The information security industry is suffering from burnout. It’s suffering because businesses think they can deal with security “later.” But later only comes when something bad finally happens.
When a company finally does a pen test on its existing publicly available app, and it returns tens of thousands of tickets, the higher-ups in the company panic. “Later” is here, only now they don’t know what to do. They decide to build a team, maybe even hire a bunch of info sec pros to come in and fix everything. But they can’t get the amount of talent they need quickly because of budget constraints, so they take the handful of people they can get. They may even call one a CISO or Head of Info Sec, and then try to get this handful of people to do the job of a 20-30 person team.
This company is already starting out behind, and with thin resources, things won’t improve fast enough. The board is now mad because there are so many problems and everyone is worried about getting sued. Have we already been exposed (probably, maybe, who knows)? Are we being hacked, currently? The board wants this five-person team to handle these thousands of problems and get it done in under a year, a task which may have been impossible for the 20-30 person team to do, let alone a five-person team.
What happens next in this scenario is surprising to no one but the board. The people brought in to fix the problems and close the tickets end up burning out. They’re working almost around the clock to do their job, and there’s a ton of pressure to not only fix the problems but to also figure out how to prevent future problems at the same time. That’s a hard ask for any team.
But that’s only part of the reason info sec professionals are burning out. When it comes to information security, businesses prioritize funds when it’s already too late. If an alert comes through and an info sec team sees that there is a vulnerability, they automatically bring it to the attention of the higher-ups. That’s their job: to notify the company of things that could put the business at risk.
But much of the time, those higher-ups say that it’s too expensive, or it will take too long, or it’s not a priority right now, just leave it alone. Now your info sec team is in a bind. They’ve taken oaths to do the right thing to protect this information. It might not be the company’s info, it might be customers’ info, but they’re being told to ignore a vulnerability that they see as a problem.
Regardless of the reason, now they feel demoralized. They were hired to do a job and they aren’t being allowed to do it, so why are they there? It starts a cycle of willful ignorance. If the company doesn’t care, why should I bother? I’m just going to ignore this other alert. I’ll halfway fix it, but not really care how well it’s done. My boss doesn’t care about security, so why should I? They become apathetic about security because they are forced to ignore things that shouldn’t be ignored, or to do things quick and dirty as opposed to thought-out and secure. This is a dangerous path for a security expert to be on, and it leads directly to burnout.
While it is possible to contract out your information security duties when something hits the fan, it is far more efficient to do things in a secure fashion from the beginning. It is more effective to listen to your own staff and handle security according to their recommendations than it is to ignore them. Ignoring your info sec specialists will lead to problems down the road. You don’t want to incur the cost of making something secure from the start? Imagine the cost when it breaks or gets hacked. You lose business and reputation, profits shrink, and you’re paying out more in labor, either for overtime or for a contractor to fix the problem, and it was all preventable.
Creating a culture around information security is so important. It’s not just to keep your business running effectively and securely. It’s also to keep your employees from becoming apathetic and burning out because they can’t properly do their job. A secure culture starts at the top.