Expel insider · 4 MIN READ · BEN BRIGIDA · NOV 19, 2024 · TAGS: Employee retention / Management
TL;DR
- Ben Brigida, Senior Director of SOC Operations at Expel, sat down with Phillip Serio, Senior Director of IT Security & Compliance at Hershey Entertainment Resorts, and Joe Klein, Managing Partner and CISO, to discuss cybersecurity burnout
- They discussed burnout in cybersecurity and its downstream impact, as well as strategic and one-off choices you can make to reduce burnout for yourself and your team
- You can watch the full webinar here, or check out our ebook, Unplug your team: combatting cybersecurity burnout, for more information on burnout in cybersecurity
What does burnout look like in cybersecurity?
Burnout is a buzzword that you might be, well…tired of hearing about. But its oversaturation in the corporate world is illustrating just how rampant it truly is, and cybersecurity specifically is known as an industry especially prone to it.
High-volume tasks with low perceived value are a large portion of what SecOps teams are tasked with managing day in and day out, and that can lead to burnout fast. Whether it’s managing SIEM alerts, several tools at once, telemetry sets, false positives, or your 50th vendor questionnaire of the week, or just switching back and forth between to-dos constantly, it’s no wonder entire teams are suffering.
People go into cybersecurity because they’re mission-driven. Instead, they end up constantly changing focus, wearing multiple hats, working too many on-call hours, and filling gaps, all while feeling the nonstop work they’re doing doesn’t even contribute to the greater good.
“Security professionals have pursued careers in Cyber to protect organizations against advisories. They wind up doing a job where there’s tedious repetitive tasks, and they feel disconnected to the mission.”
Joe Klein, Managing Partner and CISO
Essentially, a job in cybersecurity without innovation is a recipe for burnout. It’s not a matter of if, but when.
The impact of burnout in your SecOps teams
Analyst burnout is a security threat: when individuals feel disconnected, their accuracy drops and mistakes multiply. No security tool, however advanced, can overcome the risks posed by an exhausted team.
At a team level, it can lead to turnover. One person leaving a team can cause a domino effect of others leaving if the burnout is widespread. Additionally, those who are left will feel their burdens increase as they’re asked to fill gaps and pick up more slack, whether it’s taking on more work they were already doing or extra on-call shifts.
And from there, it’s contagious. Leaders who see their teams suffering that aren’t empowered to help can shift from evolving to surviving, which isn’t ideal when bad actors are doing the opposite. Put simply, attackers are evolving and growing, and you’re not.
Solutions for aiding in reducing burnout
In our webinar, we discussed three overarching initiatives a company can take to combat burnout. What’s important to understand is that no one initiative will solve every problem, and it takes a combination of these (and more) to truly provide your team with enriching, exciting work.
Job rotation
While traditionally used for entry-level employees, job rotations offer powerful benefits for burnout-prone teams. By exposing staff to new challenges, these rotations can reignite career momentum for employees feeling stagnant.
The benefits extend beyond individual growth. Fresh perspectives emerge for long-standing challenges, while cross-functional empathy flourishes as teams better understand each other’s roles. This ripple effect can transform organizational culture. Start small if resources are limited—even simple shadow days, where staff volunteer to observe different roles, can spark positive change.
Automation
The bottom line is you should absolutely be automating anywhere you can, especially if it’s for prescriptive, systematic activity. This includes tasks like vulnerability management, ticket creation, and identity access requests. However, be cautious when you’re making automation a goal, and be sure to ask your team:
- Do we have the bandwidth to take this on as a project?
- Does our team have the skillset to automate, or will it require additional help?
Blindly pointing to automation as a solution without answering these key questions can increase burnout across your team if they suddenly feel like they’re burdened with yet another item on their endless to-do list.
And if the answer to one or both of these questions is no, start small: document. Documentation is the first step to automation, and it can automate the decision, even if it’s not an option to automate the task itself. “Maybe we can’t automate the task, but now at least once it comes to I have something I can follow,” encouraged Phillip Serio, Senior Director of IT Security & Compliance at Hershey Entertainment Resorts, in the webinar. Incremental improvements can quickly add up in improving day-to-day workflows.
Outsourcing
Outsourcing can be a word that makes people nervous, so be careful throwing it around. However, identifying the right tasks—and tools—to reduce the workload of your team is critical for job satisfaction. The ideal candidates are processes that need human oversight but are routine enough to pass to trusted partners—similar to automation-ready tasks. This can include things like detecting malicious activity with MDR (which isn’t the same as MSSP or SIEM), identifying and removing faux websites, and using machine learning for data crunching.
Success hinges on careful vendor selection. A poor fit that adds complexity rather than removing it, will backfire, intensifying the burnout you’re trying to prevent.
Managing burnout in yourself
Managing burnout isn’t just about taking strategic initiatives. If your budget is limited, try some of these approaches to improve team attitudes.
- Crowdsource your problem-solving (or productive venting). Whether it’s via an online forum (like Reddit), or a meeting of similar teams facing the same problems, additional perspectives and ideas can often make a world of difference (even if you’re just commiserating).
- Change your scenery. If you stare at a screen all day, find a meeting you can take on a walk instead. Plan a team meeting at a local brewery or coffee shop.
- Build relationships. This doesn’t mean you have to become best friends with your colleagues. But taking time to discuss things outside of work issues can help you feel connected again.
- If you’re a leader, listen to your team. Even if you know you can’t solve a problem, taking the time to ask how someone is feeling and why they feel that way will make them feel valued. And bonus, it may lead to a creative solution no one would have thought of alone.
Want more on burnout? You can watch the full webinar here, or download our ebook, Unplug your team: combatting cybersecurity burnout, for more information.