“We’re not afraid of the circumstances of what we fear. We’re afraid of who we are in those instances.”
- Dr. Stacy Thayer
Amidst all of the learning and conversations I had in Vegas during Hacker Summer Camp, this quote wormed its way into my brain, bothering me like a scab over a wound, where itchiness is a sign of healing.
This quote came out of a community roundtable session Dr. Thayer held after her talk at Black Hat USA 2022 titled “Trying to Be Everything to Everyone: Let’s Talk About Burnout.” As I listened to other security practitioners speak about their personal experiences with burnout, one thing really stood out to me: intertwining personal identity with our job inevitably leads us to confronting what any bad event says about me, or you, when things go wrong. This is why recovering from and preventing burnout is a deeply personal journey.
There’s no quick fix, silver bullet, or five step formula.
There are helpful markers along the journey to benchmark your progression, but more on that later.
According to this article in World Psychiatry, “[b]urnout is a psychological syndrome emerging as a prolonged response to chronic interpersonal stressors on the job.”
As Dr. Thayer emphasizes in her talk, burnout is about the interpersonal, meaning it relates to relationships and communication between people.
Occupational burnout is as much about the individual as it is about their surrounding work environment.
How does burnout show up among security professionals?
There are plenty of articles on the Internet describing the effects of burnout. If you’re concerned that you are experiencing burnout, please set up time to talk to a licensed professional, whether through teletherapy or in-person sessions. While I can’t help you diagnose your situation, I can help you learn more about it. At its core, there are three dimensions to experiencing burnout.
Emotional exhaustion - fatigue, feeling depleted, and a total loss of energy
Cynicism - loss of idealism, negative and overly detached attitude toward work, withdrawal
Professional efficacy - reduced productivity, decline of achievement and capability
A research study Dr. Thayer and several other security professionals conducted in 2012 showed that security professionals were more likely to express burnout through cynicism. Why might that be?
Two contributing factors to manifesting burnout through cynicism
Consider these thoughts from ultramarathoner and former Netflix VP of Security Jason Chan:
There are two points that Jason touches on:
The first is the lack of control in the security profession.
There is a clear link between lack of control and burnout. The lack of control in security stems from the modern decentralized way of working and the legacy mentality of security being only security’s job. IT and security can no longer operate as the gatekeepers to technology advancements, nor can they scale as the sole department responsible for the fate of the company’s risk management practices. Cloud resources are spun up and utilized more dynamically than ever. New software is being developed to help every part of the business operate more efficiently. The ways of working are changing all throughout the business, and somehow security teams are still stuck with the perception as the primary responsible team to protect and respond to threats.
The second point is the interwoven nature of personal identity and the job.
It is common for people to blur the line between who they are as an individual and their career. As a litmus test on how tightly you wrap your identity with your career, just ask yourself, “Who am I without this job? How would I describe myself? How does that make me feel?”
Depending on how tightly you mesh your personal identity with your job, a bad day at work can lead to you questioning what that says about who you are as a person and a spiral of negative self-talk. Instead of tackling the separation of personal identity and work, the more common way of coping is to distance yourself mentally and emotionally from the thing that is triggering the ugly spiral - the job.
If you compound these two points with society’s unrealistic expectations of perfection and zero breaches, it’s no wonder cynicism is the most common way burnout is expressed in the security industry.
So where do we go from here? How do we fight cynicism and burnout?
Fighting cynicism and burnout in security beyond “self-care” tips
There are just as many articles on the symptoms of burnout as those outlining “self-care” tips claiming to be the antidote to burnout. While written with good intentions, research has shown that the most effective ways to reduce burnout are self-efficacy and social learning theory.
As Dr. Thayer puts it, self-efficacy is “the belief in your own ability to learn from a situation and control your behaviors to achieve a desired result.”
Social learning theory considers how people learn through observation, modeling, and imitation.
Basically, the real journey to battling burnout is a deeply personal journey of self-discovery, learning what triggers your stress and equipping yourself with skills to manage your stress. Then you can help reduce burnout by modeling your new skills in the workplace.
But what about the environmental factors that contribute to burnout? What if the work environment is toxic, unsupportive, inflexible, unappreciative, etc.?
Well, friend, those things are out of our immediate control. We can only affect what is within our control, and we are in control of knowing ourselves and how we respond to external factors. While you do the work to fight burnout, it’s important to emphasize that burnout is not your fault.
Here’s some advice from Caroline Wong, Chief Strategy Officer at Cobalt, if you’re burned out and recognize you need a change of environment.
Dr. Thayer shares a nifty taxonomy for us to recognize the progression from survival mode to self-efficacy.
She also shared a variety of advice and tips, as well as resources. For the full deck from her talk at Black Hat, click here.
You are your greatest asset, so take what you need from this post to join us on the journey to fighting burnout.
If you’re in survival mode, stop here, take a break, and breathe.
If you’ve progressed to the “understanding” stage of dealing with burnout and are open to discussing what we can do about the “lack of control” in security, let’s continue on.
Tackling the “lack of control” in security
The dynamic nature of cloud technology and innovation has exacerbated the legacy asset lifecycle processes that IT and security had when assets were more tangible and more labor intensive to deploy. But this hasn’t changed the two basic questions security professionals must answer:
- What do I have?
- Where am I most vulnerable?
Manual asset inventories become obsolete as soon as they are complete, so how can security teams regain some control over their everyday operations? The first step will always be improving your own visibility without introducing hurdles to your business counterparts. With such a fragmented technology landscape to run a business, the only way to keep up with the data stream is to integrate and pump the data into an adaptable system of record. With that system of record, you can query it, graph relationships between assets and vulnerabilities, and visualize things like the blast radius of compromise or dependencies.
Guess what? I work at JupiterOne, and that’s what we do.
One of the reasons I love working at JupiterOne is because of what we aspire to be:
We shine a light and provide complete asset visibility in the cyber security universe. We empower our customers to create order from chaos and embrace a bold new vision of security - not as an inhibitor but as an accelerator for business. We invigorate the industry and inspire our users to recognize the critical importance of their work. We burn as a beacon for those who believe, as we do, that cybersecurity doesn't have to suck."
So if you want to learn more about how we help security teams bring order to their complex cyber asset universe, check out JupiterOne platform or sign up for a demo to talk to one of our technical experts.