How to prevent security practitioner burnout
Security Operations Centers (SOCs) play a critical role in defending against today’s incessant cyber attacks. Yet the people who staff these centers are often stressed, burned out, and demotivated. A recent survey commissioned by @devo_Inc found that 71% of security professionals are likely to leave because of a combination of challenges in the SOC.
According to the survey, it takes months to fill vacancies, so it is important to understand the causes of SOC employee burnout and how to solve it. That’s what members of the #CIO TechTalk Community tried to get to the bottom of in a recent Devo-sponsored Twitter chat.
When asked if they had experienced burnout as a security practitioner, participants were quick to affirm their negative experiences.
I’m curious who actually says “no”. Stress and burnout are rampant in our industry and companies need to assess this when considering how to retain #cybersecurityprofessionals. We are already struggling with a hiring shortage of new employees. #ciotechtalk
Kayne McGladrey
#CIOTechTalk – this is like the question “is the sky blue”? – Naturally. However, when it comes down to how much, and the result of it is different from different practitioners. I’d say IR/IH & SOC are probably worse off than, say, compliance folx. It’s gradient and situational.
In the past, according to TechTalkers, travel was a major contributor to burnout:
When I did #infosec consulting. Endless months on planes and hotels can drain you and leave you in a state of burnout. Combine that with a difficult client and opposing employees and you have a perfect #burnout storm. #Ciotechtalk
Devo CISO Kayla Williams pointed to evidence that a significant number of SOC crews are overworked:
@devo_Inc’s new #SOCPerformanceReport found that 41% of survey respondents said their teams work up to 9 hours of overtime per week. Cybersecurity leaders need to stay on top of this and help teams prioritize and mitigate workloads. I find automation key to #CIOTechTalk success
More ominously, some participants indicated they switched careers due to the pressure:
I did, in fact I experienced a burnout year in 2017 that culminated in a number of factors that combined required a career change of direction – the #defensive pressures and the constant budget and attention challenges are tough. #CIOTechTalk
One revealed the physical toll, along with sexist-tinged reactions from management:
They knew because it made me physically ill. They told me I wasn’t “tough enough” to handle it. Read as a woman in a male role.
Extremely unhappy. Gender bias is more of a challenge in #infosec than the security challenge itself.
Women in safety numbers have improved, but it’s not great yet. Speaking from my experience, technology wasn’t marketed to me at all growing up. I got into tech through auditing and complementary skills #CIOTechTalk
Many of the stressors are equal-opportunity, including a lack of management empathy and unrealistic expectations. CIO TechTalk moderator Isaac Sacolick sparked some back and forth with his observations:
What I’ve seen with IT teams boils down to unrealistic expectations. Too many priorities and not enough prioritization. Part of the reason SOCs are more likely to burn out is that it’s an area that’s hard to prioritize and where business can’t afford failures and headlines #ciotechtalk
At the top – the #CIO and the #CISO – how you manage the expectations of your fellow executives and show IT and protecting IT as part of the business mission directly contributes to the benefit of your team. #CIOTechTalk
I think this is a double edged sword, some leaders get smeared for raising issues and safety concerns while others hide them and tell teams to get creative. I think how the risks and needs are presented to the organization ultimately determines the outcome.
Several participants questioned whether leaders are listening to employees or whether they fully understand security challenges:
We are at a point where rapid technological change is leaving some leaders behind. It is evident that the same effect occurs with security, resulting in more disconnects. Also, some CISOs don’t yet have a seat at the table, and the organization’s security posture can suffer as a result. #CioTechTalk
For leaders to listen, they may need to understand what they’re listening to. Not all leaders understand security and it’s up to security people to communicate effectively. #CIOTechTalk
What’s more – do they know where to listen? Have you / your team been reached consciously via the channels [execs|the field|sales|whomever]? Wiki, PPT, whatever. What is the cadence? Format? It’s little things that save you stress later. #CIOTechTalk
#CioTechTalk – Between personal experience and friends and colleagues, they listen but they don’t.
But perceived management deficiencies reflect only part of a long list of issues contributing to the problem:
In no particular order:
– Understaffed
– Safety budget cuts
– Lack of executive support
– Safety is not part of the business
– Outdated processes and mindsets still drive product delivery
– Reactive “hero” culture still reigns in the organization
Respondents were asked whether the company’s goals and the SOC’s goals matched, to start a discussion on how to get the attention of decision makers in the company:
Not ordinary. But the words “brand equity” get and keep their attention. #CIOTechTalk
Brand equity and reputational risk are certainly driving many #security investments these days. Nobody wants to be associated with a breach and investing in a SOC is one way to be proactive against attackers #CIOTechTalk
The discussion ended with the question of how organizations can better support security professionals. More resources, empathy, stress management programs and communication were just a few of the many suggestions. And, put plainly:
Also helps to know: It’s a tough conversation as a #CISO, but have you spoken to the #CFO and board what a transferrable loss is? What is an acceptable loss? If you don’t know, how do you prioritize your actual level of risk? #CIOTechTalk
Get the full #CIO TechTalk discussion below, and to learn more about how to transform your SOC and prevent employee burnout, visit www.devo.com.
Copyright © 2022 IDG Communications, Inc.