Your cybersecurity team called, they said it's time for a change.
By Karen Worstell, Senior Cybersecurity Strategist, VMware
May 31, 2023

An introduction to this article appeared in the monthly Creating Connections newsletter put together by the women of The CyberWire. This is a guest-written article. The views and opinions expressed in this article are those of the authors, not necessarily the CyberWire, Inc.

The cybersecurity industry as we know it needs help. The threat landscape is continuing to evolve, with attacks becoming increasingly frequent and complex by the day. This means defenders need to be at the top of their game at the front lines of defense to protect businesses’ infrastructure. But how can this be done properly if the industry and cybersecurity first responders themselves are suffering?

The concept of burnout is not a new one for cybersecurity pros on the front line of defense. However, it can – and has – reached new heights for those individuals who are prone to always being on high alert. As the number of attacks continues to rise, the phrase “attackers never sleep” rings loudest for these individuals who are constantly wondering when attackers will strike next.

Managing Burnout 

Speaking from my own personal experience, this state of being “always-on” can impact more than just our mental health. In 2013, I took a sabbatical from security after a series of personally devastating events made it difficult for me to re-enter the workforce in a cyber role. During this time, I started my training as a chaplain. I took time to reconfigure my work-life balance and reinvigorate my productivity in my work – and most importantly – my well-being by focusing on something that was a major life goal. In the process, I learned a great deal about moral injury, workplace distress, and burnout. I returned to the Tech industry from my role as the Palliative Care Fellow at the VA in Portland when I realized that those highly impactful states were prevalent in the Tech community. I like to say that Tech is my foxhole.

We need to focus on burnout as a serious issue, a symptom of workplace dysfunction rather than a sign of personal failure, and address it accordingly. It’s important that managers recognize burnout as a hazard that comes with jobs that always focus on finding and fixing what’s broken in a high-stakes environment, a task that has recently become a significant career risk. As leaders, we can create a culture and work environment where employees feel safe to express concerns and contribute their best work. If you are a leader worried about burnout within your organization, take a closer look. Is a once attention-prone employee now making careless errors and mistakes? Are some of your team members taking frequent sick days? If the answer is yes to any of these questions, now may be a good time to check in with these individuals. At the end of the day, we’re human beings, not human doings – we require a healthy balance between our personal and professional priorities; valuing our work while simultaneously valuing our mental and physical well-being. When this balance is not maintained, you'll likely end up losing top talent. 

Addressing the talent shortage

The cybersecurity talent shortage in the United States has left teams understaffed, and rising cases of burnout are not helping. A recent study from VMware found that 69% of cybersecurity professionals who have experienced burnout symptoms considered leaving their job as a result. What’s more, Gartner predicts that by 2025, nearly half of cyber leaders will change jobs due to multiple work-related stressors. With security teams already spread so thin, business leaders must make it a priority to retain top talent. This is a multi-faceted undertaking and I suggest three of the top strategies that will make a difference:

  • Create an inclusive culture. Currently, women comprise about 10% of cybersecurity leadership, and women in technical computing roles make up close to 20% of the technology workforce. The reasons are less related to recruitment than they are to retention. Structural issues affect performance management, pay and promotion equity, and meaningful benefits for women, such as on-site childcare and services that allow women to safely and effectively offload some of their at-home responsibilities (errands, meal-prep, emergency child care). Equity at work begins at home.
  • Embrace Digital Transformation with Security in Mind. For the cybersecurity industry to retain its existing workforce and attract future talent, we need to empower security teams to take charge, work smarter and achieve a feeling of accomplishment. This comes with improving processes, automation and baselining the environment. Shrinking the attack surface, driving false positive alerts to zero, and reducing the dwell time of intruders are all essential metrics that point to digital transformation with the outcome of making the overall business easier to defend from a cyber perspective.
  • Create a culture of presence and listening. This will naturally promote critical skills such as empathy and a healthy approach to self-care because it creates strong and trusting relationships. These skills are essential for senior leaders to attain. When leaders model the vulnerability necessary to truly hear another person and encourage self-care, it creates a supportive environment that improves employee engagement and creativity. 

The work that needs to be done to close the cybersecurity talent shortage will not happen overnight. However, changing the narrative around burnout, creating more opportunities for women, and providing the necessary resources to ensure that defenders – present and future – have the proper support and resources to thrive in their cybersecurity role are good places to start. These improvements will not only create a more positive environment within a security team, they also have tangible business benefits to improve the work environment for everyone.