Curbing pandemic burnout: 3 steps you can take to support overwhelmed security teams
We’re a year and a half into the COVID-19 pandemic, and burnout is hitting employees hard. Recently, Okta CEO Todd McKinnon used an all-hands meeting with employees to underline the importance of taking vacation. In April, LinkedIn announced it was giving the entire company a full week off to unplug, recharge and help curb burnout.
For security teams, burnout isn’t a new phenomenon. Given the need to always be on and ready, cybersecurity professionals already face high levels of stress, and the pandemic has added to increasing and alarming burnout rates. On the heels of the Exchange, Kaseya, and SolarWinds attacks, it’s no surprise that cybersecurity teams are overworked and exceptionally stressed -- we’re under a lot of pressure.
Burnout by the numbers
According to a November 2020 survey by the American Psychological Association, three out of four Americans agreed that the pandemic was a significant source of stress for them. And according to data from Glint, manager burnout increased 78 percent between the first and fourth quarters of 2020.
Cybersecurity teams in particular are feeling it. A recent study found that over half of security professionals surveyed either left a job due to burnout, or knew someone who had. Every CISO surveyed in one study said the average security role in their team was stressful, and 91 percent said it carried moderate to high levels of stress. And 65 percent of SOC professionals in one survey admitted that skyrocketing stress levels have caused them to think about quitting.
This all comes at a time when the federal government is facing a severe shortage of cybersecurity professionals -- when it, arguably, needs them the most.
But you don’t need surveys and statistics to feel the impact. Our teams -- and we as security leaders -- live this every day. We discuss it in our friend circles, in our one-on-ones, and in our team meetings. So, what can companies and security leaders do for these crucial teams that are always on and increasingly susceptible to workload fatigue?
Here are a few ways that you and your organization can get ahead of the security burnout, before it impacts your business operations, your customers and, most importantly, your people:
Encourage your security teams to take the time they need to rest and recharge
Consider the pressure these teams face daily. They may feel they’re one unpatched system or one phishing email away from a breach, which could impact their organization, their coworkers, and themselves. And with the proliferation of remote work, that line between work and personal life can be harder to find. These employees need time to unplug so they can come back refreshed and do their best work.
That’s why it’s important for you to encourage your security team to take time off, and to set an example yourself of taking a break and disconnecting -- and yes, that last part might be difficult! The logistics of time off can be tough when you’re in an "always on" role, but by working with each member of your team to ensure there’s someone else who can cover their responsibilities can take a great deal of pressure off when the time comes for PTO. I have a friend who, once backup roles have been defined, has each individual in her team take an unannounced day off, as a way of both testing those backup plans and starting a healthy cadence of time off.
And tell me if this sounds familiar: An email goes out late at night or over the weekend that’s not urgent, but spins one or more people up to work on the issue. I’ve certainly been guilty of this -- but sending those messages during the workday, instead, can help protect that work-life balance. By respecting downtime, whether it be PTO or just after hours and the weekend, you’ll foster a culture where employees feel comfortable taking the time they need to rest.
Something else to consider: Your team’s work preferences. If early morning meetings aren’t working for your team, change the meeting time. Talk with your employees about what their schedules and boundaries are like. Is being online 8:00 AM - 5:00 PM increasing productivity? Would they be more focused if they could take a break in the afternoon? Work together to determine what would make each individual feel fulfilled and do their best work -- especially as the workforce remains largely remote, and security teams aren’t only balancing massive workloads and various time zones, but also caregiving and parenting obligations, personal health needs, and more.
Invest in making the job easier
We spend a lot of time as security leaders finding, buying, and implementing technology, all in the name of helping our teams do their jobs easier and better. But tools that increase complexity and require a lot of care and feeding may have the opposite effect, and frankly can make your team miserable. Automate the tedious stuff. Find -- or build -- tools that work for you, that decrease the load on your team, and that make their job easier.
Finally, take time to listen
Although we seem to be spending more time "together" during the pandemic -- in meetings, on video, and so on -- we’ve lost that time we’d spend talking with someone in the breakroom, at lunch, or at our desks. Interactions have become two-dimensional.
If your people are feeling burnt out, listen to them and make changes to ensure that they feel supported. Give them space to talk about their concerns, individually or as a team. My team holds a general retrospective meeting about every six weeks, to discuss what went well, what didn’t go well, and what topics people have questions about. We also take down action items for follow-up.
And team meetings aren’t about status checks or projects -- we certainly have plenty of those already -- there’s just one topic, "how much fun are you having, right now?" We go around the room, each person explaining their score, and what’s driving it, whether at work or outside of it. It may sound simplistic, but it’s just a way to get the team talking and listening.
Everything a security team does is for the good of the organization, its constituents, and its workers. By prioritizing the wellbeing of your security team members, you will be in a better position achieve that goal.
James Nelson is VP of InfoSec, Illumio