Cybersecurity has a burnout problem. This is not new (or surprising) news per se, but we, as an industry, are certainly getting better at talking about it. The first step, they say, is admitting that there’s a problem. The next? Examine the scope and impact of the problem before thinking about how to solve it. Such were the key themes of a panel discussion, Combatting Burnout to Protect Both Your Data & Your Ethics, led by Andrew Rose, CISO of SoSafe, at this year’s International Cyber Expo.
At this year’s Expo, panel discussions and keynotes on the brand new Diversity & Skills Stage focused on topics affecting the people within the cybersecurity industry. Burnout is, undeniably, a pertinent topic in this area. With threats getting more frequent and more sophisticated, a perfect storm for unhealthy work cultures has emerged – and burnout is an unfortunate, but almost inevitable, by-product. Cybersecurity is already a thankless career and now professionals are having to work overtime to stop threats. It’s tiring keeping the status quo.
During the talk, Andrew Rose was joined by Chris Denbigh-White, CISO of Next DLP, and Jasmine Eskenzi, Founder and CEO of The Zensory, a popular wellbeing, productivity and habit management app. What was particularly moving about this panel discussion was hearing real-world practitioners describe their own first-hand experiences of burnout, as well as those of their peers. The advice given by the speakers came from a place of true empathy, a crucial element of building a healthier workforce. The panel session strived to destigmatise burnout and it did just that.
The session began with a short guided breathing exercise led by Eskenzi. The audience was invited to hack their senses and enter a state of focus. It is thought that there are many powerful benefits to an act as simple as taking a deep breath; one of those is even a significant reduction in phishing risk. The science behind why is a whole other article.
Firstly, the discussion focused on how leaders can recognise the signs of stress and burnout within themselves and their teams. For CISOs, they noted that the signs of burnout may manifest as partaking in ‘self-protecting decisions’ to reduce overwhelm and burden. This could look like non-disclosure, avoidance or taking shortcuts. These acts undermine trust, a fundamental cornerstone of cyber. They noted the ethical challenges and choices that are thrown up by environments of high stress. Cutting corners is not only risky, but reckless. Yet, there’s only so much time to get work done.
CISO Denbigh-White noted that stress and burnout don’t happen in a vacuum. Rather, they affect the whole team and present a larger issue. He noted that real change must happen within and that, as a CISO, you have to look after yourself to be able to look after an organisation. You can’t lead a team if you don’t look after yourself properly. But what does he advise that business leaders do to reduce burnout and, in turn, cyber risk within their organisation?
- Listen to staff – create a workplace where staff feel able to talk about their feelings, emotions and struggles, as well as any security concerns. This must be a safe space, free of judgement.
- Embrace automation – where possible, embrace automation to reduce the burden on the wider security team.
- Delegate – Empower staff to take on tasks with full trust. There’s a reluctance to take executive decisions with a fear of litigation and blame looming large.
- Recognise staff efforts – Celebrate the achievements of the whole security team. Celebrate when things go well.
- Create a positive security culture – create a safe space for people to voice their concerns about security, without blame.
Ultimately, the speakers noted that organisations must create safe environments where employees are able to learn and grow, with guardrails that allow them to thrive safely. A strong security stack inevitably takes some of the stress away from security teams and relieves pressure. They noted that security must be done alongside the wider industry, with clear lines of communication open. A collaborative mindset is key.
The takeaway? Strong security postures that support security teams build organisational resilience. Denbigh-White says: “Resilience is a team sport” – resiliency is best achieved when we have a support network. We need other humans; stress leads to isolation.




