An off-cadence reflective post. The topic is one I have been quietly thinking about for several months and is worth writing about explicitly.
Burnout in the security-practitioner community is real and is, on the available evidence, getting worse.
Why I am writing this
2001 was a hard year. The operational tempo was higher than any previous year I have observed in the field. Several practitioners I correspond with have, over the past 6 months, indicated some combination of:
- Difficulty maintaining their previous workload sustainably.
- Reduced enjoyment of work that they previously found rewarding.
- Health consequences from the cumulative stress.
- Considering leaving the field entirely.
None of these is unusual in any individual person. The clustering across multiple practitioners is what concerns me.
My own experience is more bounded. I do not work in the field full-time; my notebook work is voluntary. The stress of 2001 was real but did not approach the level my full-time-practitioner correspondents are describing.
What is producing the burnout
From the conversations, three patterns recur.
The cadence has accelerated. Worms once a quarter has become worms once a month. Each requires response work; the response work has not similarly accelerated. Practitioners are doing more in the same time.
The stakes have grown. Each incident now involves more compromised hosts, more affected users, more financial damage. The pressure during incident response is higher than it was a few years ago.
The visibility has grown. Senior management at many organisations now pays close attention to security incidents. The pressure of being visible to the boardroom is different from the pressure of being responsible to one's own team.
These are structural; they are not the practitioner's fault. They are the consequence of the field's growth and importance. The work has not adjusted to the new conditions; the practitioners are absorbing the gap.
What helps
From my own observation and the conversations, things that seem to help:
Real time off. Not just "I am at home but available" — actual off-the-clock time where work obligations cannot reach. Several practitioners have committed to specific protected time and report that it materially helps.
Workload boundaries. Knowing what one is not responsible for. Several organisations have over-extended their security teams' scope; a clearer scope reduces the pressure.
Peer connection. Talking to other practitioners who understand the work. The community-of-practice I described in last year's reviews is, in my experience, restorative for participants.
Realistic expectations. Both the practitioner's own and their organisation's. Pretending that the workload is sustainable when it is not produces breakdown later. Acknowledging that the workload is unsustainable produces conversations about how to change it.
Time away from the screen. Walking, exercise, hobbies that do not involve computers. The cognitive recovery from intensive technical work is largely outside the work itself.
What does not help
A few things that, in my observation, are sometimes proposed but do not actually help:
Pure productivity advice. "Better time management" and similar do not address structural overload; they address it tactically while leaving the underlying problem in place.
More tooling. Better automation can reduce specific workload but rarely changes the overall pressure.
Heroic individual effort. Practitioners working harder is the path to breakdown, not to recovery.
Prizes and recognition. Acknowledgement is nice but does not address the structural problem.
What organisations should do
For anyone running a security team:
Account for the cadence. Plan for an incident every month, not every quarter. Resource accordingly.
Provide protected time. On-call rotations with clear off-call expectations. Vacation that is actually off. Recovery time after major incidents.
Invest in succession. A team that depends on one or two senior people cannot survive their burnout. Building skills across the team protects against single points of failure.
Be realistic about what is achievable. Most organisations cannot defend perfectly. Acknowledging this with management reduces the pressure on the team to attempt the impossible.
What individuals should do
For the practitioners I correspond with:
Take care of yourselves. The work matters; you matter more. The notebook will continue; the patches will continue; the worms will continue. None of this is more important than your sustained capacity to do the work over years.
A small personal reflection
I am, by some measures, lucky. The notebook is voluntary; my professional work is not all-consuming; my discipline of calibrated humility keeps me from over-committing.
For the people I correspond with who are in harder positions: I see you. The work is hard; the people doing it deserve more support than the field currently provides. I will continue to write about this when it is useful.
More in time.