According to a survey published in Information Security Magazine, 91% of cybersecurity professionals have experienced mental health challenges at work. 50% percent of the responders attributed the problem to the high-stress nature of their jobs. A driving factor of these challenges is that 70% of organizations are understaffed. For Security Professionals, stress can come with the territory, but poor culture and poor management style are opportunities for change.
It’s important to recognize that a large majority of IT professionals are facing more significant mental health challenges and burnout is part of a continuum.
When it comes to moments of collective trauma, such as the pandemic, the law of thirds tends to apply. This means, about a third of people really struggle and have challenges that require intervention, about a third of people manage to just barely keep their head above water, and about a third of people can thrive and grow from these moments. How do we move into that third, how do we move our employees into that third, and how do we move our companies into that third?
During a MassTLC Security Community fireside chat, “How Security Leaders Can Reduce Burnout and Increase Employee Retention,” security leaders discussed this ever-relevant topic. Panelsts included Julie Fitton, VP, Digital Product Security, Stanley Black & Decker, Inc; Lorna Koppel, Director-Information Security/CISO, Tufts University; Paschall Freeman, Director of Governance, Risk, and Compliance, meQuilibrium; and Josef Rutcho, CISSP CISA CTPRP CMMF ITIL-F, Governance, Risk, and Compliance Analyst, meQuilibrium. The panel was moderated by Adam Perlman, MD, MPH, FACP, Chief Medical Officer and Co-Founder, meQuilibrium.
Here are some key takeaways.
On the unique challenges security teams face.
“As a security professional, you’re held accountable for a lot of things when you don’t always have direct control. That unto itself can be a very stressful aspect of our field. You add to that times of economic stress, social stress, challenges in the environment in which we’re operating, and other aspects that are outside of the workplace that add stress. Then you layer on top of that the stresses that the field itself creates. Responding to incidents, trying to drive organizational change, and trying to convince people to behave in certain ways that might be counter to the rest of their motivations for why they show up to work every day. There also has been a big push for self-sufficiency in the workforce. Services that had been available to people like executive administrative support, management support, and support resources from HR where you have a human that you can call up and talk to and talk through some of the challenges are gone. A lot of those things have been replaced with streamlined organizations with automation or with call centers, where you don’t necessarily get the emotional support side of things. I combat this by trying to listen to people’s concerns and be that sounding board for them. I let my team know that making mistakes is not only okay, but it’s also expected.” – Julie Fitton, VP, Digital Product Security, Stanley Black & Decker, Inc.
“Another challenge to security teams is the fact that they often are dragged into doing things that are not security because there’s so much decentralization, which causes a lot of stress if they feel like they’re wasting their time. To combat that, we try to look at our clear roles, responsibilities, and objectives. What’s the roadmap of what we’re working on? Then the key part is the gratitude we try to bake in throughout the entire IT organization by routinely recognizing success and how we’ve made progress. There’s a lot that you can do to make people feel welcomed and help manage stress levels. It’s important for leaders to recognize and take that into account by asking what can be done differently.” – Lorna Koppel, Director-Information Security/CISO, Tufts University
“It’s important for us as leaders to recognize that we set the tone for how our teams deal with stress and things that cause burnout. While it’s true that everyone can build individual skills, as leaders, we can look at the teams that we’re managing and help them understand that what we are doing is not scary. It’s not a threat. We’re not here to say no. We have a process we call trap it, map it, and zap it, where we recognize that something’s happening, we recognize why it’s happening, and then we zap it by applying a healthy behavior so that we can mitigate the negative impacts of that stress.” – Paschall Freeman, Director of Governance, Risk, and Compliance, meQuilibrium
On the leading causes of burnout.
“It’s not the work that we do on a day-to-day basis that we signed up for that’s causing us to burn out. It’s all the other stuff we do. It’s the paperwork and the tedious stuff, not where we get to ideate, be creative, and do problem-solving. Also, having unreal expectations about how much a person can do has been a real cause of burnout.” – Paschall Freeman, Director of Governance, Risk, and Compliance, meQuilibrium
“One of the areas is specific to top-down culture. Your people will look up to you in the behaviors that you are carrying forward and try to mirror and reflect your behaviors. If you are not practicing self-care, if you are not giving yourself space, if you’re not expressing a degree of vulnerability to your people, then they’re going to be resistant to doing those things, or at least to show that they’re doing those things in a public way. It’s about rapport and trust. It doesn’t really matter where in an organization you sit; someone is looking up to you.” – Julie Fitton, VP, Digital Product Security, Stanley Black & Decker, Inc.
“Encouraging your team to think about what their boundaries are is a great way to start that conversation. You should encourage your teams to tell you what they need in order to be successful and what they need to do to take care of themselves.” – Paschall Freeman, Director of Governance, Risk, and Compliance, meQuilibrium
On behaviors to look for that might be warning signs of burnout.
“What are they saying in meetings when you’re catching up on stuff? Dig deeper into some of the things that they’re frustrated about. Really pay close attention to their reactions to work assignments, questions, and their behaviors. You can start to see a different negative talk which indicates that their perspective is off and how they’re dealing with it could be causing them a lot of stress, ultimately leading to burnout.” – Lorna Koppel, Director-Information Security/CISO, Tufts University
“The information security professional typically is a very driven personality. I think that when they’re stressed and have all these demands coming in at once, the natural impulse is to keep working harder and longer. Bring up mental health in your one-on-ones with your employees. If we can interrupt those patterns of multitasking and overworking, we can reduce stress and put an emphasis on self-care.” – Josef Rutcho, CISSP CISA CTPRP CMMF ITIL-F, Governance, Risk, and Compliance Analyst, meQuilibrium
On the icebergs that drive how organizations talk to management and some ways that we can mitigate them.
“One thing that I’ve noticed throughout my experience as an information security practitioner, is that it seems that burnout and stress melt away when employees have a sense of psychological safety. A sense of psychological safety is fostered by compassionate leadership and fair expectations. When folks have this safety and when they are resilient and practice self-care, they have tremendous power and ability to take risks. When folks take risks, they’re more likely to collaborate, innovate, and bring their best selves to work. A study from Information Security Magazine showed 51% of respondents in a survey stated that their mental health struggles were caused by poor culture and management styles. There is a great opportunity if management can embrace compassion and reasonable expectations. This will enhance the productivity of their teams, large or small.” – Josef Rutcho, CISSP CISA CTPRP CMMF ITIL-F, Governance, Risk, and Compliance Analyst, meQuilibrium
“A couple of the icebergs that we tend to fall into is the idea that what we’re doing is win or lose. You either completely succeed or completely fail. By giving your team room to make some mistakes or try something that may or may not work, you are helping to mitigate burnout.” – Paschall Freeman, Director of Governance, Risk, and Compliance, meQuilibrium
How Security Leaders Can Reduce Burnout and Increase Employee Retention was hosted by the MassTLC Security Community. To join the community and attend future events, contact Community Manager Joanna Rosenberg at firstname.lastname@example.org.