IDG Contributor Network: Why burnout happens in Information Security

What are the signs that lead to employee burnout in Information Security? I’ve been a CISO for 10 years. I’ve worked in Information Security for 15. I’ve worked in tech a lot longer than that. I’ve seen more co-workers and peers burn out and leave the industry at all levels, from entry-level analyst to a number of my peers. This is an endemic issue, according to the article by Kelly Sheridan in Dark Reading: “Burnout, Culture, Drive Security Talent Out The Door.”

This isn’t written for the CISOs or security people. It’s written for the CIOs and management that can help stem the tide of this major issue. Many of the issues my peers and I have observed that drive people to burnout aren’t technical in nature. They are communication and cultural issues. We’re going to discuss them below.

Giving excuses instead of spending time on security

When you have team members and managers who refuse to do anything to improve security, give excuses, and then openly solicit work from others, you have a compound problem. There are two issues here. The first is failing to take a risk-based approach to work and to address open risks. The second is allowing managers to put their own priorities ahead of the mission of the organization. In both cases, if you allow this, you are opening yourself up to serious security issues, and you do not have control of your organization, despite what you think. You will also contribute to security people being disengaged.

Thinking security is going to do everything for you

Every large company has an internal audit team whose job it is to assist in discovering potential pitfalls. However, it’s not their job to address them. When Information Security conducts a risk assessment, the same rules apply. Just because they discover a risk doesn’t mean they now own it and have to fix it. Security is a team sport and needs to be treated like one. Organizations need to work together to address risks, not pawn them off on someone. If you are not addressing your risks and improving there, which is the goal of internal audit, you’re not improving elsewhere and you are stagnating.