Cybersecurity Burnout: What It Is, Why It Matters, and What to Do About It

Posted on by Karen Worstell


Burnout is a critical issue for company productivity, innovation, and talent retention. This month is devoted to burnout: causes, identification, prevention, and what to do if you are already there.   

I recently gave a keynote address about the problem of burnout in the cybersecurity space. What astonished me was what happened after. Audience members approached me, many with tears in their eyes, to admit that they were at the end of their ropes. They were so relieved that my talk had shown them it was an industry-wide issue, and not something wrong with them. 

Burnout reaches crisis proportions in what are known as “high-adversity” professions, such as cybersecurity, where mistakes are costly, every task is mission-critical, and hyper-vigilance is everyone’s default state.

Cultures that foster burnout suffer from chronic slow performance, disengagement, and “presenteeism” -- which some studies suggest costs companies 10 times more than absenteeism, to the tune of $150 B per year. 

What leaders can do to spot, prevent and fix burnout 

The stress inherent in the cybersecurity field is never going to go away. Given that hypervigilance and the high cost of mistakes are baked into the job, what can managers do to help their teams, beyond the rubber-stamp response of referring them to employee assistance programs (EAPs)? 

Recognize the signs of burnout 

Burnout doesn’t happen all at once. There are telltale warning signs, like disengagement and cynicism, before outright exhaustion sets in. Watch your team and yourself for things like performance decline, increased number of sick days, intensity of disagreements, and impaired concentration. Are you seeing these crop up in your company?

Make it OK to not be OK 

Make sure your employees know that if they are experiencing burnout, it’s not going to be seen as a fault or weakness, but as a hazard that comes with the job. Let them know it’s safe to express their concerns about what’s going on with them and in the workplace. This gives you a chance to head off the problem before your best people head out the door. 

Understand what really helps 

EAPs are OK but they only go so far. Show your people you empathize and care about them by not only investing in their technical skills but also in their well-being. You can bring in resilience training workshops that will give them the tools to better handle the stressors that come with the job. 

Slow is Smooth and Smooth is Fast 

The prevailing belief system is that working harder and faster than anyone thinks is humanly possible is a badge of honor. Show your team it is essential to learn how to slow down and take enough time to be able to think things through - because it is good for them, and in the end, things will actually run more smoothly and effectively. 

What if you’re the one experiencing burnout? 

Cybersecurity pros spend their lives protecting others and we often forget to keep an eye on our own well-being. 

Your emotional and physical states are intertwined, and the net effect is something management coaches like Tony Robbins call “state.” Your state is a combination of your language, your focus, and your physiology. With that in mind, here are a few suggestions I invite you to try and share with your teams.

Be mindful of your language. Instead of saying something like “I’m insanely busy! This is bananas!”, it makes a world of difference to say, “We’ve got so much opportunity ahead of us,” and do it with a truly positive point of view. 

Your focus. Do you dwell on the problems? It is common to believe you can’t take your eye off the ball but you do need to take a break periodically. Don’t be in a hurry to solve every problem immediately. Take your time and celebrate solutions and success so that becomes your focus. 

Your physiology. Even with a world-class company gym, it can be tough for people to take care of their physical body. There are all kinds of reminder apps to breathe, drink, not slouch, etc. and just as many ways to ignore them. This is something you have to take seriously to stay in the game for the long haul. Having workout buddies or regular class schedules can help. Making a commitment to others can help keep the commitment to yourself. 

If you are the one who is already “so done with this” I invite you to believe that you are not broken; the problem is not you. This is a perfect time to invest in yourself - to find a coach or a program that will give you new perspectives and ways of handling adversity.  

As cybersecurity professionals and leaders, we must stop dismissing burnout as not a real problem, and expecting people (including ourselves) to just “suck it up.” It’s causing too much suffering, too many mistakes, and costing our industry too many great people. The suggestions above are battle-tested. With awareness, empathy, and belief in a healthier, more inclusive culture we’ll all do well -- all the better to keep the world’s data safer.

Karen Worstell

Sr. Cybersecurity Strategist, VMware
