How to stop cyber burnout
What is employee burnout?
I believe it to be when a team member has lost passion and drive due to the work itself. An employee who has burned out can still be a high performer; however, they do not have the same passion and drive that they came in with. Ultimately, this means that the person is not content and is just pushing through work.
My experience with burnout
I have been burned out twice, for different reasons. The first time was due to having to work a large volume of false-positive alerts. It was all I worked, despite all efforts to reduce the volume. The second time was due to consistent roadblocks with an engineering team. The engineering team itself was understaffed, so it wasn’t their fault. The roadblocks constantly put significant wait times on tasks or projects I was working on.
My perspective
Employee burnout can happen in any role. In this post I am speaking from my experience within the cybersecurity field, especially Security Operations Centers (SOCs).
Why should you care?
Security operations is only as good as the team itself. If your team is burned out, then your capabilities are significantly hampered: you’ll be paying salaries to employees who are not yielding their best work, have an increased probability of making mistakes, and no longer have high drive and passion.
Mistakes
The increased probability of mistakes should not be overlooked. Say a burned-out analyst picks up an alert already pre-conditioned to believe it’s a false positive, because a high volume of alerts with the same name have historically been closed as false positives, and incorrectly closes it as a false positive. You potentially have a situation where an analyst closed the only alert that surfaced a compromise.
Slow Production
A burned-out team or person typically only does what is necessary. The team or person might not be motivated to learn new things or go after new certifications. The team or person might become irritated when there is work to do that differs from the norm. These signs are especially visible in roles that do not inherently expect new things.
The prevention!
Because there can be many reasons for someone being burned out, there’s no one-size-fits-all fix. However, in cybersecurity, especially in SOCs, some root causes are common. It is important to ruthlessly tackle the topics below.
High volume
If each of your analysts is having to close tens of alerts every day, that’s going to mentally compound into burnout. You need to be very careful and very picky about which detections are released. Just because a detection is assigned a low severity does not make it okay to release it into production when it will cause tens of alerts every day.
High false positive rate
If 99% of the alerts your analysts are closing are categorized as false positives, this is a big problem, similar to high volume but distinct from it. Analysts will start developing an unconscious bias to believe that alerts are false positives before they even pick them up. Additionally, analysts begin to feel a sense of worthlessness: if all you work are false positives, you start to feel like you’re not providing any significant contribution to the protection of your company, your clients, etc. It is important to gauge this statistic.
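As an added example (not part of the original post), here is a small Python script that measures the two statistics the "High volume" and "High false positive rate" sections warn about, from a constructed export of closed alerts: alerts per day and false-positive rate per detection rule (flagging rules that need tuning before they compound into burnout), plus closures per analyst per day. The rule names, analyst names, field names and thresholds are assumptions.

```python
from collections import defaultdict


def _sample(rule, day, analyst, n_fp, n_tp):
    """Build constructed closed-alert records (not real SOC data)."""
    rec = lambda disp: {"rule": rule, "day": day, "analyst": analyst, "disposition": disp}
    return [rec("false_positive") for _ in range(n_fp)] + [rec("true_positive") for _ in range(n_tp)]


# Constructed two-day case-management export: one noisy rule that is almost all
# false positives and one quiet rule that mostly finds real activity.
ALERTS = (
    _sample("Rare process from temp dir", "2024-05-01", "alice", 29, 1)
    + _sample("Rare process from temp dir", "2024-05-02", "bob", 30, 0)
    + _sample("Known C2 beacon", "2024-05-01", "alice", 1, 2)
    + _sample("Known C2 beacon", "2024-05-02", "bob", 0, 1)
)


def _aggregate(alerts, key):
    """Group closed alerts by `key` ("rule" or "analyst"): total, false positives, days seen."""
    stats = defaultdict(lambda: {"total": 0, "fp": 0, "days": set()})
    for a in alerts:
        s = stats[a[key]]
        s["total"] += 1
        s["days"].add(a["day"])
        if a["disposition"] == "false_positive":
            s["fp"] += 1
    return stats


def detection_health(alerts, max_per_day=10.0, max_fp_rate=0.90):
    """Per rule: average alerts per day it fired and share closed as false positive.
    A rule is flagged for tuning review when either exceeds the (assumed) threshold."""
    report = {}
    for rule, s in _aggregate(alerts, "rule").items():
        per_day = s["total"] / len(s["days"])
        fp_rate = s["fp"] / s["total"]
        report[rule] = {
            "alerts_per_day": round(per_day, 2),
            "fp_rate": round(fp_rate, 2),
            "needs_tuning": per_day > max_per_day or fp_rate > max_fp_rate,
        }
    return report


def analyst_load(alerts):
    """Per analyst: closures per day worked and the share of them that were false positives."""
    return {
        name: {"closures_per_day": round(s["total"] / len(s["days"]), 2),
               "fp_share": round(s["fp"] / s["total"], 2)}
        for name, s in _aggregate(alerts, "analyst").items()
    }
```

Run against a real export, a rule that shows up with a high alerts_per_day or fp_rate is a candidate to tune or pull back before it is left in production.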
No co-analyst support
If you have an analyst who is always covering a shift by themselves, that’s going to quickly lead to burnout. This one might not be so obvious. Knowing that you are the only one covering the shift, you feel a necessity to hawk-eye the queue to the point where you don’t do anything else. This is true even if, as a manager, you tell your solo analyst to relax and not focus on the queue too much; that’s not going to fix it. At a minimum, you must pair analysts together so that they can support each other.
Time to learn
Generally speaking, analysts are intellectually curious and have an innate desire to learn new things. Support this with a training budget, and allow training to occur during work time. Even just providing 1-2 hours a day to train can go a long way. However, there’s one giant caveat: even if you tell your analysts that they can spend 2 hours every day studying and training, it won’t do them any good if they’re bogged down with alerts all day.
Time to have fun
The team needs to figure out things they can do together that are fun. This can be something as simple as meeting at someone’s house for a BBQ. In a remote team, it could be a Minecraft server everyone joins. You can even have a virtual BBQ in Minecraft. The options here are nearly endless. It might be difficult to find something everyone enjoys, and you might not, which is why it’s important to change it up. Over time you should be able to satisfy the team as a whole.
Time to breathe
Don’t set the expectation that the team needs to be doing something every minute. Set the expectation that it’s okay to go for a walk with the dog if something is stressing you out. Don’t limit your team to just “walks” either; be open to different ideas for breaks: naps, an extended lunch break, a pool table, grabbing snacks from fast food locations, etc. If the team has good communication and trusts each other, then they will naturally make sure there is coverage that allows for these breaks without compromising the responsibility of the SOC.
The Restoration
Burnout will happen. If you’re a manager and/or in a lead position, try to catch the signs of burnout. Before you do anything, don’t point any fingers. Figure out what’s going on. Personal life issues could be at play, so you want to be cognizant of all possible reasons.
Vacation
Once you’re burned out, the most effective reset is vacation time. If your company offers unlimited PTO, then I would encourage mandatory vacation, preferably two weeks or more if possible.
Work Rotation
If the burnout was caused by some specific work, rotate that person out to a different role, or exclude the person from that work specifically for a period of time.
Prevention
Vacation is only a temporary fix if the reasons for the burnout have not been addressed, which is why it is crucial to work on prevention as much as possible.