Burnout In InfoSec: An Epidemic We Need To Talk About
Photo by Tim Gouw on Unsplash. Article body photo by Sebastian Herrmann on Unsplash

I’ve seen it claim more than enough victims throughout my career. Some of the top performers in the industry have been consumed by it, yet few speak about it. Yes, there is a silent epidemic within the information security industry that is impacting performance, claiming careers and even lives, and may very well be sweeping through your SOC unnoticed – employee burnout. This isn’t mere conjecture on my part. The phenomenon has been so acute that in recent years a few initiatives have been created, with perhaps the most prominent one being helmed by the iconic Jack Daniel. I recently spoke with him and a few others involved in the effort to address this issue, to find out what, if anything, has changed in the industry, and what managers and fellow InfoSec practitioners can do to identify and address burnout, not only in themselves, but in their peers.

Getting ahold of Jack was itself an adventure, as never-ending meetings and incidents at both his work and mine kept pushing our call out further and further. “We may be getting some insight into stress just trying to schedule this,” he texted.

He’s not far from the truth. Most security teams are having to get more done with fewer resources these days as companies begin to tighten their belts. That, combined with the never-ending flow of patching, risk assessments, responding to incidents, and the other fine minutiae that constantly fill our calendars, can make for the perfect burnout storm.

Several years ago, Jack and some others did a survey of the community to address the issue. They sent out a questionnaire and got 128 respondents for the industry’s first “Infosec Burnout Inventory” (www.secburnout.org). The results were not promising. The vast majority of people surveyed showed some sort of career or mental exhaustion, and even people still in their 20s were fighting stress and were on the verge of dropping out of the industry. Indeed, some did. So what is it about our industry that predisposes us to such a high incidence of stress and fatigue?

From the results of the study some patterns rapidly became apparent. One of the top offenders was that many felt a combination of low personal efficacy mixed with high cynicism. This shouldn’t surprise anyone who works in information security. How many times have you raised a red flag about security issues, only to be told it’s a business decision to accept the risk, or “we’ll fix it in the next release,” or “it’s not in scope”? It’s easy to see how a person can not only feel disempowered, but feel that they have no control. “Personal efficacy is an important shield against cynicism and burnout,” Jack muses. “You need to feel you are doing a good job. I see it often. A team is busting their butts and feel like they are making a difference, making progress. They may be working long hours, getting tired, but it’s a good exhaustion. Then a major incident happens and the team feel as if all the effort they put in wasn’t successful. Your feeling of personal efficacy vanishes, and now your good exhaustion collapses into bad. That’s a huge head start into burnout.”

For others, the solitary nature of our work can be a big contributor to the problem: not only do warning signs go undetected by others, but the opportunity to reach out to teammates for support may not be present. Remote workers are especially vulnerable, sometimes going days without ever speaking to other members of the team. Even those who work in offices with teams are often hunkered down at a terminal, slaving away on individual tasks that don’t require much interaction with others. Add into the mix the (sadly clichéd yet accurate) loner-hacker personality type that many in the industry have, and you have many people who aren’t used to reaching out to others for help.

Another key factor in the burnout phenomenon is the ever-changing technical side of information security. Another member of the SecBurnout group, Gal Shpantzer, put it best. “It’s a treadmill that keeps getting faster. All these new tech stacks come about that companies adopt that you need to learn, then you need to learn how to defend them. The old systems don’t go away – you need to keep protecting those, as new stacks are added to the pile. We still see RDP getting popped.” This ever-growing mountain of responsibility can easily become unmanageable. “On one hand you’re trying to stay ahead of the latest greatest, stay on top of what the blue team is doing, implementing, operating that properly, while trying to keep on top of what the IT group is doing. You’re also dependent on what other people are doing, and that can be a huge stressor. A simple misconfiguration can cause an open port or an open S3 bucket, and then you get pwned.”

Gal also points out that new business processes add to the workload and the stress as well. Now we have auditing requirements, new legal and compliance frameworks, and data privacy and data residency issues, many of which are specific to different geographic areas. Just keeping track of these requirements can be a full-time job, never mind actually doing the work to address them. It can be exhausting.

The constant threat of getting pwned is another major contributor to burnout and stress, and Gal points to it as a critical one. “The thought of getting pwned, or the threat of the imminent occurrence of being hacked is really grinding. If you’re a doctor you actually have a metric on how well you’ve done. Did the patient live or die? Did the ailment go away? In InfoSec we don’t have that feedback. You might already be pwned and have no idea. For the most part you really don’t know if you’ve done it right – it can be super terrifying. The constant terror of ‘when is the really bad thing going to happen’ can wear you down. And we take it personally. We are the defenders, and we’re not just paranoid. We actually have people coming after us – all the time. That’s not easy to manage for a lot of people.”

Beyond that, being the defenders can itself be a stressor. Security is the speed bump; we’re the ones who slow IT and Dev teams down with our added security requirements. As a result, security teams aren’t usually loved by many in most organizations.

So what should you do when you recognize that you are experiencing too much stress and are on the path to burnout? First, take care of yourself. When you start to feel overwhelmed, seek counseling from a competent professional (not friends). Unfortunately, the SecBurnout study showed this was exceedingly rare. One reason is that if you have a security clearance, talking to a psychiatrist or psychologist can potentially cause issues. The reality is that your mental wellbeing is more important than a clearance (and let’s face it, there are TONS of security jobs out there).

Professional help aside, lean on your peer group – as long as you have supportive people who don’t pretend they are professionals. Make sure it’s a give-and-take deal; one-way relationships can become toxic. “You need to pay attention to who’s leaning on me and how and why,” says Jack. He stresses that it’s important not to become a sponge for everyone else’s problems. “Empathy is an amazing gift and a horrible burden.”

Avoid leaning on drugs and alcohol as a crutch. “A lot of us drink too much,” says Jack. “We’ve made some progress in the past couple of years. Now we feel bad about the amount we drink, whereas a few years ago we thought it was funny. It’s progress but still not great.”

Physical exercise can be extremely helpful in burning off stress. Even getting up from your desk and walking outside for a bit to clear your head can help a lot. It’s also important to have a life outside of security. Don’t let your downtime be focused on the computer as well. “Make sure you do something – anything,” says Jack. “Go to the gym, hike, camp, have pets, play music – have an outlet.”

Another important preventive measure is not to “take it personally.” You can only do so much. You can make recommendations that go up the chain, but if executives decide to accept the risk and ignore your suggestions, that’s on them.

If you don’t believe burnout in InfoSec is a problem, mull this over: despite the initial great progress the SecBurnout initiative made, eventually the group fell apart. Why? The members, by their own admission, burned out. They didn’t have the cycles to keep it going, and the emotional drain of trying to support others also took a mental toll on many of its members. And so it goes.

Burnout is common in many IT teams. I've witnessed a fair few over the years. All of them in the infrastructure space.

Matthew W.

IT Security Evangelist! | non-profit vCISO | Incident Response Commander | Ransomware SME | Security Strategy Consultant

3y

This is so true. I had to take a 4-year break from the industry after 10 years of professional office work followed by 4 years of intensive ITSec work in Iraq/AFG.

Woodrie Burich

Executive Coach, Consultant & TEDx Speaker |Founder/CEO @ The Integration Group | Work Boundaries | Energy. Choice. Power.

3y

I appreciate your emphasis on self-care as an antidote to burnout. Recent research in mindfulness is showing some strong results in stress reduction and mental clarity (specifically in the military and healthcare sectors), so that may be of use too. I've found that implementing healthy workplace boundaries and unplugging whenever possible is critical. In InfoSec, this can be difficult due to the on-call nature of the work... Ideally, processes are in place that support unplugging from time to time. Good article - thanks!
