Retaining Infosec Professionals: Dealing with Stress, Reducing Burn Out and Improving the Work Environment

Posted on by Caroline Wong

I remember going out for a night on the town with my friends, about a decade ago. It was a Friday evening after a long week at work. For years, I had been commuting from San Francisco to San Jose every day. It wasn’t uncommon for me to leave my home at 6 am in the morning, and return at 8 pm in the evening. I worked on an incredible team and had a great boss. We did very interesting work and there was a lot to do. As the months and years went by, I found myself saying “yes” to more and more responsibility. At one point in time, it had felt great to be learning new skills and completing many projects. But lately, it just felt like I had this never ending list of things that I wanted to get done. Every day, the list got longer. I felt like I was always behind. 

On this particular night out, I noticed a strange feeling. I was surrounded by good friends whose company I enjoyed, and it was a beautiful evening in the Marina district of San Francisco. I don’t know if anyone but me would have noticed that anything was wrong. I was SO TIRED. So tired that after looking forward to this outing all week, now that I had made it here, I couldn’t even enjoy it. I just wanted to go home, and sleep. Instead, I ordered another cocktail.

You don’t need me to tell you about the talent shortage. How often do you feel overwhelmed by an increased workload? How frequently do your teams have to postpone or forego training, planning, or strategy in order to fight fires?

An ISSA study found that 70 percent of information security professionals feel impacted by the talent shortage. Three major impacts to the workforce include burnout, ineffective hiring practices and limited performance. The latest Global Information Security Workforce study by ISC2 reports that the workforce gap continues to grow, with the projected shortage reaching 1.8 million unfilled positions by 2022.

The world needs information security professionals. It needs us to be functioning and productive, and it needs us to stay in our jobs and keep doing our work. What can we do to take care of our teams and retain talented individuals?  

Prevent Burnout

The evening that I just described to you was the beginning of a slow realization that I was burnt out and that something in my life needed to change.

Burnout is more than just one stressful incident. It’s a state of chronic stress that leads to physical, emotional and mental exhaustion. When you’re burnt out, it’s easy to feel like nothing’s working right and even less is getting done. Severe burnout means that you can no longer function effectively on a personal or professional level. The tricky thing is that burnout doesn’t happen overnight. It sort of creeps in gradually, in a sneaky way that fools us into thinking that living in a state of constant stress is normal and acceptable. 

Living in a state of constant stress shouldn’t be normal and it is not acceptable.

Build Trust 

In 2012, Google conducted a study to try and figure out how to build the perfect team. They examined everything from how frequently people eat together to common traits between the best managers. They analyzed 180 teams throughout the company and they also reviewed half a century’s worth of academic studies on how teams work. Surprisingly, the data didn’t seem to show that a combination of particular personality types, skills, or backgrounds made any significant difference. 

It turns out what does matter is something called psychological safety, a concept that Harvard Business School professor Amy Edmonson describes as “a sense of confidence that the team will not embarrass, reject, or punish someone for speaking up.”

Because I’m a security person, I think about this idea like a software application that’s never been tested for security issues. The issues are there, but they’re hidden until someone intentionally tries to find them or they explode unexpectedly during an incident.

Similarly, teams are always going to have their issues, regardless of whether people talk about them or not. Team members that trust each other are more likely to share information so that issues comes to the surface and can be managed efficiently and proactively.

Learn to Prioritize

In order to prevent burn out, infosec professionals need to trust that they can go to their managers and talk about what they need to do their work. Often times what’s needed is a strong leader to make decisions about prioritization. It’s easy to fall into a trap of saying that everything is very important.

But what happens when everything is deemed critically important? Nothing gets the focus that it needs to be successful. The key to prioritizing effectively is to explicitly identify what is NOT going to get done, so that you can make room for what actually needs to get done.

This is the second of a three-part blog series from Caroline Wong exclusively on the RSA Conference blog. Check out the first blog on attracting new candidates to the industry and stay tuned for the final installment in September which focuses on culture change in the industry.

Caroline Wong

Chief Strategy Officer,

professional development & workforce

More Related To This

Share With Your Community