RSA Conference 2012: Stress and burnout in infosec careers

SAN FRANCISCO – Career stress and burnout is as common among information security professionals as it is among professionals in other high-stress fields, such as medicine or law. But finding support and information on dealing with info sec career burnout is difficult because resources and knowledge are scant.

“If you do a Google search for info sec burnout, you’ll find nothing,” said KC Yerrid, an information security and managed services consultant. Yerrid was one of several panelists who took part in a talk focused on IT security burnout and stress held Monday at the 2012 RSA Conference in San Francisco.

The group, all information security veterans, spoke to a packed room about some of the causes of burnout in the info sec field, how to recognize the symptoms, how to seek help and how to reach out to others who may need assistance.

“For me, burnout manifested itself as rage,” said Yerrid. “And when you are a six-foot-one, bald guy having a bad day on the job, that can give some people a bad impression.”

“I’ve seen a high level of burnout. A number of colleagues in this field, fighting the good fight, who have exhibited signs of burnout,” said Martin McKeay, a security evangelist with Akamai Technologies.

Moderated by Jack Daniel of Tenable Network Security, the panel mentioned several reasons why they thought levels of stress were high within the info sec field.

Security consultant Gal Shpantzer noted an individual he had met several years ago who had once been in law enforcement and took part in drug raids and other types of high-stress and adrenaline-filled missions as part of his job. But when his friend transitioned to a job in information security, his level of satisfaction was much lower. Shpantzer said his friend felt like he could measure success, and knew when he had done a good job at the end of the day, in law enforcement. In IT security, there are very few concrete measurements for success, Shpantzer said.

“It’s like a fungus,” said Shpantzer. “You’re trying to get rid of it, but it keeps growing.”

Others on the panel cited the types of personalities that the info sec field attracts which make working in the profession hard.

“We are a nasty group of people. We turn on each other,” noted panelist Joshua Corman, director of security intelligence for Akamai Technologies.”We spend so much time worrying about malware and woes in this industry that we forget to take care of each other.”

Panelist Stacy Thayer, executive director of SOURCE Conference, noted info sec is an isolating profession and that lack of human contact on many days can make things seem bleak.

“We work with computers. It’s not like they are warm and fuzzy,” said Thayer.

Daniel presented the results of a “Burnout Survey” he and the panel conducted in 2010. Although a wide range of respondents took part, the data only contained about 124 valid responses, which Daniel noted was insignificant from a research perspective.

“It allows us not to draw conclusions, but to make observations,” said Daniel.

The data focuses on three indicators of burnout: level of exhaustion, level of cynicism and self-efficacy. Low levels of self-efficacy is where security professionals differentiate themselves from other high-stress professions, he said.

Among the responses, Daniel said the data revealed almost 13 percent of those surveyed were in what he called a “red flag” area for level of burn out and were clearly in need of some intervention. Several panelists urged audience members to reach out to those who may be in need of some support, or to ask for help themselves if they felt they were at a critical point and nearing burnout. Other advice included taking on a mentor or mentee role or getting involved with teaching or speaking about an outside passion or hobby.

The goal of the talk was to raise public awareness and support about the risks associated with burnout among infosec professionals and build a community of support. It is an ongoing effort led by the panel. More information can be found at secburnout.org. Interested professionals are also asked to fill out a career attitudes survey at https://www.careerstudy.org.