Beating IT Security Burnout
Every once in a while, I have a friend who is thinking about quitting the IT security industry. They cannot take it anymore! They are tired of trying to do their best to help people and their organization have significantly better computer security only to have much of their advice ignored. They are tired of people groaning when they tell them to change their passwords or use MFA. They are tired of trying to get their patch management processes to actually patch everything they are supposed to patch. They are tired of telling co-workers they need to pay attention and analyze every email, so they do not become the latest social engineering victim. They feel like a rodent on a hamster wheel. All people do is complain and it seems as if the whole shebang is a deck of cards waiting to fall if the adversary finds any of the huge holes in their defense. It is stressful. They want to quit.
Sometimes they are brave enough to share this just before they actually quit.
As a guy who has been in the computer security field since 1987, I have seen some very good computer security people burn out and quit. Some have become artists, musicians, museum guides and anything else they find personally fulfilling, even as they often have to live on far less money. They decided that their mental health
When someone tells me about IT security burnout
You Are Not Alone
Other jobs, like cops, lawyers, teachers, etc., live with the same frustration. They tell people over and over what to do and the people they tell ignore them and end up with bad consequences sometimes. You are not alone...not that it makes what you are going through any better. But it could help to ask a cop or teacher friend, mentor or someone you respect in IT who has been doing it for a long time, how they best deal with the same type of stress. They may have a technique that you might like.
Transfer Some of Your Stress To Senior Management
Recognize that some of the stress that you are internalizing is really because you are stressing about risks that should be decided on at the senior management level. When appropriate, send the decision to senior management, advise them the best you can, but let senior management make and take the risk decision. And if the risk decision has a negative outcome, that is on them. They get paid to do that...and the outcome of that decision should lie on their shoulders, not yours.
Control What You Can Control – You!
The best that you can do is to do your best job. Do your best job and no matter what happens due to other people, you can rest in the fact that you did the best that you could do within your control.
Do Not Let Perfection Be the Enemy of Doing
I have heard the claim, “It is all a deck of cards and we have huge holes that any hacker can find to break into my company!” a bunch of times. No defense is perfect. The secret is that it is not supposed to be. Computer security is risk MANAGEMENT
Computer security is about managing risks. You determine what the greatest and most likely risks are and try to implement mitigations to reduce the risk of them occurring. That is not just computer security. That is risk management in all areas of life. For example, any thief can break into our house at any time. None of us have defenses that will conclusively keep the bad people out if they are dedicated to breaking in. We all sleep at night even though our houses could be targeted by thieves and there is the very real risk that one day, someone will break into your house (or bank account or car) and take something. We understand that. We live with that. But the job is not to make the house impossible to break into. It is to make it less likely to be targeted in the first place and less likely to be broken into if it is targeted. So, we put strong doors on our houses, put locks on them, lock windows and maybe get alarm systems and cameras. But there is no guarantee that all those things will work perfectly to stop a burglar.
We do the same with computer security. We implement multiple, overlapping mitigations to reduce the risk of a cybersecurity incident. And sometimes, what we implement does not work. That is life. That is work. Let it go. Your job was never about absolutely guaranteeing that no one would break in. It is about risk reduction. If you have helped to reduce the risk, you are doing your job.
Focus on the Right Tasks
Make sure you focus on the right things at work...that is the theme of my Data-Driven Computer Defense book (https://www.amazon.com/dp/1092500847). You are going to be asked to do hundreds of things to secure your environment and you will probably still need to do them all because of compliance issues. But focusing more on the things most likely to lead to compromise in your environment is the best way to do computer security and will help decrease the stress.
Work Less
Make sure you take breaks even if you feel you do not need them. A lot of the burnout comes from working over eight hours a day...always being on call, etc., and even if you think you need to work extra hard to do a great job, you are robbing yourself of your real life. Work is a job. Your life is everything else.
Most of my best employees and co-workers have been people who worked 10-12 hours or more a day. I would tell them to work less or they are going to burn out, and they would laugh and scoff. They would tell me they love working the longer hours or have to work the longer hours. The truth is, your workload will always fill the bucket of time you give to it. Work eight hours a day and you will have a full workload. Work 15 hours a day and you will have a full workload. Work fills the bucket. You can decide how big of a bucket is devoted to your work and your personal life.
Hard Won Life Hint: The harder you work, the more tasks you do, and the more hours you work, the less likely it is that you will get new co-workers to help you. It is often only when things are falling through the cracks that management finally moves to get you help.
Many of the best employees who I begged to work less, and who scoffed at me, eventually burned out. They could not see it coming. They were too busy working. But eventually, the pace at which they were working just became too much, and they got burned out. But it was not a surprise to anyone around them. Realize that one of the keys to longevity at a particular job is working close to normal hours. And no one dies wishing they had worked more at work. A lot of companies I have worked for, including Microsoft and KnowBe4, really do care about work/life balance
Talk to a Professional
Talk to a licensed therapist
Maybe It Is Time To Change Careers
And if you really do not like IT security anymore, seek another career. Life is too long and too short at the same time to be stuck doing something you do not really like. So, if you really cannot stand IT security anymore and the thought of staying in it depresses you, get a job that you like better. All jobs suck at some time and sometimes you will not like what the boss is telling you to do…even if you are the boss and running your own company. But if you personally like what you are doing for your career, life will be better in the long run and you will do a better job at it.
Many people make career changes. Heck, I am an EMT paramedic who became an accountant who then became a computer security geek, and that is not counting all the little jobs (e.g., ice cream truck, laundromat cleaner, locker installer, Dairy Queen cook, etc.) I had before those.
Stay and Be Part of the Solution!
There has never been a time when I have heard someone complaining about IT security burnout who I did not think was exactly the type of person we need in this field. They care so much that it is hurting them. So, if there is a chance you can find a way to make yourself re-love this career, I encourage you to stay. Because we need more people like you. Stay and make things better than the replacement worker who might care less. Stay and put your mark on it. Stay and change things so that computer security really is tangibly better. Stay and fight. Be the person in the arena.
We just need a more mentally healthy you so you are getting what you need to be happy and successful. Do the best job that you can and then let the rest go.
Not sure if any of my blathering helps...but I have had to counsel a lot of people in my career. Some stayed and thanked me. Some left and became happier. And some ended up missing it after they left and wished they never left (because technology has a way of passing them by as time goes on and it is tough to get back in sometimes).
IT security burnout is real. But if you can figure out a way to stay and be happy, please do. Because you are the type of person we need.
Putting order, building trust with technology
2 years ago: https://www.dhirubhai.net/posts/jacoswanepoel_cybersecurity-ciso-infosec-ugcPost-6929751091857235968-oWTT?utm_source=linkedin_share&utm_medium=ios_app
Instructor and course development specialist
2 years ago: Great analogy: the protection of your house and the remaining risk. It's the one I always tell my students to make them aware 100% security doesn't exist, but we try our best nonetheless to keep it safe from thieves. Very well written article with lots of reasons to stay in the security industry while staying safe and avoiding burnout. Agree with limiting the hours, even considering a part-time job if personal finance as well as the employer permit it. I've seen lots of people in IT falling into burnout, especially developers due to unrealistic project due dates.
Senior Cyber Technology specialist, Strategic Accounts at Darktrace
2 years ago: Very well written!