5 ways to curb cybersecurity burnout

Former CISO Karen Worstell doesn’t mind sharing her burnout story with others in the industry as a cautionary tale. About a decade ago, she left her role as VP of risk management at AT&T Wireless following a grueling merger project. She took a two-week vacation and then started her new role as CISO at Microsoft. Her adjustment into the new culture proved rocky and excruciatingly stressful after her boss laid out her performance metric for the year: No hack, no leaks.

Self-doubt crept in, and she sought the help of a psychiatrist who told her there was nothing wrong with her. She was probably just sleep deprived, he said. He handed her three prescriptions and then made a troublesome comment: “You have no idea how many of your colleagues I see here.” She resigned five months later.

Unlike IT projects she had done that had a beginning and an end, “the challenge with cybersecurity is there’s no way to contain it,” says Worstell, who is now CEO of W Risk Group and founder of MOJO Maker for women in tech. “When you move into something that is highly stressful and uncontainable, it kind of takes on a life of its own. It’s like your worst nightmare that you can’t wake up from.”

Stress is undoubtedly playing a part in the mental health decline and career burnout of today’s CISOs and their teams. Some 91% of CISOs say they suffer “moderate or high” levels of stress, and 60% “rarely” disconnect from their work role, according to a recent survey commissioned by Nominet of 408 CISOs overseeing security for large US and UK organizations. Even more alarming, 17% say that they have turned to medication or alcohol to help deal with that stress.

Making matters worse, a constant deluge of headlines pop up almost daily on mobile phones alerting security professionals to the latest breach or attacker. It leaves the impression that “your comrades are falling on the battlefield all around you!” Worstell says.

This constant defensive state can lead to exhaustion, or worse, says Jeffrey M. Stanton, professor of information studies at Syracuse University. His research focuses on work-related stress and the relationship between organizational behavior and technology. “A fundamental aspect of the cybersecurity profession is that it is defensive. This naturally puts people in a vigilant state of mind, staying alert for threats,” Stanton says. “Such vigilance and alertness is inevitably stressful if maintained over a long period of time.”

Who is to blame for cybersecurity burnout?

The stress hitting CISOs comes in part from the lack of engagement with the C-Suite and the board, according to the study. About one-third (32%) of U.S. CISOs said that their executive management team does not understand and accept that security breaches are inevitable. These executives think that either (A) nobody is paying attention to their company and it won’t happen to them; or (B) the CISO can and should protect them from all data breaches and leaks. More than a quarter of U.S. CISOs (29%) think that if a breach occurred they will face an official warning or lose their jobs.

For cybersecurity staff, the widespread talent shortage and a lack of staffing in their organization often cause burnout, according to Dr. Bill Souza, professor of cybersecurity at the University of North Dakota. “That shortage could imply that you’re overloaded and have a lot of work” on your plate, he says.

No doubt, the stress is real, but there are ways to curb cybersecurity burnout. CISOs and managers must first recognize the signs of burnout in themselves and their staff, and then foster a less stressful environment.

Recognize the signs burnout 

As is true in many situations and professions, look for meaningful changes in behavior, such as unexpected or unpredictable outbursts of anger, Stanton says. “If it seems like someone’s personality has changed, it is possible that they are under work-related stress.” Physical signs and symptoms, such as those that result from poor sleep, may also be indicative.

The easiest behavior to spot is cynicism. “When you hear people talk about management or life in a cynical way, that’s a red flag,” Worstell says. “That shows there’s stress and distress, and a sense that people feel like they don’t have any kind of agency over effecting the outcome for what they’re made accountable for.”

Presenteeism is another sign of stress – when employees show up but only do enough work to get by, without follow-through or attention to detail. “They feel like the quality of their work doesn’t really matter.”

Stress and burnout are real and potentially serious conditions. There’s no one-size-fits-all remedy, but there are ways of putting the out-of-control nature of cybersecurity into perspective. The following are five suggestions for how management and CISOs can help curb stress and burnout.

1. Assert control where you can

This is where management can really make a difference, Worstell says. They can add selective control points and checkpoints to give cybersecurity teams the opportunity to lend their expertise upstream to avoid a downstream disaster.

For instance, during an M&A project, Worstell found out that her organization would be acquiring a company that had a product that was inherently, incurably insecure. The terms and conditions of the M&A were that it was going to be integrated into their product suite — a situation that she had no control over.

“We had to say, ‘There’s a checkpoint upstream from where we are right now that needs to be added so that we have input into this earlier in the process.’ It expanded our sphere of influence in a way that gave us control over the outcome,” she says.

2. Consider rotating security roles

Everyone who is charged with a role that involves vigilance and monitoring of threats needs to have required down time, Stanton says. Think of a lifeguard. “At a well-run facility, lifeguards rotate roles or positions every 15 to 20 minutes. The reasons for this have to do with mental alertness and attention more than they do with stress and burnout, but the principle is the same.” Cybersecurity leaders should consider implementing job rotation, where those charged with monitoring cyber threats are periodically shifted to other roles where they can have downtime from being vigilant, he says. “Their deep experience in detecting and mitigating threats can be powerfully helpful when working (temporarily) as a trainer or in another ‘background’ cyber role.”

3. Provide recognition and training

If resources aren’t available to lighten the load for cybersecurity teams, then leadership should take care of employees, Souza says. “Non-monetary recognition from leaders and peers that they’re doing a good job can inspire self-value in the individual,” he says. Offering training certifications can help leadership attack the same problem from two different angles, he adds. “The certifications help mitigate the shortage of knowledge, and you boost their self-value,” and potentially reduce the cynicism. Most importantly, the leaders themselves have to take a look at their leadership style, he says. “Leaders must understand how to manage an organization that is short-handed.”

4. Talk about stress 

Stressed-out workers should be vocal about their levels of stress to both work colleagues as well as family, says Dr. Dimitrios Tsivrikos, a business psychologist and lecturer at University College London. “You will be surprised by the support and help that is often available via both official and unofficial channels.”

Colleagues and family that employees choose to confide in should always be empathetic, Worstell says. “Hearing that pain, do not turn away or treat that lightly.”

5. Require unplugged time off

“We haven’t become the Messiah (as cybersecurity professionals) with the weight of the universe on our shoulders,” Worstell says. The CEO gets to have a vacation, and the CISO (along with cybersecurity staff) should do the same without being constantly on call, she says. “Some of that’s on us, but we have to be willing to say, ‘I am going to shut it off now. I’ve done everything I can that’s reasonably possible, I have someone in charge while I’m gone, I’m taking a break, and I’ll check in when I get back.’ But it’s really tough for the people in our business to do that.”