A role in cybersecurity, while rewarding, can also be extremely taxing psychologically. We spoke to Chris Schueler from Trustwave about why burnout is so prevalent and how it can be addressed.
Chris Schueler, the senior vice-president of managed security services at Trustwave, began his cybersecurity career in the US military, when the field itself was still in its infancy.
Though cybersecurity has changed a lot since then, Schueler feels that his military background has remained relevant – in both the military and in cybersecurity, you’re on the front line, be it a digital or literal one.
“Today may be your worst day,” as Schueler puts it. “You may log into your computer and see absolute chaos. [You may] be called out of bed at two in the morning to quickly realise that the worst thing has happened: your environment has been breached, your data is spread across the internet. That reality used to be few and far between. Now, it’s not a matter of if, it’s a matter of when it’s going to occur.”
Even when things do occur, they generally aren’t clear-cut. In reality, it’s more grey than anything else. “Things that you think may have occurred may not have occurred. Things that you think may be benign or a false positive may actually be the first indications of a compromise or breach. That grey nature in general doesn’t make for a structured environment … you have to think with both a white hat and a black hat.”
Not only this, but in an industry as tight-knit as cybersecurity, news of large data breaches, and the professionals who oversaw them, travels “at the speed of the wire”. Schueler added: “The minute something happens, your personal reputation, not the company’s, is now on the line.”
As one might expect, constantly being braced for ruin, and the feeling that this ruin will instantly become very public, will put knots in the stomachs of even the most zen of people. This is why, Schueler argues, burnout and stress overload are endemic in the cybersecurity industry.
Bad for everyone
Nobody wins when employees are stressed beyond belief. It’s bad for the workers themselves, of course, but Schueler argues that it is disastrous for employers and managers, too. “The scariest thing [an employer] can have is a cybersecurity team that is burnt out, because now they’re so overwhelmed, [they] can’t care any more. That’s your worst-case scenario.” If a cybersecurity team has become despondent, the “dwell time” – in other words, how long it takes for a cybersecurity threat to be detected and then neutralised – can stretch beyond a year.
While Schueler contends that cybersecurity is, in some ways, inherently high-stress, that is not to say that the situation can’t be allayed somewhat. Schueler stresses that cybersecurity teams need to be the right size, though adds that the ever-growing skills gap can make expanding teams pretty difficult. In lieu of that, managers can ensure that employees aren’t faced with a workload that increases their stress levels.
The working schedule should be peppered with appropriate breaks and managed so that the most intense elements of the job don’t fall too consistently on any one employee. If need be, Schueler suggests, outsource elements of the cybersecurity strategy as a way of calling in extra reinforcements to address threats.