Karen Worstell did not recognize the first signs of burnout. She had an MS in computer science, two young children, and a three-hour commute. She continued to push herself, even waking up earlier to fit in more exercise. “Finally, my body gave out — and I ended up with mono meningitis and strep and lost the use of my left arm for a year,” she says. “I had had all the warning signs for months and just ignored them because I figured my reserves were limitless and I could push as hard as my misplaced priorities thought I needed to.”
She had another experience with severe burnout driven in part by a company culture that “was like being kicked in the stomach and having my legs swept out from under me.” Worstell eventually left the cybersecurity field to complete a master’s degree in theology and pursue her chaplaincy.
As a part of that experience, she worked with patients and families at the VA, as a community liaison for a hospital, and with patients in the ALICE (Asset Limited Income Constrained Employed) population of Pierce County, Wash. “I realized that the same kind of moral distress, moral injury, trauma, and burnout I saw in the populations I served was also prevalent in the cybersecurity community,” she tells InformationWeek.
Now, Worstell is a senior cybersecurity strategist at cloud computing company VMware. She brings her personal experience and her training back to cybersecurity. “The chaplain doesn’t wait for the soldier to make an appointment in the comfort of a field tent; the chaplain goes to sit with the soldier in the foxhole. Cybersecurity and technology are my foxholes,” she explains.
Worstell’s story is a sobering one for anyone grappling with burnout in the cybersecurity field. Burnout is pervasive, insidious, and it does not come with easy solutions. Worstell and five other cybersecurity leaders share their thoughts on how to manage burnout in cybersecurity teams.
Understanding Cybersecurity and Burnout
In the State of Ransomware Readiness 2022 report from cloud cybersecurity services company Mimecast, a third of survey respondents reported that they are thinking about leaving their role within two years because of stress or burnout.
That is just one survey, but the forces driving cybersecurity burnout are easy to spot. Cybersecurity is a demanding field. Attacks are constant. Threats are always evolving. And the stakes are high. A successful attack can cost enterprises millions of dollars and significant reputational damage. The pressure to protect organizations is often shouldered by understaffed teams who don’t always have ways to recognize or voice their burnout concerns.
Burnout doesn’t just exact a toll on the individuals experiencing it. It hurts enterprises as well. “Burnout presents itself in our field in the same way as it does in any other technical field, with decreased productivity, decreased engagement and initiative, increased conflict in teams and turnover and absenteeism,” Monica Sagrario, cybersecurity and talent leader at professional services company EY, tells InformationWeek.
Preventing and Managing Burnout
1. Take a risk-based approach
No cybersecurity team can eliminate every single threat facing a company, despite the feeling that they must. Robert Hughes, CISO of cybersecurity and digital risk management solutions company RSA, recommends taking a risk-based approach. “You can’t make everything perfect, and you can’t focus on small risks, even if you find something new. Instead of trying to fix something as soon as you find it, take the time to assess it and see how big a deal it is,” he says.
2. Define job roles
Who is responsible for what? If the people on a cybersecurity team don’t know the answer to that question, or they think the answer is “I am responsible for everything,” burnout is a likely consequence.
“Establishing clear roles and responsibilities within teams can also reduce burnout by helping cyber professionals better understand their priorities, areas of accountability, and therefore reduce burnout and ambiguity,” says Sagrario.
Within defined job roles, leadership can evaluate potential process improvements to help cybersecurity professionals stay engaged and feel less burnt out. For example, Sagrario suggests more frequent breaks and rotations for repetitive tasks.
3. Prioritize communication
How can enterprise leadership recognize the signs of burnout in their cybersecurity teams? They can see signs like decreased productivity and high turnover, but there is a way to discover burnout before it gets to that point. Give team members the opportunity to speak up.
Kris Lovejoy, global practice leader of security and resiliency at IT infrastructure company Kyndryl, is “constantly probing, listening, and communicating” with her team. “You can’t fix what you don’t know is broken,” she says.
Phil Quitugua, director of cybersecurity with global technology research and advisory firm ISG, points out that open lines of communication are even more important when many work environments have hybrid and remote team members.
Fostering an environment where people can talk about their workloads and their concerns creates a sense of community and opens the door to potential solutions. “It’s so important to connect with other people going through the same thing,” says Amir Tarighat, CEO of cybersecurity startup Agency. “Hearing about all the challenges they are facing and how they’re dealing with them is incredibly useful from a business perspective but also to feel like you’re not alone.”
4. Encourage boundaries
Healthy boundaries are essential to preventing burnout, but they are not always easy to establish. “Individuals feel that they don’t have a choice over how they prioritize their time and health and don’t have access to the tools and coaching to help them do so effectively,” says Worstell.
Company leadership can give individuals some of the tools necessary to create those boundaries. “Employers can support their cybersecurity teams by providing adequate resources, prioritizing work-life balance, and encouraging professional development and growth,” says Quitugua. “We encourage the team to create boundaries to fulfill their personal lives, taking advantage of flexible schedules to take time off without checking in on what is going on at the office.”
Providing support for mental health can also help team members find necessary balance in their lives. Cybersecurity company Agency provided everyone on its team with subscriptions to the mindfulness and meditation app Headspace, according to Tarighat.
While it can be hard to carve out a healthy balance as an individual, Worstell believes that there is always a choice. She recommends assessing your life beyond the scope of work. “Create juicy, compelling goals that will help you balance how you spend your time,” she says.
5. Leverage technology
Technology can be an effective tool in the fight against burnout. “One of the ways to address burnout in the short-term is to make the technology investments that give you the most value,” says Hughes. He highlights multi-factor authentication (MFA) and going passwordless as two solutions that can cut down on enterprises’ vulnerabilities. AI can also make cybersecurity more effective.
However cybersecurity teams look to address threats, Lovejoy emphasizes the importance of simplicity. “Simplify the workload by understanding the business in such a way that you protect the most critical business services and possibly moving those services to the cloud,” she says. “Embracing simplicity can not only cut costs and increase operational efficiency but also ensure more manageable workloads for cybersecurity professionals.”
6. Evaluate the work culture
Cultural shifts take a lot of time and effort, but they are often essential to addressing cybersecurity burnout, in both leaders and their teams, in the long term. Is cybersecurity a core cultural value? If it is, it becomes a shared responsibility across the entire enterprise. “The most effective cybersecurity investment you’ll ever make is in education and awareness,” says Hughes.
Can leadership and teams talk about burnout? Does a company have a culture of looking for process improvements or a culture of placing blame on employees? Worstell has found that leaders who can practice empathy will build connections with their teams. “Leaders who model it can build highly connected, creative, and innovative teams. They also make a safe place for people who are struggling to get guidance on how to turn things around.”