Security Burnout

For those in the corporate world, it may seem strange that May is the month I am most likely to implode. It’s only the fifth month of the year, the weather is warming up, and conference season is well under way!

For those in Higher Education, it’s completely foreseeable. May is the end of the year. After ten months of steady work, graduating students celebrate, faculty go elsewhere for research, and continuing students take the Summer to earn more money or take vacation or whatever it is they do.

For administrators, particularly those involved in technology things, Summer semester is the time when the heavy lifting actually begins. This is the time when you can make changes to wireless environments, or deploy logging indexers, or upgrade an ERP — because the bulk of your customers are not around. It’s also the time when you do end-of-year reviews, finalize next year’s budget, and refresh your strategic plan. Non-HigherEd folks always ask if we “get Summer off”.

No, no we don’t.

Burnout is a funny thing (not). It’s not just that you’re having a lousy week, or that a dismal project is consuming all your time. Burnout is a pervasive low-grade fever of exhaustion, of constant cynicism regarding the people you work with and for, a state of mind/body/spirit that bleeds into all aspects of your work and personal life. It seeps into your bloodstream while you aren’t paying attention, and makes it hard to concentrate on the positive aspects of your life.

Security is a profession that is particularly prone to burnout.

We are already conditioned to be cynical and paranoid (“Just because I’m paranoid doesn’t mean they aren’t out to get me”). Our role in an organization requires us to question a lot of things, to verify how effective the controls actually are, to see what other people might miss.

Our jobs have us regularly seeing negative events — when people’s accounts are compromised, when attackers get past the unicorn vendor product, when systems are so fragile they cannot be patched — and like law enforcement, we develop a crusty outer layer of professional stoicism in order to proceed throughout our days. Of course, we’re not allowed to discuss these things broadly, because of the potential reputation damage that making this stuff more public might cause.

We’re constantly being told to “lighten up”. We are not the team of “No”, we’re the team of “Yes…And”! Our psychology partners tell us that folks don’t want to hear about negative things — that to change security behaviors we need to emphasize the positive, to motivate people to positive action, to enable them to be part of the winning team!!!

It makes me all so tired.


Burnout is a big problem for Chief Information Security Officers.

An effective CISO sets the tone for Security at the organization with everyone we meet, and everything we say. We must balance the tendency to question and judge with the requirement of building an open, trusting partnership. We must motivate our teams to do the right thing the right way, every day, with a can-do attitude and a positive mindset. We must be willing to hear vendor sales pitches for what they might offer, not what they think they can do. We must present our case for Security to senior leadership, and not be emotionally invested when that case is rejected in favor of speed, or convenience, or something else. In short, we must be good at flexing our personalities and styles to meet the circumstances of the moment.

I know, this is true of any leader in any type of organization. True. But Security has a different problem: non-Security folks are already primed to dismiss Security — we’re too hard to work with, we don’t understand their needs, we slow them down. Give them any reason to think we are not credible, and the time and effort needed to repair that relationship is enormous; in the meantime, it can make them act in less secure ways.

When your mental energy bank account is running low, being a positive role model is hard to do.


I used to use the analogy of the frog in the pot of water to describe how an organization’s culture changes. I would presume to suggest that the frog (people) wouldn’t notice the increasing water temperature (Security) until it was too late for them to change back. I thought I was cleverly explaining that making a work culture more Security-aware was slow, and happened largely without the organization noticing the change. And that this would be a good thing.

This is the wrong analogy to use, because ultimately the frog boils to death.

I don’t know what the correct analogy is, but somehow the CISO (and the rest of the Security team) needs to come into equilibrium with the culture of the organization. This happens when the organization gets to do what it does, AND where Security is valued and the Security professionals are supported. Otherwise, Security is the frog.

Equilibrium often happens at the organizational level. Leaders are aware of the need for Security, and company statements are universally supportive of making our organizations, and our society, more secure. However, equilibrium does NOT happen in the day-to-day grind of the Security workday. And it is here that Burnout takes place.


There are plenty of articles available to us which help us identify signs of burnout, and how to combat those signs. I wrote about this topic (sort of) last July.

This month, I’m taking steps to avoid Burnout:

  1. I’m on vacation. Not doing Security. Not traveling anywhere, either (that’s too much like work). Hanging with family and friends.
  2. I attended a terrific conference full of Security friends where I learned some new tricks, and received a lot of positive affirmation (Note to self: register for this as soon as I can).
  3. Sleep/Diet/Exercise. Not necessarily in that order. Well, actually, yes, in that order. Although Diet is more about good food and drink than any kind of deprivation thing. And Exercise is more about walking the dog in the sunshine than any kind of heart-rate/sweat thing.
  4. Trying to find a couple of things that are or will be “blockers” to the success of my role, and my team, and working on ways to change or remove these blocks in the coming year.

When I am not Burned Out, I am positive, extroverted, strategic, creative, pragmatic and calm. When I am Burned Out I am grumpy, short-tempered, tactical, rigid and overworked.

It’s pretty easy to tell the difference.

Either way, I have to acknowledge that I am human, and I must allow myself time to recharge and recover. I can also acknowledge others who are experiencing Burnout too, and support them while they repair themselves. As CISO, this is doubly important, to ensure that the work we do and the relationships we build are productive and mutually beneficial.

May it be so.