Cybersecurity Burnout
Recently I have seen mentions in different outlets of the problem of burnout in an alarming number of cybersecurity programs. The Wall Street Journal had such a piece in which a number of CISOs complained that the programs they oversee are understaffed and what staff they have are burning out under the weight of the ever-growing deluge of cyber attacks of various kinds.
The problem described in the piece resonated with me. The tone and thrust of the CISOs' complaints did not. Before I talk about the problems to which I think I have useful input, I want to outline the problem to which I think I do not have useful input: the burnout problem.
I keep seeing the following dynamic in cybersecurity groups: there is a surge of cyber attacks and, mission-driven employees that we are, the cybersecurity folks respond by working more hours to deal with these particular crises. But the surge turns into the new normal, so while we wait for the cavalry to arrive, we fall into working late on weeknights. Then we find that we have to do a few things on Saturday to keep up with our other work. Then Sunday evening becomes a work night. By the time we realize that we are burning out, our excessive work schedule has become the norm, and since it is normal, our complaints that we cannot go on fall on very unsympathetic ears: isn't this normal? We sabotage ourselves by covering for being a few people short, so that when we ask for a few extra people to cover the shortfall and then a few extra people to get ahead, we seem to be asking for the moon. I don't have a good answer to this problem, but luckily Pythia Cyber has Ted Hayes, our Behavior Lead, and he has thoughts.
So back to the problems I feel I can address. Ted pointed out to me, when he and I were discussing the WSJ article, that just about every C Suite member feels that his or her group is underfunded and understaffed. But while every leader seems to want more resources, technology leaders in general and cybersecurity leaders in particular often do a bad job of making the business case for needing more resources. Technology people tend to think in terms of level of effort and absolutes: no bugs! We need this feature! Our C Suite colleagues tend to think in terms of Cost vs Benefit, all expressed in dollars, not hours of effort. Rich Mironov helps product managers tie their interactions with the Board and C Suite into what he calls "Money Stories" (here is an excellent example), and I think that this is a lesson that many CISOs need to learn as well. Don't ask for more money and more people. Tell a story of threats to be avoided, attacks to be thwarted and protection to be extended and reinforced, all of which prevent downtime, reputational damage and other costly things. You can't afford not to!
In addition to that all-too-common problem of tying the need to the benefit, there was a lack of options offered in the CISOs' complaints. "More money, more people, please" is not a very sophisticated approach. Offer a range of options; for instance, I would have beat the AI drum: they have AI, so we need AI, not to replace people but to reinforce them. AI is not only good for attacks; it can be an effective tool for pattern-matching logs to look for early signs of attack. There is a fair bit of daily drudgery in being a cyber defender: perhaps you could lighten the load if your cyber defenders oversaw an AI's analysis of the logs instead of reviewing them by eye. We need smart people, we need special-purpose and carefully monitored AI, and we need training in all of the above. That may all boil down to "more money, more people, please," but that is not the point: without the money story you don't get the money. Even if you've earned it. Even if you deserve it. Even if some future disaster makes it clear that you were right.
Bring your colleagues along with you as you figure out what you need. Hire talent, support that talent and defend that talent. AI is like the tide: if you fight it you won't win but if you ride it you will go far.