Whether you are a leader or a practitioner, cybersecurity is a hugely stressful job, and it’s not getting any easier.
Earlier this year research firm Gartner noted that cybersecurity professionals face “unsustainable levels of stress.” The analyst firm predicts that nearly half of cybersecurity leaders will change jobs and 25% will leave the field entirely.
In a field where there is already a talent shortage, such high levels of churn will further thin defenses and leave more cybersecurity pros with even heavier workloads, factors that will negatively impact security posture. It’s a vicious cycle. There’s also anecdotal evidence of suicides in the profession.
Mental Health Among Cybersecurity Leaders and Pros
Because we are at the end of May, which is Mental Health Awareness Month in the U.S., MSSP Alert is taking a deeper look at the topic of stress and burnout among cybersecurity professionals. It’s not a new topic, but it’s not always one that people talk about freely.
Karen Worstell and Rick McElroy of VMware Carbon Black are two of the people who talk about mental health regularly. They’ve both served as chief information security officers, and together they have 55 years of experience in the cybersecurity industry. They’ve both experienced first-hand the toll of mental health stress on themselves and on others in the industry.
McElroy told MSSP Alert:
“The people that day-to-day are defending systems, they are dealing with some really tough stuff. You’ve got folks that are working on critical infrastructure that are aware of how fragile and brittle that infrastructure is on a day-to-day basis. Then, of course, it’s 24/7. It doesn’t stop, and the adversaries hit us on holidays.”
It’s a challenge for individuals, and it’s also a challenge for the security posture of organizations.
Mental Health in Cybersecurity Sometimes a Taboo Topic
“How do we build security programs that have resilience of not just the technology side, but the people side?” McElroy asked. “We all felt it, we all experienced it, and we refuse to allow the next generation to go through that,” he said, explaining that that’s where his commitment to mental health and burnout in the industry has come from.
Worstell, discussing major cybersecurity conferences, explained how DefCon started highlighting the topic of burnout about seven years ago and how it attracted attention:
“I’d been through my own burnout experience by then, so I had a lot of hard-earned perspective, but I kind of thought I was the only one. We weren’t hearing about all the suicides. That’s just in the last 10 years, and it’s gotten more social media attention because it’s become really evident that the problem is severe.”
Cybersecurity Burnout: The Numbers
VMware’s Global Incident Response Threat Report (PDF) for 2022 included results from a survey that showed 51% of cybersecurity professionals experienced symptoms of extreme stress or burnout in the most recent 12 months. Of those, 67% had to take time off work because of it, and 65% considered leaving their jobs altogether.
“People feel like there is no other alternative,” Worstell said. “It feels very black and white. You have to be pedal to the metal in this industry, or you have to get out. One of the things Rick (McElroy) and I try to talk about with a lot of people is how to stay in the game.”
Some people say, “It’s not a sprint; it’s a marathon.” But McElroy says it’s not just a marathon. It’s back-to-back marathons because it never seems to end.
“We are not an inexhaustible resource, and we have to figure out how to be able to get the work done and not burn ourselves out in the process,” Worstell said.
Another issue is that the cybersecurity community itself can be tough on people who show vulnerability, which may be perceived as weakness. It’s not easy to admit you are feeling exhausted or burned out. People suffering from burnout often turn to unhealthy coping methods such as self-medication.
The Definition of Burnout: Is This You?
The World Health Organization (WHO) defines "burnout" as “a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed.” The WHO characterizes three dimensions of burnout:
- Feelings of energy depletion or exhaustion
- Increased mental distance from one’s job, or feelings of negativism or cynicism related to one’s job
- Reduced professional efficacy
Worstell noted a fourth component of burnout:
“We have this environment around us that says don’t talk about this. It’s shameful if you can’t cut it. So people suffer in silence until something really dramatic happens, and that’s taken all kinds of forms over the years.”
The Trouble with Cybersecurity
The field of cybersecurity itself is a challenge to mental health. McElroy asked, “Like why work on a problem if you think it’s never going to get fixed?”
Worstell said that cybersecurity is an asymmetrical problem. Practitioners only need to screw up once for the adversary to get a leg up, and the adversary never stops.
“It’s really easy for people to feel like there’s just no way we’re going to claim this hill,” she said.
How To Avoid Burnout and Help Your Employees Avoid It
McElroy and Worstell recommend a number of steps for organizations to take to help cybersecurity programs thrive and employees avoid burnout, and they aren’t secret formulas. You’ve probably heard of them before.
- Hire enough people to do the work. Some organizations purposely underinvest and shift the burden of time onto a few people who are working heroic efforts.
- Invest in the people in your cybersecurity program. You need them to stay long-term in order to have success.
- Invest in your cybersecurity leaders, too. If you are constantly experiencing turnover in leadership, your strategy will also always be in flux and your team can never gain momentum.
- Talk to your employees about stress and burnout.
- Create a program to manage stress and burnout on your team.
- Look at job rotations among your staff to avoid both burnout and alert fatigue.
- Make sure you are not burning people out with meaningless, repetitive work, such as closing tickets.
- Create a wellness program for your organization.
- Provide education for your organization’s leadership teams on how to have meaningful conversations with people about stress and burnout.
To complete one of her own bucket list items, Worstell trained to be a chaplain and then returned to tech. An important part of that training was empathy. As she explained:
“Empathy is being recognized as a number one leadership skill, but it’s a terrifying skill… You can imagine what technology managers who are concerned about a number of things — including the law for how to treat people in the workplace in an equitable way — will feel about opening their door and saying, ‘I’m here for you, and I’ve got your back.’”