Burned Out: InfoSec Professionals Sound the Alarm

Naomi buckwalter
Author: Naomi Buckwalter, CISSP, CISM, Director of Information Security & Privacy, Energage
Date Published: 15 August 2022

If you’ve been in the cybersecurity industry long enough, chances are that you’ve probably experienced workplace burnout – emotional and physical exhaustion and loss of motivation for your job. The reasons for burnout in cybersecurity are varied: working too many hours, cleaning up too many breaches, and having too little support from company leaders for security initiatives are only a small handful of the issues contributing to burnout in our industry.

Last month, the results of a Bridewell survey on burnout made national headlines and sparked a discussion among information security professionals on social media. Burnout, it seems, is no longer a confidential topic of conversation between workers and their therapists – it is now talked about widely in the open, in public forums and amongst team members – and security professionals are sounding the alarm.

A redditor recently posted in r/cybersecurity, “I’ve decided to quit… When you hate going to your job everyday and can't complete basic tasks - it's time for a change. As for another job - I don't have one lined up. And maybe that is for the best… I don't even know if I'll return to cybersecurity.” The post garnered close to 150 comments from others in the industry, with many commiserating and sharing their own stories of burnout, and some joining in on the chorus of wanting to leave the cybersecurity industry altogether.

Gavin Grisamore, CISO at Stash Financial, agrees, saying, “[Security professionals] have an innate ability to want to help people, but that often leads to burnout, by taking on too much or having lower priority items getting forced to the top.”

The results from the Bridewell survey certainly support this viewpoint. Of the approximately 500 cybersecurity professionals who are thinking about leaving their position within the next year, 40 percent attribute this desire to stress and burnout. There is simply too much to do, too few resources to do it, and too much at stake for their reputation and career.

Self-care and mental health start with individual responsibility
Indeed, information security professionals are at high risk for burnout. Knowing this, I asked a handful of security people on LinkedIn how they keep the negative effects of work-related stress at bay.

Michelle Dain, compliance specialist at Lyon Shipyard, shares her story. “As an introvert it’s been really hard for me to find my voice and be firm with my boundaries… I used to check my work email from holidays and home. The work-based FOMO was real… I decided that I was putting an end to that when I was at the grocery store with my hungry daughter, took a work call, which took MUCH longer than anticipated. Instead of my daughter getting the home cooked meal, [we] had Taco Bell instead.”

Mikaela Seabourne, teaching fellow at University of Tasmania, says to be comfortable with the word “no,” saying: “‘No’ isn't a dirty word… It's a full sentence. Being able to manage your own expectations for yourself and avoid chronic burnout means you need to be able to set professional boundaries, even if you don't always want to. You don't need to explain yourself beyond basic niceties.”

Damian Tommasino, principal security sales engineer at Feroot Security, takes practical steps to guard his personal boundaries as well. “[I use] my calendar as a shield to establish healthy boundaries. By adding in family time, lunch breaks, and time to just get outside, I can protect my mental health while ensuring my team understands when I need time to regroup.”

The leader’s role in preventing burnout in their employees
The responsibility for maintaining a healthy work-life balance does not rest solely on the individual employee, however. Leaders must also put effort into helping their employees prevent burnout.

Jesse Wolcott, a long-time cybersecurity leader, offers this advice to fellow cybersecurity leaders. “If you are [in] leadership, you must constantly evolve and change your management for each person that reports to you. Give tasks, projects, challenges, and support where relevant, and back off when the stress piles up… You have to guide and support, absorb and deflect, and allow them to do their best work. People don’t burn out with constant victory and growth.”

Max Killinger, global director of infrastructure and security at Tosca, says that leaders must balance their employees’ workloads within their teams. “Those of us privileged with leadership roles must ensure the people in our care are sharing workloads. This helps both build our up-and-comers and create a culture of learning and relying on each other. We win as a team.”

Chris Stinson, an information security specialist with Blackhole Security, takes it a step further. “I've suspended some access before for those going on vacation, with their knowledge of course. Prevents the ‘just checking in’ habit.”

To keep from burning out, find purpose in your work
Thomas Agler, a cybersecurity instructor with the US Air Force, closes with this thought. “It helps if you work somewhere where you are passionate about the organization’s mission. Even in some of my most stressful jobs, I felt energized at work because I knew what I did mattered. The long hours, constant troubleshooting, coordinating communication between technicians and leadership during crises, and getting calls in the middle of the night aren't as bad when you know why it matters and you see how you are making a difference.

“I encourage cyber security professionals to get involved, learn about other parts of your business, and meet others from different business units. Learn how you are helping individuals and helping your organization’s mission, not just doing a job. While not always practical for everyone, if you can't find a sense of purpose or passion where you work, you should look for a job somewhere you can.” Disclaimer: Thomas’ views do not reflect official policy or positions of the Air Force.

About the author: Naomi Buckwalter, CISSP, CISM, is the founder and Executive Director of Cybersecurity Gatebreakers Foundation, a nonprofit dedicated to closing the demand gap in cybersecurity hiring. She has over 20 years' experience in IT and Security and has held roles in Software Engineering, Security Architecture, Security Engineering, and Security Executive Leadership. As a cybersecurity career adviser and mentor for people around the world, her passion is helping people, particularly women, get into cybersecurity. Naomi has two master’s degrees from Villanova University and a Bachelors of Engineering from Stevens Institute of Technology.