“I love my job!” Can you say that? Honestly?
Or, maybe we should take off the exclamation point and change a few words around. How about: “My job is pretty cool, and I like being a security pro on most days. The pay is decent.”
Or, perhaps you’ve had enough. “I’m fed up at work. Truth be told, I’m looking for another job. I’m disgusted with my boss, co-workers, customers or (fill in the blank). I need a change of scenery – real bad. Driving a truck across the country or plowing snow near some Colorado ski resort is sounding pretty good right now.”
Most security professionals that I know experience symptoms of burnout at some stage in their professional career. In fact, one poll last year revealed that over half of the security professionals surveyed were unhappy in their jobs. Perhaps you just need to get away on one of those Southwest Airlines vacation deals. True, a certain amount of stress comes with all jobs, but particular career choices tend to bring more burnout than others.
While a comparison between security professionals and doctors who work 80+ hours a week may seem like a stretch, I do believe that this issue is more of a career-killer for security pros than for many other career tracks. (One friend commented, “It’s true that doctors work long, stressful hours, but they get paid for it. We don’t.”)
Or perhaps you’ve already moved to that company across town (or the country) – more than once. Your career aspirations aren’t being met. You’ve come to the realization that your problems are not company-specific or even related to sub-par pay or benefits. You’re considering a new line of work or at least a different security role.
You might be dealing with:
Problem 6 for Security Professionals: Dealing with Inevitable Burnout
According to one online help guide, you might be heading towards burnout if:
- Every day is a bad day.
- Caring about your work or home life seems like a total waste of energy.
- You’re exhausted all the time.
- The majority of your day is spent on tasks you find either mind-numbingly dull or overwhelming.
- You feel like nothing you do makes a difference or is appreciated.
There are two different aspects to this topic that I’d like to discuss. First, security professionals will likely experience exhaustion at various times throughout the year. Like firefighters after a major fire, hard work with little rest will require some extra time to get your energy back. Cyber attacks, like many other emergency situations, seem to come in waves. Unfortunately, when it rains, it often pours.
For example, in Michigan, we experienced at least one major virus outbreak or other significant security incident, requiring us to activate our emergency coordination center, each of the seven years that I was CISO (2002-2009). These major incidents usually lasted several days or more and required long hours with all hands on deck. Add in the other major emergency management activations such as supporting blackouts, natural disasters, frequent emergency exercises (such as Cyber Storm) and things can get pretty busy.
And yet, it’s not these major events that I worry about – nor why burnout is listed as problem six. The intriguing thing about significant events is that they often build teamwork, career satisfaction and even positive recognition, especially if there’s a happy ending. Even when incidents have a less than satisfactory outcome, security pros often seem to grow and focus more clearly when everyone in the enterprise is watching.
The “cream” typically rise to the top during these major incidents. In fact, many security pros thrive in this environment and some even look forward to the adrenalin rush. I’ve seen after-action reports contain responses like: “I told you so” or “I knew that would happen” after major zero day attacks. Truth be told, some security pros got into the security field to do battle in these types of cyber emergencies. [Side comment: movies like Die Hard 4 may even bring more young people into the field with these dramatic expectations.]
Of course, several serious events in a row can cause unwelcome family disruptions or other problems as well, but that is pretty rare, in my experience. Security veterans know that unusually tough situations can and will happen at work every so often. Afterwards, good management will likely be pretty encouraging of a family vacation to Disneyworld or somewhere nice.
But there is a different type of burnout that makes this a hot topic for security professionals. I’m referring to the daily grind on a 7 x 24 x 365 basis. The constant expectation to work long hours, including nights and weekends, will drain energy. Never-ending workload can make work-life balance very difficult over the years. The temptation to keep viewing the limitless amount of information in the short term, at the expense of personal relationships with family members, can too often end sadly in the long run.
Is this a problem for you? To determine where you’re at, here are a few questions: Do you unplug? Ever? Do you turn off the technology – including your blackberry or iPhone? How often – and for how long? Are you living up to your own family commitments? Getting enough outdoor activity and exercise?
Now ask a good friend, spouse or trusted family member their opinion of your time spent online versus offline. Do they have any recommendations for work-life balance? Experts say that there are four stages of burnout, so you can even do a self-test to see if this is a serious concern for you.
True, we all go through seasons of change. We go the extra mile because we want that next promotion. We need to impress that new team and show them that we can pull our weight. We want to keep our jobs during company cuts or industry-wide down-sizing. But look back over the past several years and see if you notice a longer-term pattern in your life. Does it ever change?
One note: security organizations are (obviously) made up of individuals. But I have seen entire groups that were burned out at the same time. At one conference I met a half-dozen people from the same security team, and they all were stressed to the max, bad-mouthing their company (over a beer) and wanting to bail at the earliest opportunity. Their situation showed me what can happen (in the extreme) if these situations are not addressed.
We all need staff backing us up as well as trusted colleagues who can help. With the economy coming out of a tough recession, I have talked to pros all over the USA who are feeling like their teams are way too thin. They never catch up. They feel the constant pressure and weight of too many insecure systems and applications. They take security vulnerabilities personally.
So what are some potential answers?
Problem #6 Solutions: Perseverance and Work Life / Balance
We all need to recognize that stress and potentially even burnout come with the territory. We need to prepare for stress like we anticipate the four seasons (at least in Michigan). We need to look for the warning signs. Being keenly aware of the burnout challenge is a first step.
Second, take some time to step back and analyze your situation at least once a year, if not more often. Schedule some time to get away, and try to disconnect for at least part of the break. Use your vacation time, and if you check-in, put barriers around your time. Talk about how things are going at work with those you trust but who have a different perspective. Get professional help from a doctor, if you need it.
Third, recognize that your career is more like a marathon (or even a triathlon) than a sprint. I sometimes see security sprinters who are excellent for a few months or up to a year, but they can’t keep up the pace. They start getting sick, make excuses for poor performance and drop quickly off the radar. This can also play out with people who become overnight security experts. (Last year they were doing something else and next year they’ll be out of security.) One thing I look for is a track record that spans years, and not just “one time specials.”
What will people be saying about our character, performance and professional ability ten years from now? What were the outcomes produced? Were we able to sustain good performance and positive relationships and reputation over the longer term? Even the best athletes will have hot and cold streaks, but the ones in the hall of fame are the ones who sustained excellence over their career.
Back last fall, I was fortunate to meet Mark Allen, Ironman Triathlon. He came to speak at our Michigan Digital Government Summit, and he offered many motivational examples of how to overcome obstacles in life. Mark encouraged each of us to apply those same principles to our daily lives.
Here is what the Summit program guide said as an introduction to the session:
"In Government IT Today, success - or even holding on for dear life - requires great toughness, endurance and resiliency. Who better to inspire us than the man who is arguably the most successful endurance athlete of our time? As a professional triathlete, Mark won 66 of 96 races he entered, six consecutive Ironman World Championship at age 37 (another record). These achievements did not come easy. In this fascinating keynote address, Mark shares the principles that enabled him to turn devastating setbacks into historic triumphs; principles each of us can use to achieve the highest levels of success in our personal and professional lives."
I found a version of Mark's inspiring presentation, The Art of Ironman Success, online. He describes how he learned from burnout in his first big race. The three tools he describes are:
1) Have a clear strategy based upon what your goal is asking you to do to accomplish it.
2) A willingness to adjust your strategy when necessary.
3) Stick with it! Absolute commitment to complete the race and realize the goals we set out to accomplish.
One final thought on burnout. There's always hope, and you can bounce back in your career. Charles R. Swindoll has several motivating quotes on this topic. Here's one of my favorites: "You're through. Finished. Burned Out. Used up. You've been replaced...forgotten. That's a lie."
Next time, we'll conclude this series with reason #7 on why security professionals fail - narrow thinking. How can we enhance our ability to adapt to rapid technology change and see the bigger picture? What strategies help us move beyond the box placed around current roles?