“71% of [security] analysts experience some level of burnout,” and “64% say they’re likely to switch jobs in the next year.”
I love this industry, and it pains me to see statistics like this, even assuming massive bias in the data. While the “security analyst” role is a broad category of cybersecurity professionals, burnout is a recurrent thread across the many different roles in cybersecurity, especially “front line” roles and mid-level management who deal with day-to-day operations. If we genuinely believe that cybersecurity is worthwhile, we cannot tolerate these levels of burnout.
Let’s get the bad news out first. Yes, cybersecurity is demanding; we’re fighting an “asymmetric war,” where the two sides are not playing by the same rules. Cybersecurity professionals must operate under a moral, ethical, and legal framework, while malicious actors don’t. While we must constantly defend, we rarely get the opportunity to hold the perpetrator responsible. The ambiguity and gray areas in this constantly changing field are intense. I would argue that this is what causes the most frustration and burnout: the sheer amount of change and critical attacks on a day-to-day basis means there’s no room for complacency or passivity. Oh, and there’s no certainty.
We have to deal with never being done. We have to deal with the ambiguity. We won’t know if we have successfully mitigated all the threats and vulnerabilities inside our systems, and we will never know. But putting aside the ambiguity and uncertainty, we must still act – implementing with acceptable confidence the business’s risk decisions to the best of our ability. F. Scott Fitzgerald said, “The test of a first-rate intelligence is being able to hold two opposed ideas in mind at the same time and still retain the ability to function.” It’s a hard position to hold, but it’s possible. That’s where the good news comes in.
Burnout is not a requirement for our industry. It is not inevitable, nor is it an invincible bogeyman. There are three things I have found helpful in avoiding burnout:
First, be disciplined.
I don’t mean, ‘work harder and have less fun.’ I mean, learn how to turn it off, take care of yourself, and be disciplined in doing so. Cybersecurity preserves what is important to us—the visions of small businesses, the income of families, the way of life we treasure. But if cybersecurity and the tensions it creates become all-encompassing, you’ll lose what’s important anyway. Instead, focus on what’s important, and protect it. Know both what you value (family, health, property, etc.), and what your values are (integrity, honesty, rule of law, love of neighbor, justice, fortitude, etc.).
Second, reassert curiosity and critical thinking.
The more we can disconnect frustration, anger, and disappointment from our critical thinking, the more effective we are at making good decisions. Part of being able to do this is how well we are supported. If our team operates like an expedition (versus a “project” or “function”), where people have come together to accomplish a goal (especially a goal worthy of extended commitment), we are a support to each other through difficult moments. We can reignite curiosity and critical thinking… and keep our sanity.
Finally, keep the passion.
Even as we separate ourselves emotionally from problems and look at them objectively, we cannot lose the passion that comes from knowing what we do is important. Remind yourself of that. Remind your team members of that. There is a beautiful world beyond the day-to-day grind of cybersecurity, and we are part of keeping it that way.
The Voice of the SOC Analyst. (2022). Tines.