A happy team makes for a happy CISO, which reduces burnout and staff turnover at all levels. Here are some low-budget approaches top professionals have taken to ease the stress.

Working in cybersecurity is only getting harder. Cybercriminals continue to up their game as security teams scramble to catch up with attack tactics and techniques. Organizations put near-impossible demands on their security departments, often with little or no support. The “always-on” nature of many roles in cybersecurity (from SOC analyst to incident response to the CISO) regularly interferes with a good night’s sleep, and rarely do security pros take enough quality downtime. Many CISOs worry that the next breach will get them fired, and the breaches keep coming fast and furious.

As work stressors rise, so too does burnout, which in such a tight labor market only perpetuates the cycle of under-resourced security departments, a major cause of stress for security professionals at all levels.

“Cybersecurity professionals at all levels are burning out. Our research shows this is only getting worse,” says Jon Oltsik, former industry analyst and author of ISSA’s 7th annual “Life and Times of Security Professionals” report. “Much of the stress is related to skill shortage, so a staff of 10 is doing the work of a staff of 13. This year we see budget cuts and more tightening, which only perpetuates the problem.”

Nearly 65% of 369 respondents to the ISSA survey said their jobs are getting harder, citing increased complexity and workload, more threats and larger attack surface, regulatory compliance pressures, and understaffing as their top stressors. The report also indicates the vast majority (81%) of respondents who said they are under stress considered leaving their jobs on a regular basis, versus 17% of those satisfied with their roles.

4 steps to help break the cycle of burnout and stress

Fortunately, with few resources, security leaders can break this vicious cycle to improve their own job satisfaction and that of their teams. But the effort must be proactive — it involves communicating, listening, including, empowering, and incentivizing security team members.

To help heal their stressed teams, however, cybersecurity leaders must first reduce their own stress levels. Fortunately, the two go hand in hand because a happier staff tends to stick around, reducing a major stressor for CISOs.

Below, experts share their best tips for improving morale across all layers and roles in the cybersecurity team — without requiring more resources from the organization.

1. Share with peers

Whether it’s about solidifying partnerships with business managers, changing corporate culture, or correcting errant employees, peer input is golden. No matter the scenario, it’s likely that other security leaders have dealt with the same or similar situations, so their input, empathy, and advice are invaluable.

“One of the ways I work against burnout is through consistent communication with my peers because the problems we all go through are relatively consistent,” says Jimmy Sanders, formerly head of information security at Netflix and incoming ISSA international president.

“Right now, one of the huge stressors we talk about is AI, specifically how to set realistic expectations for management when it goes out and buys AI, then tells people they will lay off staff because AI can do their jobs now. Then they expect to see results, even if we have to manufacture them.
Burnout can be real for security leaders and everyone on their team.”

So, Sanders and some of his peers are working out templates to help business leaders make educated decisions about acquiring new tech like AI, covering factors such as value versus cost, accuracy, new risks and the costs of managing those risks, and the manpower needed to install and maintain the solution.

“It’s our job to say to our business leaders, ‘I’ve talked to my peers. They said they’re only seeing 40% returns on the solution,’” Sanders says. “This is one of the things that peer groups are designed for. And it shows that you are on board with transformative tech to achieve business outcomes.”

2. Share with business leaders

Well-informed leaders are more likely to champion and include security in new initiatives, an important shift in culture from seeing security as a pain to embracing security as an important business tool. Such a shift greatly reduces another top stressor among CISOs — lack of management support.

In a security-centric organization, team members in all roles experience less pressure to perform miracles with no resources. And, instead of fighting with leaders for resources, the CISO has more time to focus on getting to know and better manage staff.

Susanne Senoff, CISO at PROS Holdings, an AI-powered sales and pricing optimization platform with more than 300 million in revenue, feels lucky to work for a company with a security-first mindset. But she’s no stranger to toxic and unsupportive executive leadership, which she experienced in some of her past roles.

She recalls how, at a previous company, executives had rejected her mentor’s bid to promote her to CISO when he vacated the role and instead placed a peer in the position, telling her to support him. She didn’t stay long.

It all worked out, though. That same mentor recommended her for her current role at PROS, with a strong security culture where she felt immediately supported by her company leadership.

3. Share with your team

Senoff’s true challenge was transforming burned-out, dysfunctional superstars into a sustainable high-performing team.

“When I joined, I highly expected everyone on the team was going to quit. They loved the company, but working in security was terrible for them. They’d been overwhelmed and working excessive hours. The people were talented and fabulous, each individually great, but they couldn’t work together well. My boss and I agreed that my most important success factor was to take care of the team.”

She commenced weekly one-on-one meetings to learn her staff’s stressors, get to know them and understand their roles so that, as Senoff puts it, she could help them “identify their purpose.”

Because of past experiences, she adds, “Team members were terrified of making a mistake. And their roles were jumbled, so they were stepping on one another’s toes, which created internal rivalry. Once I got to know them, I gave them swim lanes, showed them that I have their backs, that we’re all in this together, each with their own roles that coordinate with and support other roles.”

In the one-on-one meetings, she actively empathizes with and empowers team members to solve their own problems where they can, such as when an employee thought another was gunning for them. She coached them on how to communicate with that team member directly to try to resolve the issue, telling them she’d step in if needed but had confidence they could resolve it. “Having the agency to fix their problems, along with strong support really helps prevent burnout.”

She’s also given team members agency over the fear-of-failure mentality by emphasizing “fail fast” (which the team is trying to rename to something more positive). She describes the concept this way: “Security is tough, ambiguous, and we are often solving novel problems. We don’t always get it right and that’s OK. Failure is analysis paralysis.
Success is ‘I gave it a go and I learned and improved.’”

She also encourages people to be themselves, or as she says, “not to feel like they are walking on eggshells at work.”

4. Share rewards, recognition, and downtime

Senoff advocates for her team at the highest levels of her organization, and shares their accomplishments with company leaders, who then recognize and reward the team members directly or through Senoff. Recognition, she says, boosts individual and team morale and motivation. “I am grateful for and do not take for granted having excellent leadership above me that supports me and my team. I try to make it easy for them.”

And, since personal stressors also impact burnout, she encourages team members to share their personal stressors at her one-on-ones or in the group meeting where they can be supported. Maybe they just need time off to unplug, but in security, the stigma of not being on 24/7 holds people back from taking time that they’ve earned and deserve. When she observes stressed-out employees on the path to burnout, Senoff often nudges them to unplug and recharge for as long as they need to.

As the ISSA survey reported, happy staff generally stick around longer, which ultimately helps prevent burnout among security leaders.

“For CISOs, staffing can be a major stressor, especially when it involves navigating teams and circumstances that may be beyond our control,” says vCISO Renee Guttmann. “As a CISO, it’s essential to focus on what we can control — such as hiring talent and ensuring fair team compensation — so that we can reduce the pressure, and position ourselves and our teams for long-term success.”