the SOC operating after hours can be a challenge.”

Bischoping recognizes the same problem. “It’s not uncommon to hear those in the industry say that holidays and weekends are the most likely time to get a call for a major event, so ensuring that you’ve got the right on-call coverage where needed and you’re balancing that with providing time to recover and prevent burnout is essential.”

Security professionals know about burnout and understand some of the underlying causes. It is usually described as a mental health issue. ‘#burnout’ has more than 12,000 followers on LinkedIn. But still it exists and – if anything – is increasing. It’s time for a closer look at causes and remedies. 

“Mental health encompasses emotional, psychological, and social well-being, influencing cognition, perception, and behavior. It likewise determines how an individual handles stress, interpersonal relationships, and decision-making.” (Wikipedia)

Mental health effectively includes everything that isn’t specifically physical health.

Burnout within the wider business can cause problems — but burnout within the cybersecurity team could lead to a catastrophic cyber compromise. Preventing burnout, especially in the cybersecurity team, is not just an ethical nicety: it is a business necessity.

Cause and effect

Peter Coroneos is founder of Cybermindz.org, a not-for-profit organization dedicated to supporting mental wellbeing within the cyber community. Coroneos accepts that burnout isn’t limited to the cybersecurity profession. “Burnout can ultimately affect anyone in any sector,” he told SecurityWeek. But he added that Cybermindz has identified at least 15 factors which, in combination, make the stresses on cyber teams stand apart from just about every other professional group.

“The combination is both quantitatively and qualitatively unique, which is why we are seeing burnout rates in cyber exceeding those of other professional groups.” He gives two specific examples. “The attack environment is relentless, with no psychological downtime as security teams are never sure when an attack will occur;” and “cyber teams are acutely aware that the downstream effects of a single failure can affect potentially millions of people.”

CISOs are also aware they are the potential scapegoat for security failures. It is rarely the board that is punished for failing to provide the necessary resources, but the CISO is always responsible for failing to achieve the impossible.

The result is a constant demand on adrenaline that is completely out of sync with the biological and psychological purpose of adrenaline. This naturally produced hormone is designed to improve physical and mental performance at the point of stress – immediate and short-term fight or flight. It is not designed for constant use – and consistently high levels of adrenaline, or insufficient time to recover from adrenaline surges, are positively harmful.

“The warning signs of impending burnout are threefold,” says Coroneos: “increasing cynicism or depersonalization (the so called ‘quiet quitting’ phenomenon); emotional depletion; and a loss of sense of professional efficacy (or how well you think you are doing your job).”

He points to Cybermindz research suggesting that the ‘professional efficacy’ indicator is particularly high among cybersecurity teams. “Cyber teams are polling worse than frontline health care workers,” he said. “That metric is a reliable predictor of resignation intent,” which is alarming given the existing skills gap.

Bec McKeown, director of human science at Immersive Labs, points out that burnout can affect the entire security team. “The job role itself doesn’t matter,” she told SecurityWeek. “It’s the situation that you’re in, and if you’re constantly running at capacity, you’re constantly under stress. You’re very busy, your adrenaline is pumping all the time. That is extremely tiring, and is an important part of burnout.”

She cites the Yerkes-Dodson law of performance. It relates performance quality to stress level, and presents as an inverted ‘U’ curve. Boredom can lead to apathy and poor performance, or rust-out – the little-known converse of burnout. Surprisingly, rust-out can also affect certain members of a security team – some routine functions simply need to be repeated over and over again.

Peak performance comes with medium (or manageable) levels of stress. But in times of high anxiety, performance falls. The problem for security teams is that they are required to operate at high performance levels for extended periods of high anxiety; and this can only be achieved with continuously high levels of adrenaline. The physiological purpose of adrenaline – to fuel short-term fight or flight – is replaced by a continuing requirement to fuel psychological stress and anxiety that never stops.

This is unsustainable, and the result is burnout. The primary route is constant stress causing continuous reliance on adrenaline, with little opportunity to recover from the normal adrenaline surge. “It’s that continual pressure from one direction or another, that leads to burnout,” says McKeown. “It’s not just one incident. One incident might be the straw that broke the camel’s back, but for cybersecurity I think it’s a constant – being under fire, under pressure.”

Remedies

The key questions for CISOs and their teams are: ‘can burnout be prevented?’, and ‘can burnout be cured?’ Prevention is always a better option than cure – and it is usually the easiest solution. ‘Cure’ is often too late for the current employment – the victim has burned out and left. The cure is usually a complete rest followed by a different occupation. “It’s more effective to prevent burnout in the first place by building personal resilience than it is to try and mop it up after the event,” says McKeown.

Prevention comes from building resilience. Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress. 

McKeown believes security professionals can help themselves with the Robertson Cooper model of resilience. There are four primary components to this model: confidence in one’s own ability to handle difficult situations; adaptability to changing situations; purposefulness in having a clear sense of purpose, values, drive, and direction; and social support.

For security teams, the last of these is key; the other three are founded upon it. “It means building trust and relationships,” she explained. “When that is successful, you know the support of your team around you. And that is a big component of building resilience against any sort of bad things that can happen – because you know you’re not on your own. You’ve got a team that will support you. They’ve got your back, and you’ve got their back. And that is quite a strong measure of how resilient a team is.”

For the CISO, of course, this goes beyond the immediate security team. A CISO can strengthen his own resilience by building trust and relationships with the business leaders. It enables the difficult questions to be asked and answered before a crisis strikes – and when the crisis does strike, the whole company knows what to do with minimal stress.

Coroneos also stresses the term resilience. “At a personal level, when you are emotionally depleted, you’ve got nothing to give even yourself, much less the people around you that may be suffering. If we can rebuild the emotional resources within the individual and make them feel better and stronger about themselves, they obviously have more to give to those around them. This is the power of building resilience, psychological resilience in teams and wellbeing. It can have a huge morale boosting effect.”

He recommends, and his organization uses, the Integrative Restoration (iRest) protocol developed by Dr Richard Miller. Although based on the ancient tradition of Yoga Nidra, it has been adapted and used in many spheres of modern life. It has had extensive use in the US military for conditions including PTSD, anxiety, depression, insomnia, and pain management. Cybermindz uses it within cybersecurity with the backing of the iRest Institute.

“By showing the individual where the foundation is within themselves, that they can always return to and that is unbreakable,” he explained, “it provides a platform that is separate from the chaos that the individual is contending with. It means that they can step back, take a breath, and know that they’re safe.”

This isn’t just yoga mysticism. “We have neuroscience that shows actual structural changes in the brain as a result of the application of techniques like iRest,” he added; “a reduction of stress induced hyperactive regions and cellular growth in areas corresponding to emotional regulation, insight, perspective taking, interoception (or self-monitoring), and overall calmness.”

Who is responsible for preventing burnout?

Building personal resilience is key to countering burnout – but it’s a complex process (especially within cybersecurity teams), and everyone is responsible for it. One important factor is ensuring that everybody gets adequate downtime to recover from the most recent surge of adrenaline. That’s not just being away from the desk but being away from the stress. 

“It’s important that everyone in my team can take off, and decompress, and come back to work energized and charged,” comments Billy Spears, CISO at Teradata. “For me as a CISO, I’m overly cautious of that. I think that if they’re not saying anything and I’m not seeing people take time off, then burnout and fatigue will be a concern. So, I talk to them a lot about boundaries and making sure they’re taking their time off, and plan in advance and make sure that they get whatever time away that they need. That means away from their computers and their work devices, and they don’t respond to emails or exchanges at night and things like that.”

He also makes sure that he has time off for himself, and he makes sure his team sees him having time off.

But work stress is only part of the stress we all feel – psychosocial stress is another factor. Modern security teams are by design diverse in nature. That means recruiting men and women, people from different cultural backgrounds and religions, LGBT and neurodiverse people – and office-bound and remote home workers. Each of these groups faces different psychosocial pressures that easily turn into stress in the wrong environment. This can add to the daily work stress and increase the likelihood of burnout.

Burnout requires an all-company solution. Senior management should create an open, transparent, and inclusive work environment for everyone, and must be cognizant of the dangers to mental health. Within cybersecurity, much of the responsibility will fall on the CISO, requiring frequent team talks and leading by example. By protecting the team, and practicing what is preached, the CISO will also be protected.

For the business, any cure for burnout will usually be too late. The damage has already been done to the person, and the result will have affected the business. But prevention – or at least minimization – is possible. The key is ensuring a realistic life/work balance for everyone.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
