Why burnout happens in Information Security

What are the signs that lead to employee burnout in Information Security? I’ve been a CISO for 10 years. I’ve worked in Information Security for 15. I’ve worked in tech a lot longer than that. I’ve seen more co-workers and peers burn out and leave the industry at all levels, from entry-level analyst to a number of my peers. This is an endemic issue, according to the article by Kelly Sheridan in Dark Reading: ”Burnout, Culture, Drive Security Talent Out The Door.”

This isn’t written for the CISOs or security people. It’s written for the CIOs and management that can help stem the tide of this major issue. Many of the issues my peers and I have observed that drive people to burnout aren’t technical in nature. They are communication and cultural issues. We’re going to discuss them below.

Giving excuses instead of spending time on security

When you have team members and managers that refuse to do anything to improve security, give excuses, and then openly solicit work from others, then you have a compound problem. This is two issues. The first is of not taking a risk-based approach to work and addressing open risks. The second is allowing managers to put their own priorities ahead of the mission of the organization. In both cases, if you allow this, you are opening yourself up for serious security issues, and you do not have control of your organization, despite what you think. You will also contribute to security people being disengaged.

Thinking security is going to do everything for you

Every large company has an internal audit team whose job it is to assist in discovering potential pitfalls. However, it’s not their job to address them. When Information Security conducts a risk assessment, the same rules apply. Just because they discover a risk doesn’t mean they now own it and have to fix it. Security is a team sport and needs to be treated like one. Organizations need to work together to address risks, not pawn it off on someone. If you are not addressing your risks and improving there, which is the goal of internal audit, you’re not improving elsewhere and you are stagnating.

Ignoring or not doing a risk assessment or risk management plan

If the risk assessment indicates that something is high risk, and you ignore it and do nothing about it, you will be liable should something happen. The Department of Health and Human Services’ Office for Civil Rights, who is the organization that issues fines and penalties to healthcare organizations, does not issue them just because of a data breach. They usually do so because the offenders either do not complete a risk assessment or address the issues with their security plan. If an organization can prove they have done said work, the probability of a penalty reduces greatly.

Remember, if your Information Security team either isn’t empowered to do a risk assessment or build and collaboratively execute on a plan to address risks, you will be liable when something happens. You will also be told “I told you so!” when the CISO walks out the door.

Middle management changing rules based on who asks

One of the most powerful observations I have made in my ten years as a CISO has been the interactions with the C-suite. The C-suite does understand risk, security, process, and planning very well, and is generally very pleasant to deal with. However, my peers and I have noticed that in a lot of companies, middle management will invoke the names of the C-suite in attempts to either cut back on security or rush something to “go-live” without due diligence. There are members of the C suite who will also do this, but this is a lot less common than people think.

I tested this out one time at a previous employer when I had a middle manager refuse to do something. I called a VP I knew and asked her to file a ticket to do it. Within a short period of time, said manager called me up and told me something had to be done quickly because the VP asked. That told me everything I needed to know about that person.

If you’re a middle manager reading this, you should know three things. First, the C-suite can see through the lack of due diligence miles away. Second is that you don’t make it there and stay there without a network of friends and contacts, many of whom will contact their friends in the C-suite to warn them of your attempts to look good by bypassing the rules and throwing their name around to do so. Finally, if you craft something to look good in front of them and can’t answer their questions, which they will ask, you will be found out, and it will hurt you.

If you’re an executive reading this and you allow this behavior, either actively or passively, you’re going to accomplish several goals, none of which will help your career. You’re going to allow systems which bring undue risk on the organization to persist, which will cause major security and liability issues. You’re going to break every rule and policy in the book, which is going to cause further risk to the organization and cause any well-meaning information security staff to leave. You’re also going to create a culture of favoritism, sniping, and backstabbing to get ahead, none of which are conducive to employee engagement or building a culture of trust.  None of these will help you build an organization that works well. Security people leaving will be the least of your issues.

Thinking that the “hero culture” works for security/micromanagement

One of the most pervasive ideas is that companies are built around supermen or superwomen. The late Steve Jobs, Elon Musk, Larry Ellison, Bill Gates, Michael Bloomberg and Mark Zuckerberg are seen as singular heroes that built empires and moved mountains on their own. Steve Jobs in particular is singled out for his emphasis on design and getting things right. While they are or were brilliant, successful people who have done incredibly well for themselves, they all had teams behind them. Those teams planned and executed and were motivated by their leadership to reach places they hadn’t beforehand. Jobs in particular would be nothing without Steve Wozniak, and Larry Ellison would be nothing without Bob Miner. All of these great leaders led teams. While Bill Gates wrote a lot of code and built great products (like the OS for the original Tandy laptops), he eventually stopped and let people like Dave Cutler and Mark Russinovich take over.

Don’t think you can take security and hand it off to some really smart person and tell them to figure it out with limited resources because so-and-so did and built rockets, a smartphone, or a database. You’re going to end up with a disengaged really smart person who is going to leave because they will get fed up and burn out. Motivation only takes you so far.

If you are an executive that sets the example by doing everything or priding yourself on micromanaging your team to demonstrate what a superperson you are or how much you are like Elon Musk, you are going to do several things to yourself.

First of all, you will drive away aspiring leaders from your organization because you will remove all ambition. Secondly, you will remove any chance you have at having a normal life, because you will be doing everyone else’s job, and managing them as you won’t have any leaders left you can depend on to actually manage. Third, you will show people they cannot be trusted to do anything, and most of your good people will leave when you don’t trust them. Fourth, you will build a toxic culture of backstabbing because people will literally throw each other under the bus just to look good in front of the boss. You will have “managers” who will act to hurt their peers because that is what they see and emulate, and bypass every process possible to satisfy customers, instead of establishing good governance and processes.

This will have long-lasting and dangerous effects to your organization, as your IT and Security teams are not seen as equals or peers, but subservient. You will marginalize IT and make it impossible for security to succeed because it will be seen as an obstacle that a call to the CIO will bypass.

Most importantly, you’re going to open yourself up to risk because you will shut out all objective viewpoints or differing opinions except your own and ignore warnings from your own teams. No matter what you think, you will not be right 100 percent of the time, and to think so is a fatal fallacy.

The next person who takes your job, no matter how good they are, is going to have a really hard time rebuilding the team and is going to spend time on undoing your lack of leadership on multiple fronts. This is going to lead to the executive who takes your place not being able to address risk properly because they have to rebuild a team due to your lack of understanding of what a leader really does and your propagating it to the team.

Not having a culture of individual wellbeing

The prevalence of the idea that we must be on our game and on the job 24/7/365 is killing us. If an organization doesn’t support and encourage a healthy work life balance, and doesn’t put in place policies, procedures, teams, and strategies that support it, then you will have burnout. The idea that we all have to be heroes is damaging the lives of good professionals and their careers. Two of the people I learn from the most have brought this up, and I’ve lived it. Paul McAninch from our team was the one who suggested this, and Caroline Wong from Cobalt.io has blogged about this. It’s important to have a culture that promotes healthy activities, exercise, good diet, and leisure time. It’s also important to respect personal time and work hours, and ask the question “Is this really important, or can this wait? Does this need to be done now?”

We’re not superhuman. We can’t be expected to be. If the expectation is set that there is no work/life balance, the good people will either burn out or leave. Setting the expectation that anything less than heroic effort 100 percent of the time is a sign of weakness is toxic and will destroy not only the lives of employees, but their families and friends. Just because you want to be the hero doesn’t mean you have to sacrifice others to do so.

Conclusion

Security issues often have their root causes in non-technical issues. Company cultures that allow people to give excuses, pawn work off on others, ignore risk, change the rules based on who asks, and think that giving something to really smart people and have them “figure it out,” or micromanagement are the causes of burnout my peers and I have observed. It took me a few years to figure these out. However, they are also signs of corporate cultures that will seldom allow anyone to succeed, let alone security.

If you’re asking the question as to why your security people are burning out and leaving the field, you may want to look at your company first. If you see any of these characteristics, you may have your answer, and it doesn’t have to do with funding or resources. It has to do with the examples you set, and the culture you facilitate. If you can’t live by your company’s mission and values and show them every day, there is your answer why.