Like many information security professionals, Tessian CISO Josh Yavor once found himself working late nights and weekends. He did it to help his team, he said, but it wasn't helping him.
"As security leaders, we try to shield the organization by taking on the heroics ourselves. Then we miss family events or doctor's appointments, and we get burned out – and our leadership by example drives unsustainable behavior," Yavor said.
After realizing he was working too many nights and weekends, and setting a bad example, Yavor put an end to it. But it wasn't easy.
"I forced myself to stop working after a certain number of hours, and to hold myself to that," he said. "It was one of the hardest things I have done professionally."
Yavor is hardly alone. Data and expert insight show there is no single cause of burnout. Lack of talent, too much time in meetings, too many manual tasks, too little training, the ever-changing threat landscape, and misalignment between security staff and company leadership all play a part.
So, too, does the mentality of the typical security professional – working hard, and often late, to stop attackers in their tracks and save the day.
"We have a personal orientation to solve these difficult problems. We're mavericks," said Karen Worstell, senior cybersecurity strategist with VMware. "We feel invigorated and energized by these problems. We thrive in a space between success and absolute disaster."
But that comes at a cost. Worstell said she has experienced burnout twice in her career, sacrificing self-care in the name of doing more.
At the leadership level, a Tessian survey showed that three in five CISOs struggle to "switch off" once the work day is done, with the average CISO logging 11 more hours than they're contracted to work.
5 strategies to help security leaders (and their teams) combat burnout
With many factors contributing to burnout, no single step or initiative will fix the problem.
Hiring more people and encouraging self-care will help, but organizations need to take a much more holistic and enterprise-wide approach.
Worstell, Yavor, and others provided five recommendations for security leaders looking to better define their work and mitigate the impact of burnout.
Clarify the expectations of the CISO role.
Most corporate roles have had decades to "mature their practices," said Shamla Naidoo, head of cloud strategy and innovation at Netskope. In other words, people tend to know what HR, finance, or operations executives are responsible for.
That's not always the case for the CISO, which is a relatively new leadership function. "There's an astounding breadth of responsibility in the CISO's remit, but it's not standard from one company to another. There's a black box," Naidoo said.
While most new executives can immediately set out to solve a problem, a CISO needs to settle in and see how corporate culture reacts.
The best fix is for security leaders to define how they set priorities, tell the board and other executives what they can expect from the CISO, and set boundaries.
"If we delay addressing one thing, we need to explain that we're focused on another thing that's more important," Yavor said.
Partner with other business units.
Most corporate functions don't favor decisions by committee – but security is an exception because the CISO's responsibilities tend to touch everyone in the company, Naidoo said.
Collaborating with other business units gives CISOs insight into their priorities and distributes security decision-making so not everything falls on the security team's shoulders.
"If you let people make the decisions that they are in the best position to make, then you have a community of experts," Naidoo said.
Adopt a more focused approach.
As security leaders set priorities – including what tools to invest in and what problems to solve – they should focus on addressing the company's most pressing needs first, said Josh Klick, cybersecurity evangelist at Devo. That way, if something does slip through the cracks, it's less of a risk, and the impact to the business is minimized.
This emphasis on high-priority fixes will also help improve alignment between the security team and the rest of the business, reshaping security's reputation from innovation blocker to business partner. In turn, better alignment influences what the security team does next, Naidoo said.
As part of this approach, leaders should consider the automation of repetitive security tasks — anything that their teams do several times each day, Klick said.
The challenge is doing this without implementing more tools that teams must learn and maintain. This complicates operations while making it difficult for companies to find security professionals with experience managing a wide range of bespoke tools, Naidoo said.
Invest in the right kind of training.
One consequence of burnout and employee attrition is the loss of institutional knowledge when security professionals leave, said Carlos Rivera, principal security advisor at Info-Tech Research Group.
"This is stressful for security leadership, and it creates an environment of uncertainty," he said. "It can take 90 days to onboard someone new – to get them to learn techniques and the organization."
In response, CISOs are investing more in training, including opportunities such as CISSP and CISA boot camps, which can come with a price tag of $3,000 or more.
"Companies may not have thought about this before, but it's making security professionals feel more at home," he said. "They feel excited about companies investing in their own employees."
Shift the focus from reaction.
When security professionals work like first responders, triaging hundreds of alerts a day and assessing threats in minutes, the security function operates on a purely reactive basis.
"If you stay reactionary, then you set yourself up for needing heroics, rather than prevention," Yavor said. "Heroics are necessary, but it's also often the result of a failure situation."
One approach to addressing this is enabling self-service tools for common "security blockers" that often result in a low-priority Help Desk ticket, Yavor said. For example, when an employee can't log into a business application, the IT system could call up a self-help solution instead of generating an alert that requires a human response.
"For every alert or engagement flow where the next step is a human talking to another human, is there a way to apply tooling to make it asynchronous?" he said. "The vast majority of things don't need to be synchronous. You don't need to wake someone up in the middle of the night."
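One way to encode the triage policy described above, as an added example that is not code from the article, from Tessian, or from any other organization it mentions: known "security blockers" are answered with a self-help flow, repeats of an alert already routed are collapsed onto the open case, and only critical alerts (or high-severity ones outside business hours) page a person; everything else is queued for the next shift. The alert names, severities, help-desk URLs, the 30-minute dedup window and the 09:00-18:00 UTC business-hours window are all assumptions chosen for illustration, and the sample feed is constructed.

```python
"""Hypothetical alert router: decide which alerts need a synchronous human
response and which can be handled asynchronously or by self-service.

Added example, not code from the article or from any vendor it mentions.
Alert names, severities, URLs and time thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Common "security blockers" that usually become low-priority help-desk
# tickets; each maps to an assumed self-help flow instead of a human.
SELF_SERVICE_PLAYBOOKS = {
    "account_locked": "https://helpdesk.example/self-service/unlock",
    "mfa_device_lost": "https://helpdesk.example/self-service/mfa-reset",
    "vpn_cert_expired": "https://helpdesk.example/self-service/vpn-cert",
}


@dataclass(frozen=True)
class Alert:
    kind: str
    severity: str   # one of: low, medium, high, critical
    source: str     # user or host the alert concerns
    ts: datetime    # timezone-aware


@dataclass(frozen=True)
class Decision:
    route: str      # self_service | suppress | page_oncall | assign_analyst | async_queue
    reason: str
    playbook: Optional[str] = None


class AlertRouter:
    """Routes alerts; keeps per-(kind, source) state to collapse repeats."""

    def __init__(self, dedup_window: timedelta = timedelta(minutes=30),
                 business_hours: tuple[int, int] = (9, 18)):
        self.dedup_window = dedup_window
        self.business_hours = business_hours   # hours in UTC (assumption)
        self._last_seen: dict[tuple[str, str], datetime] = {}

    def _in_business_hours(self, ts: datetime) -> bool:
        start, end = self.business_hours
        return ts.weekday() < 5 and start <= ts.hour < end

    def route(self, alert: Alert) -> Decision:
        # 1. Known blocker: hand the user a self-help flow, no analyst involved.
        playbook = SELF_SERVICE_PLAYBOOKS.get(alert.kind)
        if playbook is not None:
            return Decision("self_service", "known blocker with a self-help flow", playbook)

        # 2. Repeat of something already routed recently: don't page twice.
        key = (alert.kind, alert.source)
        last = self._last_seen.get(key)
        self._last_seen[key] = alert.ts
        if last is not None and alert.ts - last < self.dedup_window:
            return Decision("suppress", "repeat within dedup window; attach to the open case")

        # 3. Severity and time of day decide whether a human is engaged now.
        if alert.severity == "critical":
            return Decision("page_oncall", "critical: synchronous response regardless of hour")
        if alert.severity == "high":
            if self._in_business_hours(alert.ts):
                return Decision("assign_analyst", "high during business hours: on-shift analyst")
            return Decision("page_oncall", "high outside business hours: wake on-call")
        return Decision("async_queue", f"{alert.severity}: queue for next working shift")


def triage(alerts: list[Alert], router: Optional[AlertRouter] = None) -> list[Decision]:
    """Route alerts in timestamp order and return one Decision per alert."""
    router = router or AlertRouter()
    return [router.route(a) for a in sorted(alerts, key=lambda a: a.ts)]


def route_counts(decisions: list[Decision]) -> dict[str, int]:
    """How many alerts ended up on each route (useful for a weekly report)."""
    counts: dict[str, int] = {}
    for d in decisions:
        counts[d.route] = counts.get(d.route, 0) + 1
    return counts


def _t(hour: int, minute: int) -> datetime:
    # Constructed timestamps: all on Tuesday 2024-03-05, UTC.
    return datetime(2024, 3, 5, hour, minute, tzinfo=timezone.utc)


# Constructed sample feed (not real data): one night and the following morning.
SAMPLE_ALERTS = [
    Alert("account_locked", "low", "alice", _t(2, 15)),
    Alert("suspicious_login", "high", "bob", _t(2, 20)),
    Alert("suspicious_login", "high", "bob", _t(2, 25)),   # repeat of the above
    Alert("malware_detected", "medium", "host-17", _t(3, 0)),
    Alert("data_exfil", "critical", "host-42", _t(3, 5)),
    Alert("suspicious_login", "high", "dave", _t(10, 30)),
]

if __name__ == "__main__":
    ordered = sorted(SAMPLE_ALERTS, key=lambda a: a.ts)
    for alert, decision in zip(ordered, triage(SAMPLE_ALERTS)):
        print(f"{alert.ts:%H:%M} {alert.kind:<18} {alert.severity:<8} "
              f"-> {decision.route:<14} ({decision.reason})")
    print(route_counts(triage(SAMPLE_ALERTS)))
```

On the constructed feed, only two of six alerts reach a person at night (the first suspicious login and the exfiltration), the locked account goes straight to a self-help page, the repeated login alert is attached to the existing case rather than paging again, and the medium-severity detection waits for the morning shift. The `route_counts` summary is the kind of number a security leader can put in front of the board to show how much of the alert volume no longer needs a synchronous human.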