Burn, Baby Burn
Why dealing with cybersecurity’s culture of burnout and overwork is key to the industry’s survival.
Blog Post
May 16, 2016
Dan Ward couldn’t recognize himself anymore. A few months after he took over as the director of information security at a small company, his job started to eat him alive.
With a seemingly endless amount of work and little organizational support, Ward, who was in his late 20s at the time, says the toxic work environment began to poison his body and mind. Suddenly, he had chest pains, heartburn, and eventually, extreme mood swings and mental instability. “Over time, my mental state eroded,” Ward recalls. “I became a person that I could have never imagined myself being.”
A person who blew up at colleagues, and one day, erupted during a meeting with his boss. A person who was eventually “drummed out of the company.”
Ward’s story is one of many — part of a growing trend of burnout and overwork in the cybersecurity and information security field that threatens not only the future of the industry, but digital safety for all of us.
We all know about the threat of malicious hackers to our personal information. But failing to address this workforce issue could be just as destructive. The future of the cybersecurity industry hinges on eradicating burnout and dismantling the culture of overwork.
Figuring out how to do that requires a better understanding what really causes burnout and overwork. Let’s start out by busting one myth: It’s not always about the number of hours someone spends in the office.
Rather, burnout and overwork are symptoms of same problem: We’re not giving managers the tools and the knowledge they need to support their employees. They’re often unknowingly driving their employees insane by sending emails 24/7 or refusing to adjust work deadlines or schedules to make it easier for their subordinate to do their best work.
This gets to a key reason why it’s so important we address this issue — and how ignoring it could put us all at risk: Burnout and overwork are driving away talented people. Already, there aren’t enough infosec employees to address the increasingly complex threat landscape, and that talent shortage is only going to get worse. One recent study shows that burnout is the number one reason for the industry talent shortfall, especially at the top. Fewer people working in cybersecurity means all of us are more vulnerable.
We also know that recruitment of women is a big industry challenge — and that women make up only about 10 percent of the infosec workforce. It turns out that the culture of overwork is especially hard on women: Harvard research shows that the culture of overwork is a bigger obstacle to women in the workplace than a lack of family friendly policies. That’s in part because the majority of caregiving work still falls to women. But if women take advantage of flex-time policies to fulfill these responsibilities, that ends up stalling their careers because they’re less committed to their jobs.
The second reason that we need to take this threat seriously: burnout and overwork cost companies financially. Overwork and burnout can create the conditions for health problems like depression and heart disease (recall the case of Dan Ward). Those conditions, in turn, can lead to absenteeism, rising health insurance costs and turnover. And then there’s the actual work product. Stanford University research shows that productivity falls sharply after 50 hours or so of work a week — in other words, diminishing returns.
Alright, so enough with the dire stats and stories. What exactly can we do about this?
Let’s recall that these problems have a root cause: managers without the tools and knowledge needed to support their staffs.
So, here are three ideas for those managers — strategies that they can use to treat their employees more like individuals with distinct needs, rather than cogs in a machine. These come from expert interviews and research into employee retention.
Ask: Questions are powerful. And that’s why many companies use exit interviews to find out why employees are leaving their jobs. But that information doesn’t really help the company PREVENT the employee from leaving in the first place. Instead, why not do a Stay Interview, and talk to your employee before he shows any signs of leaving. Ask him about what will make him stay, and what makes him feel supported and motivated?
Motivate:
There’s a higher mission in information security that is often obscured by the need to meet metric-based objectives. You aren’t just deploying firewalls, logging threats, pushing out tickets and analyzing alerts. Remind your employees regularly — they aren’t just protecting information — they are protecting people. They’re protecting the country. This is something that’s key to retaining and recruiting women and millennials, who tend to be more attracted to positions where they can see a social or communal impact. And this is why companies spend so much time crafting mission statements: they help to infuse day-to-day work with a higher sense of purpose and meaning.
Monitor: Like cybersecurity, the consulting industry also suffers from burnout/overwork related retention issues. The Boston Consulting Group started producing a “Red Zone Report” that gives managers insight into which members of their consulting team are working especially long hours, enabling them to intervene and reduce and rebalance the workload across the team. Crucially, this intervention has an additional layer of built-in oversight: If a particular team, or certain individuals, are in the Red Zone again and again, an Office Administrator or Senior Partner will step in to figure out how to make the workload more sustainable.
The bottom line: sustainability isn’t about making cyber jobs “easier” or changing the nature of the work. It’s about treating employees like humans, rather than cogs in a machine, so that they can do their best work over the long-term.