Take a vacation, rely on automation

As Labor Day quickly approaches, we can’t help but fear the inevitable end of summer. If you haven’t gotten your vacation in this season, it’s time. If you feel like you can’t take a vacation–or even worse, that no one on your team can take a vacation–it’s time to reevaluate.

For both the new and the veteran CISO or CSO, the fear of burn out looms large in what is often an unforgiving and underappreciated role. True, the CISOs first goal is to protect their business, but they also have to do so in a way that allows agility and avoids overworking their IT and security team.

The tremendous burnout rate has resulted in the shortage of high level security experts, so those who remain want to make sure the team they have is happy and fulfilled. That’s sometimes easier said than done, especially when the resources for the technology that can alleviate some of the stress and pressure of the job are limited.

Steve Grossman,VP of program management, Bay Dynamics said, “Burnout comes from a few different sources. Everybody is really busy, and there is a lot going on. The lack of visibility raises the stress level because the team doesn’t have an overall view of its threat posture.”

Many IT and security teams spend much of their time fighting fires, and they don’t know where they are going next. “They are trying to swat every fire and attack every threat that pops up,” Grossman said.

With the burden of threat intelligence overload, some teams see tens of thousands of threats. Grossman said, “If you are trying to swat each of those without a good view of the risk that exists, purely relying on tools, you are never going to be able to be successful because you are fighting a never ending battle that will lead to burnout.”

Other problems that lead to burnout come from broken communication processes, which can especially result from staffing shortages. “People are spending their time reading email, responding, and then they have to update a tool. Their time is spent having to worry about manual processes as opposed to stopping critical threats,” Grossman said.

The key is to have achievable goals based on protecting the organization, otherwise your day is spent making a small dent in a big pile without understanding if your efforts even had any impact.

Most of us gain a sense of satisfaction in our work when we  understand the benefit of what they are doing. For security teams, burnout can come from both not being able to protect the company assets and from uncertainty as to whether what they are doing actually matters.

One easy to implement effort that isn’t too restricted by budget is allowing members of the team to plug in with a mentor who understands the bigger picture of industry. “Without that, you are going to lose your staff. They’d rather go to an environment where they know what they are doing plugs into the organization and gives them satisfaction,” said Grossman.

Effective leadership goes a long way in retaining highly skilled team members who can grow to executive level leaders. Those who have blossomed under the tutelage of excellent leaders will better understand the business and technology decisions they need to make to help their teams avoid burnout.

A spokesperson for RES said, “The challenge is all too often organizations are buying technologies that help secure the perimeter and firewalls, but are not taking their security strategy a step further by investing in tools to help secure the no-perimeter world.”

Investing in the wrong technologies can contribute to burnout in many different ways, especially if the first response to an issue is a lockdown. “Due to the mobile, digital world we live in the more you lock down a user the more likely they will go around IT (Shadow IT) opening more security holes. The first step needs to be less on securing the environment and more on enabling the user to have the right access to the right tools when they need it most.” 

As much as security teams need to protect the business, the business also needs to adopt policies that prevent burnout for IT and security teams. “Policies that change access points based on a person’s role, responsibility and identity.” 

Automation and self service offer great relief from information overload. “The more that tasks are automated and standardized the less risk for human error. Allow users to go to a secure location and request services and applications they need to do their job. Do your best to fulfill these requests with automated workflow approvals to enable users as quickly as possible.”

After all that, insist that your team take some well needed and much deserved time off.