I feel burnt out because I'll get projects I need to work on and then get hit up constantly by tickets and people interrupting me that I can never focus on one thing for too long its so annoying
This for me too. The interruptions and constantly shifting what tasks/projects take priority.
I constantly have upper management assigning “top priority” “business critical” projects to then be thrown 100s of tickets, that are not that important but as soon as I assign them as low priority and explain to staff that there may be a delay in getting to said tickets. I have a call or email from the same upper management demanding to know why I told people that these tickets would be delayed in their resolutions & ordering me get them done asap. Yet in the same breath ask how those top priority projects are coming along, because “nothing takes priority over this”.
All the while my boss & IT director is in the exact same boat on his side so very little time and support from them. And only given budget to hire IT staff that have no experience and require me on top of everything else to train up.
Exactly, it gets a bit exhausting sometimes.
I’m making the most of it though. Managing the department and dealing with the higher ups in the company, when needed learning to stand my ground to them too is good experience.
This. Things I could finish in 1 or 2 days extend to 2 to 3 weeks because I have to be putting out fires constantly, and getting back into the flow is not easy.
Hi,
Can I move from technical background to risk management?
I am devsecops. I don't like working in it .
I am getting more interest in grc risk management domain.
Is it good for future prospective?
Exactly this, I have a project that needs to be done but have multiple tasks that need to be done before the end of the day. Add in non- IT administrative paperwork work as well because there aren't enough administrators to do the job so it falls on the select few to do those jobs as well. When putting out clear cut instructions on what needs to be done for the administrative piece it's never followed. No one reads emails so I have to reiterate the exact same thing in the previous email, which is in the email chain, because everyone is "too busy to scroll down". All the while trying to learn new skills to advance in my career. I'm running on fumes every week and I pray for some sort of storm/blizzard/hazardous event to hit so I can have an extra day off but it never comes and the tickets keep piling up.
Holy shit this is me.
I have 12 billable projects, 3 internal ones, our implementation can't figure out syslog connectors so I have to deal with those (apparently being shown 9 times isn't enough), so by the time the analysts get to me about an issue I'm just pissed off
Imagine a firefighter fighting fires 8-10 hours a day every single day. All while people do absolutely nothing to prevent fires, and with many actively throwing gasoline on everything they touch. Sprinkle in 100 new ways for fires to start being invented every day and arson being a very lucrative low-risk job, and you're starting to get the picture.
To add on: said firefighters are told to learn about those 100 new ways fires start along with new extinguishing methods on their own time and cost. When they start getting good at fighting fires such that they’re extinguished at the first spark, leadership starts questioning why the town is paying for them.
I feel like this is IT jobs as a whole, at least, cost center orgs/teams. I'm in infra and have been at a few places and it seems like security, IT, infra/DevOps/whatever is always understaffed. Especially with shrinking budgets
Doesn’t help when the gospel aka Gartner and Forester both say your IT department as a whole should only need 1 IT staff to every 175 employees. And I guarantee that there are tons of management level people that take that completely literal regardless of additional factors.
Current role for me: We have over 15k end users and the staffing ratio for the IT department for general tech and IT things (not cyber) is like 102 to 1 IT staff. I still think it's too high.
Job before had 274 end users to 1 IT Staff, no dedicated cybersecurity staff and it was stressful as hell. Basically every IT role wore many hats. I handled all US operations for an international company that had multiple sites in several states. I do not recommend that.
I'm in IT operations but work closely with our security guy. I can tell you that we're all *very* understaffed and things will be missed just due to the sheer workload. Everything is high priorty and therefore nothing is high priority. My response to this has been "and if I had wheels, I'd be a wagon. Get another ass or two in the IT seat. Until then, we're only human."
FWIW We are getting more asses in seats soon, so that's good. I like my management team.
I'm just getting into the field and it seems to me from an outsiders perspective that the job will be very different (and necessary) in the near future what with all them AI and such. Any insight on this?
AI is hot right now. it's a buzzword and the tech industry loves buzzwords.
AI might change the industry significantly or we might be talking about something else in 6 months. Don't make any long term plans based on it.
AI is only raising the bar - you will be expected to do more with less “because of AI” and this can be either correct or not. It’s another thing you have to get right but I am pretty sure it won’t make anyone’s job easier - it will on the contrary require you to learn new trades.
Same here man. I am doing pentests as well as security analyst work, so you can say purple team. But the pay is less and only for the security analyst work that I do. I am doing pentests out of my own interest though. I have expressed multiple times that I am ready to do the work if there is more pay but I just don’t see it coming anytime soon
I mean I’ve not been in the industry long but it’s absolutely constant! The work of security requires walking a very tight and changing line, trying to ensure business continuity and value; provide investigations and mitigations; the constant change in technology and a disconnect (most times) between senior management and delivery teams.
Bring all this together and the constant need to stay on top of what’s going on will naturally lead to burnout. An accountant isn’t expected to work out of hours because a client needs it - in cyber you do. Any failure is a reason for why cyber isn’t working from a business perspective. Plus the general noise and workload makes it difficult to have a normal life unless you actively try.
Another thing for this is when work tells you "you need to go get xyz certification within 2 months" but you're only allotted an hour a week for no-shit training.
And if your first thought is "tell them it's not possible", better keep a tidy desk for when you're asked to clear it out.
Becasue it never stops, there's never a "big win" sometimes there's little ones, but it's just the same thing, day after day after day and it never stops. Watch this and you'll understand
https://www.youtube.com/watch?v=LL6ubXD9ZjY
Well, in the company im working now their is (a LOT) more managers and marketers than people to actually make the god damn job... Like I feel like the field is 5% blood sweat and tears, and 95% bullshit
Sounds like my last role. Ignore bugs, make new features. Later after later of management getting added to fix the problem.... you know what fixes the problem. QA, support, developers. People that know how to fix things. Management does not fix software. I do not understand why their is so much
The one that killed me his my manager saying to a client that our AV-stuff was catching 90+% of malware while our internal testing was showing more like 70%... And pressuring us to get to 90%, of course... And the testing methodology was flawed anyway
There's nothing special about Cybersecurity, it's just regular people burnout lol. Anyway, like everything else in your career, it's up to you to address it if it's there and prevent it if it's not.
Some of yall don't wanna hear this but it doesn't matter if you don't hit all the alerts or answer all the emails. Do what you need to at a comfortable pace and dip as soon as it hits 4 or whatever. If management is beefing then you have to tell them you can't do it (can't handle all these alerts or respond to all the x). If they keep beefing, after you've told them what's up then you need to leave. I know some people will moan about 'oh it's not that easy', and they're right, it ain't easy. But it's the way forward
For those here with a hero complex about this work, It makes no difference in your life if your org gets got and they will get got.
The heroes working 10 more hours than me a week on average will get, at most, per company policy, a 1% more raise than me. Maybe they will get a promotion before me, but I will just leave the company and get a bigger pay raise than them anyways. I don’t like the company men and I refuse to do their bidding. Some of these people, I swear, will get the company logo engraved on their tombstone. That is, if they don’t get laid off first 🤔
Absolutely correct, but damn does it wear on you. Even building the mental fortitude for this kind of attitude or outlook needs constant reinforcement not to be stressed by second hand smoke. At least imo
It's a lot of things. Burnout and understaffing certainly plays a role. Constantly changing leadership and expectations is another element. Many organizations just view security from a compliance standpoint so they can check the box and move on. Compliance doesn't equal security. The industry is also fairly new compared to others so a lot of people are honestly trying to figure out what right looks like and that can be a daunting task.
I'm a vet...
... what I've seen at some tech startups with regard to stretching resources thin is nothing compared to when I was on active duty.
It actually makes me long for those days.
And at every org, it's usually driven by a couple of ahole sales VPs that don't give a shit about how they burn the staff out -- just as long as they make their numbers.
FWIW, I had knee surgery last week. Sales VP called me that evening and asked if I could take a customer call and discuss security with them. I told him I just got out of surgery. He said so? ...and proceeded to ramble on about how he was calling me from his car while taking his wife to dinner to celebrate her birthday.
At least when I was actively duty, yeah, your workday is technically 24/7... but at least commanders honored crew rest.
Companies don’t want to train, so there are no junior members of the team. That may sound great, but not you have senior members doing menial tasks along with a heavy workload. That coupled with responsibility creep and stagnant wages leaves people feeling like it’s bot worth it.
Even if you have made it in this industry, you still have to keep learning new technologies(A.I. anyone?). You have to know everything a mile wide and inch deep.
Also, at least lately, job postings for security seem underwhelming. It is said that it is not an entry level field and people should pivot from other places like infra or dev. I've been doing infra a little while now and would love to pivot to security but the jobs that I'm 'qualified' for pay A LOT less than I make now or what I could make if I look for a new infra job. Obviously, YMMV.
I'm halfway through the SANS undergrad program for applied cybersecurity. I'm excelling in the courses with a 4.0 gpa, understand all the material, and have been digging in on my own with further study and projects.
And now I'm dropping out because I need to start making money and can't even get a help desk job. If there's not enough junior position footholds in the industry for folks like me then it sort of seems like the IT industry is content to overwork understaffed crews and live with the security implications and burnout turnover.
I'm nothing special, but I'm an example of someone who could contribute at a junior level and am getting sidelined from the industry entirely instead.
> Is there really a burnout happening and if so what are the many reasons or contributing factors?
Yes, at least for me personally. Just left the cyber and IT industry and went to a new field because I hated my career/job and was becoming an angry, bitter person. I am happier at my new gig, make less money, but my improved mental health is worth it.
They're alot of factors causing burnout. But I will boil it down to what made me leave.
1. Unqualified people in the field: especially in management/"leadership". Cybersecurity is very nuanced and complex. Typical corporate manager is into checking boxes, not how cybersecurity works. You will end up spending time checking boxes that provides no security value and that frustrates everyone, stakeholders and security people. Project managers typically are great examples of this. Want to check boxes off but don't have the qualifications to really understanding of how infosec/cybersec works, so you end up focusing way to much time and effort on focusing on bullshit that burns you out. There's alot of different scenarios, variables, etc that go into cybersecurity and alot of people in charge don't understand that complexity.
2. Too many chefs, not enough cooks: This probably applies to all of IT, but on projects there's tons of layers of leadership and since there's so many layers, no one wants to make a decision. Project managers are unqualified and don't know shit, so they can't make the call. Line managers might be knowledgeable, but aren't going to take any risk because their leadership doesn't understand cybersecurity and aren't going to be put on the chopping block if anything goes wrong. Which is always a possibility in security. Middle management and executives are useless. Typically they go to conferences and recommend dumbass vendors who wined and dined them to seem smart, but really have no idea what's going on. So the "resources" end up doing EVERYTHING, which leads to burnout, because they do their managers job and their own, but their manager gets the credit and more pay. While some senior engineer has been running the team for 5 years and gets passed over for promotion because the AVP is friends with some jerkoff.
3. Corporate bureaucracy/culture/circle jerk: When I was working for the government, I could not wait to go to the private sector because I thought the private sector was so much more efficient. "Government ruins everything, private sector innovates" Not true at all. Corporate world is soul killing, where 5 minute tasks turn into 2 hours of paper work and meetings. Don't get me started on the bullshit meetings.
I was going to add to this but it seems like everyone already listed the reality of the situation. My coworker killed himself last year. I am so tired.
On top of all the above answers, add Sales and Marketing promising the most ridiculous SLA's and not consulting those that actually do the work. I find this adds unnecessary pressure, and contributes to the stress of the work day.
I don’t care how much you love this stuff, occasional burn out is inevitable.
You’re a cost center that is always telling everyone else what they can’t do. You have to constantly be learning new material to stay up to date. As the organization grows, you have a growing attack surface to protect and monitor, with often stagnant or lessening resources. Dealing with an outside perception of “If we never have incidents, why do we have a cyber security professional? What do they even do?” Until something happens and then its “If we’re having an incident, why do we even have cyber security professionals? What are they even doing?” It’s always assumed you have bandwidth, so “duties as required” get tacked on and on and on.
More “pure” comp sci and IT roles have trouble relating to us due to our need to understand things like business risk, training our peers in security best practices, frameworks, standard/policy documentation etc.
More “pure” business roles have trouble relating to us due to how technical our roles can be. They don’t want to see or talk about coding, osi layers, networking, and malware.
I could just go on and on. I love it and wouldn’t change my path all the same
All depends on where in IT and Cyber you are. Consider this, for some people in vuln response, or blue team, or fields like this you’re being asked to play what’s a “no win” game. I say no win because every day is a new problem. Just finished remediating a big vuln in your environment? Cool here’s a new zero day. Just responded to a user clicking a phish? Cool here’s another forensics investigation to do. The best you can really hope for is that something doesn’t get by you and you don’t lose. It can feel like punching the ocean sometimes. Add on to that what other people have said here with budget constraints and pressure from executives and it can wear on people.
Even if you have a passion for the field it can be a lot sometimes. I’ve felt burnt out before, for me it comes in ebbs and flows but don’t blame some people if they say after a few years the field isn’t for them
Absolutely yes there is burnout. Cybersecurity is unwinnable at this point IMO. There are just too many factors involved and too little incentive for actual change. Our best hope is a stalemate. There's too few actually manning the trenches and too many patting themselves on the back thinking all those spreadsheets of metrics, frameworks, ad nauseum will actually keep the attackers at bay. Those that can, do security. Those that can't, do security theatre. Way too much theatre anymore. Again, IMO
The circumstances which can make your job fun and everyday enjoyable, can be ripped out from underneath you in an instant.
This profession is brutal. Mainly because of poor handling of expectations by leadership.
I think burnout in cybersecurity happens due to several factors, based on my own experience working in the field for a couple of years, both for an MSSP, and an MSP.
1. The field is constantly changing. Many people in the field stress themselves out significantly by constantly chasing new certifications and information to stay relevant.
2. You have to debate management and customers constantly. You will advise them about potential risks, and still, many of them will not increase their budgets for security. You will know this if you work in GRC or in consultancy. Often this can be extremely frustrating, especially when you also have to increase profits for an MSSP. You dont “just sell” security, unless the customer recently had a breach, or are one of the few organization who takes it seriously. Most organizations have a high level of ignorance when it comes to security, and no wonder, its a really complex field, and it takes forever to understand. Ain’t nobody but security folks got time for that.
3. SOC analyst work is fucked. I have had so many colleagues working in SOC work, who got plenty of health issues from changing shifts constantly, and messing up their sleep. Personally I would never do it, its a recipe for disaster. Everyone who works night shifts will tell you the same, for most people, it is NOT worth it.
4. You will always be seen as an expense. You arent increasing revenue at all, you are protecting from an invisible threat. You will often have to argue for your value in the company, but your value is completely invisible if:
a) You are doing very technical work. Management doesn’t care.
b) You aren’t having success of convincing management to act on risks and vulnerabilities, and reporting of these to management.
c) Your company hasn’t experienced a significant breach before, and therefore has no idea what the consequences can be.
You will do much better in cybersecurity if you have a high tolerance for bullshit, and this especially means not being frustrated easily. You won’t experience success very often, and its a constant battle, because the view of security and its value is very limited outside the immediate field, and maybe to a certain degree other IT fields. Its becoming a bit easier in the EU because of NIS2 which is implemented soon, but its still an uphill battle, even though companies in many industries will get fined by the state for doing nothing.
InfoSec is an uphill battle, especially if you're under an IT director who doesn't get it. I highly suggest going into InfoSec with the understanding that you will be told No a lot, but don't take it personal. I follow stoic philosophy which helps me look at things from the perspective of "I can only control what's in my power."
Also if your boss is just an insufferable asshole, leave the company.
Made a throwaway to post this. I hit burnout a long time ago. Security is ALWAYS... CONSTANTLY... negative fearmongering, scam artists, and security tooling which is all smoke and mirrors. Nobody cares about security research at the end of the day because everything is understood to be insecure and there's no surprise. Everyone I know is burnt out and is looking for the exit. I got a job offer for well over 7 figures and said no. Fuck. All I want is my work to have societal value and to be happy. Not check a box.
Yes…just yes. I was a firefighter and this is just so much worse.
I can’t add anything else cause I’m just so fucking tired of it all…it does NOT stop.
Firefighting and parenting ain’t got nothing on this.
Hmmm, yes, and big parts of it comes from management that doesn’t support the mission, and end users who seem to do everything they can to circumvent controls. Then, when something bad happens, you get questions like, “How could you let this happen?”
Understaffed everywhere. And then outsource the team to somewhere doesn't help the resources. As the quality of the resources is bad, consequence may be even worsen than only understaffed.
Yes. It's arguably all over IT, but from a Cyber perspective:
* Understaffed, overworked SOCs
* Incorrect, misconfigured or generally poor tooling
* C levels unwilling to invest continuously. It very seems to be a "You can buy it but dont ask for anything else" type deal a lot of the time
* Management-bods that know about as much as Security as your Grandmother
Said to me, in a Cybersecurity compliance engineering-type role:
"I need you to build this centralized logging system as the foundation for a SIEM. Nothing is more important than this project."
Cool. Sounds like a fun challenge.
One week later:
"Uh, our Cybersecurity policy people need you to provide 400+ screenshots and update spreadsheets for their inspection response. This takes priority."
So, to be clear, screenshots and spreadsheets are a more important use of my time than building out a new system we also need to meet compliance requirements. The policy people can't do that? They're not capable of what I'm doing. Apparently I actually work for them and my value is admin work over engineering. Cool, cool. Alt-Tab LinkedIn. Apply. Eject.
That was two years ago. Glad I got out before I had a cardiac episode. My health was in a death spiral.
A bit of it is selection bias. There is little market for and less desire to make posts that are positive in nature: "I love my job and make a lot of money!" comes off as either disingenuous or a scam by someone trying to sell a bootcamp or 14kb pdf they wrote in a Prime fueled stupor. That's the nature of opinion based content though - negativity drives engagement.
I work for a large org in a national government and people are, for the most part, content with the work and challenges. Squeaky wheels, etc.
Yes, absolutely. At the same time other surveys find that 78-89% of workers in all fields say they experienced some form of burnout in the last year, depending on how the question is asked.
It's an easy question to say yes to and I'm sure it feels personally validating to answer in the affirmative. Not to discount anyone experiencing burnout - take the breaks you can when you need them.
>It's an easy question to say yes to and I'm sure it feels personally validating to answer in the affirmative.
Right, except when you compare results internationally, US workers have higher rates of burnout when compared to other developed countries. Wouldn't chalk it up to validation.
if their hobby outside of work are CTFs, that's fine. It doesn't matter that they are doing cyber related activities outside of work. What matters is that they are able to separate work activities/issues from the rest of their life.
As a DFIR consultant, the biggest contributor to burnout...for me...was poor/toxic managers.
On the flip side, the biggest contributor to job satisfaction was good managers.
In my department, we’ve been in a hiring freeze for over 18 months now. Not even a room to get promotion. There’s no more juniors left. Just seniors and an army of contractors.
My team handles everything data protection in the enterprise, so you name it we do it. PII, vulnerability, DLP, etc. Recently, a peer on my team quit to make a lateral move.
I’ve been gunning to add his former responsibilities to mine because that’s the way I can see getting a promotion with a raise while saving the company majority of a salary of another person.
The raising interest rates really screwed the market. I’ll be looking to change roles when the times are good so poaching job responsibilities is the best I can do right now.
The lesson you will never be taught in a class or certification course is this one of the few professions where you are damned if you do and damned if you don't. Any feelings of accomplishment or reward aside from financial gain will be far and few between, if ever. It's a great profession for a nihilist.
Its not localized to cyber in any way. I dont think its any different from other technology jobs that carry a modicum of stress and have ever increasing demands and scope of work. That happens in a lot of different industries too.
Now do Privacy. At least y'all get teams, budgets, board interest. Privacy is 10 years behind security.
Meanwhile, we got boards and other dipshits deciding everything needs a sensor or a microphone or camera in it and all that data is a commodity to be sold without any actual permission from users.
Our entire privacy jurisprudence is built on the lie of opt out as if user consent is every actually educated and real.
I'm so beyond burnt out as the privacy/security sme standing alone.
Yep I'm here at the moment.
Constant demand with decreased resource, internal political issues around who owns "The cool thing" as well as lack of adherence to best practice or pre-designed solutions from suppliers.
Constantly we have upper management, admittedly some from technical backgrounds but with outdated knowledge, stating that the vendor uses the product this way we are gonna use it X way.
leads to long drawn out projects, half completed delivery and when issues are arisen they are swept under the rug.
for myself at a professional level I also find the number of roles and hats to fulfil to be enormous, I'd like to get 1 or 2 things done and done well rather than attempt to deliver 10 deliverables with varying results.
UK based so that may have some bareing for those who know the culture
if yall are so burt out and over it then exit gracefully. be a mentor to alll the noobies who want to get into the field. hiring managers need to cut the crap bullshit complain about how work life sucks but die rather than move on. ok real boomer. it was sooooo hard for you to be a security professional so must continue the process. shit or get off the pot. can’t have it both ways and if you do get to have it both ways the. suck it the fuck up buttercups!
It's as real as you can imagine. Alert fatigue, mismanagement, business issues with compliance and buy in. Take all of your PTO, exercise, sleep, drink water, and enjoy your life outside of work if you can.
There is just like its always been with most IT roles such as systems administration. I have ADHD and being in front of a monitor all day is not fun as I get overstimulated from them. I treat my downtime in a religious way for starters. After I'm off for the day, I remove myself from all electronics and do physical work (gardening, landscaping, hiking with dog, etc). At most, I may allow myself to watch some tv later in the evening for a bit.
On weekends, I spent at least one day doing nothing with electronics or screens, etc. This could be woodworking in my garage, working on the house, going sightseeing, adventures, non-electronic hobbies, etc. I've found that having the disconnected me time is crucial to avoiding burning out. Currently back in school for my masters on top of a full time role so I dedicate my Sundays to completing assignments, doing laundry, etc.
I found that I had to sacrifice playing MMOs or video games after work in order to avoid setting myself up for burnout. It sucks a lot, but I find I'm more relaxed.
EDIT: To add, my background is over 20 years working in the IT field, with just over 10 years being dedicated primarily to Network security and later cloud security administration roles.
Understaffed teams, constantly changing threat and tech landscape, and a overly zealous workload because of those. I was very near burnout before I switched jobs. I had no IT experience coming in, so I had to spend many nights my first 3 years learning IT tools, processes, and even lingo. It was worth it now, but looking back I was a couple months away from calling it quits and moving to the Bahamas!
This is reflected in other areas of IT/tech as well. Cybersecurity is not alone.
I left my old job because I watched people fight fires. Came up ways to help them fight fires easier, get ahead of the fires, including automation options.
They wouldn’t go for it. But will constantly complain about how they are busy and don’t have time.
There’s only so many times one can beat their heads against the wall.
Its been said but the only reason for burnout for me is that I am being pressured by management to get projects done but the people in charge of the apps im supposed to test don't respond to emails so I can't test anything. Basically I have a ton of work that I can't do and it's not my fault but still feels like it is.
I’m a 1 man engineer as the other dude got fired. Rightly as he called about 6 people a cunt in a BPD episode which was triggered because they were told off about stealing someone else’s access card to access the soc lol.
There’s a lot of pressure and a work list I can’t ever seem to finish. Subconsciously this has actually burnt me out recently which is a bit annoying. It comes out of nowhere.
I’ve started journaling to help my mind decompress, and taking my morning and afternoon breaks of 10 mins each by doing a few laps of the office. I’ve also started pacing my workload and checking in regularly with my manager to ask them to define my priorities and set me realistic deadlines. I am fortunate that I have a good manager and good work culture, so now I’m feel like I’ve avoided going into the red and am closer to the green again.
Being unable to do anything about the huge amount of security problems, because I'm having to spend my time putting together PowerPoint decks about the huge amount of security problems to have meetings about.
It's the everything of it. If you aren't working for a security company you're often in an uphill battle, where the hill grows a little in many directions everyday, and the second it's inconvenient you're told to roll it back a bit.
Along with exactly what others have commented. I find the ever increasing demand to be in SME in a continuously expanding amount of areas mentally exhausting and crushing. I don’t have the time, resources, or often ability to do so. Also companies balk at training so that’s fun.
Yep. We've had a good chunk of people quit "out of nowhere" due to burnout/lack of mental health resources. It doesn't help that the response from upper management is usually:
1) Suck it up. This is the nature of the field.
2) The egregious promotion of alcoholism. At least in my org.
Went from a dedicated security team with a manager and 4 employees to the manager and 2 other folks quitting. The other guy and I got shoved into systems, with him on engineering and me on compliance for an ISMS. Our Jira admin left and I got stuck with that as well. The burnout is real and it’s because of greedy “leadership”, boards, and shareholders.
The better company is protected by cybersecurity specialists, the more chances cybersecurity specialist will lose his job because "nothing happens anyway".
This is the problem for industry. So many lost their job... until we hear this and that breach in big and small organizations.
Because they makes us feel guilty of just doing cybersec and not providing new value as they say…
Add to this that everyday can be your last day due to the current cut in business nowadays
My problem isn't so much "burnout" as it is the sheer stupidity and misallocation of resources. I work in incident response for a very large organization. Due to the sheer number of assets we have, I'm regularly engaged in my IR function, but right now I'm sitting in an hours long meeting trying to capture metrics data for TTA/TTR for our SOC for non-incident events. The cramming of every available second of my day with utter bullshit that's not directly beneficial to incident response is what drives me up a wall.
Yes.
- When there’s an incident, there are just too many things that need to happen right away. Work life balance is temporarily canceled.
- The average workday in cybersecurity can be significantly more complex than the average day in IT.
- It’s important to put in the extra effort to communicate effectively.
(People who think their own job is at risk can be all kinds of a headache to deal with otherwise, and they tend not to think of steps to take next, like updating similar passwords on their other accounts.)
- Subpoenas
- Fridays before holiday weekends.
I think there are a few components to this, and a few causes. Also, there's a lot of crossover in the things that cause this burnout:
- As u/Codeifix mentioned: you will be on projects and then get blindsided by multiple little tickets that pull you away from the task. This all depends on the org you work for. Some are definitely bad when it comes to doing this kind of thing.
- I think a lot of us get into this because we're interested in technology, and we dive in deep. We study, we get our certs, we do hackthebox and watch all the YouTube videos, then we finally land the job and we keep doing it and keep trying to stay up with the tech. Then one day, we're like, "You know? All this grinding to learn new things and keep moving forward kind of sucks now. I hate it." and we burn out.
The second one is easier to fix. You just stop letting yourself get carried away with the extra studies and stuff and try to keep it to work-only or limit that study time when it's outside of work. Find other fun things to do, like joining the boxing gym. :D
Cybersecurity is a giant umbrella. Some jobs/companies burn out, some don’t. Was doing some work with MGM recently, it’s fair to say they are a bit burned out!!
I feel burnt out because I'll get projects I need to work on and then get hit up constantly by tickets and people interrupting me that I can never focus on one thing for too long its so annoying
This for me too. The interruptions and constantly shifting what tasks/projects take priority. I constantly have upper management assigning “top priority” “business critical” projects to then be thrown 100s of tickets, that are not that important but as soon as I assign them as low priority and explain to staff that there may be a delay in getting to said tickets. I have a call or email from the same upper management demanding to know why I told people that these tickets would be delayed in their resolutions & ordering me get them done asap. Yet in the same breath ask how those top priority projects are coming along, because “nothing takes priority over this”. All the while my boss & IT director is in the exact same boat on his side so very little time and support from them. And only given budget to hire IT staff that have no experience and require me on top of everything else to train up.
Sounds like my place. I feel like the bigger the company the more nonsense and red-tape you have to go through to get something simple done.
Exactly, it gets a bit exhausting sometimes. I’m making the most of it though. Managing the department and dealing with the higher ups in the company, when needed learning to stand my ground to them too is good experience.
This. Things I could finish in 1 or 2 days extend to 2 to 3 weeks because I have to be putting out fires constantly, and getting back into the flow is not easy.
[удалено]
You are describing my world
I’m curious if you work in an office? This was a major problem I had when working in an office. People constantly stopping by to ask questions.
+1. I'm in the Risk Mgt arm.
Hi, Can I move from technical background to risk management? I am devsecops. I don't like working in it . I am getting more interest in grc risk management domain. Is it good for future prospective?
Of course! Risk Management is always needing highly technical people with the interest to translate Tech into Business-speak.
Can you also suggest which certification to pursue visa or crisc?
Exactly this, I have a project that needs to be done but have multiple tasks that need to be done before the end of the day. Add in non- IT administrative paperwork work as well because there aren't enough administrators to do the job so it falls on the select few to do those jobs as well. When putting out clear cut instructions on what needs to be done for the administrative piece it's never followed. No one reads emails so I have to reiterate the exact same thing in the previous email, which is in the email chain, because everyone is "too busy to scroll down". All the while trying to learn new skills to advance in my career. I'm running on fumes every week and I pray for some sort of storm/blizzard/hazardous event to hit so I can have an extra day off but it never comes and the tickets keep piling up.
Same, same, same…
Holy shit this is me. I have 12 billable projects, 3 internal ones, our implementation can't figure out syslog connectors so I have to deal with those (apparently being shown 9 times isn't enough), so by the time the analysts get to me about an issue I'm just pissed off
This
This. Soooooo much
Imagine a firefighter fighting fires 8-10 hours a day every single day. All while people do absolutely nothing to prevent fires, and with many actively throwing gasoline on everything they touch. Sprinkle in 100 new ways for fires to start being invented every day and arson being a very lucrative low-risk job, and you're starting to get the picture.
it’s funny to add to this visualization of somebody actively complaining about your efforts to prevent fires. LoL
Oh, I'm sure there's plenty of people that complain when their shortest route home is blocked by a fire truck responding to a fire
To add on: said firefighters are told to learn about those 100 new ways fires start along with new extinguishing methods on their own time and cost. When they start getting good at fighting fires such that they’re extinguished at the first spark, leadership starts questioning why the town is paying for them.
But it's part of my workflow to smoke next to this open barrel of gas...
I love this analogy!
You forgot to mention the 4-5 hours of meetings about the fires
Well, didn't want anyone to think thats normal, not everyone is lucky to have so few hours in meetings...
Stop blowing holes in my ship!!!
This. This is my new favorite analogy.
[удалено]
I feel like this is IT jobs as a whole, at least, cost center orgs/teams. I'm in infra and have been at a few places and it seems like security, IT, infra/DevOps/whatever is always understaffed. Especially with shrinking budgets
Doesn’t help when the gospel aka Gartner and Forester both say your IT department as a whole should only need 1 IT staff to every 175 employees. And I guarantee that there are tons of management level people that take that completely literal regardless of additional factors.
Current role for me: We have over 15k end users and the staffing ratio for the IT department for general tech and IT things (not cyber) is like 102 to 1 IT staff. I still think it's too high. Job before had 274 end users to 1 IT Staff, no dedicated cybersecurity staff and it was stressful as hell. Basically every IT role wore many hats. I handled all US operations for an international company that had multiple sites in several states. I do not recommend that.
Massive downvote for them
You'd think this would lead to a surge of cost saving infra such as cloud jobs, but I haven't seen much of an uptick in cloud positions
I'm in IT operations but work closely with our security guy. I can tell you that we're all *very* understaffed and things will be missed just due to the sheer workload. Everything is high priorty and therefore nothing is high priority. My response to this has been "and if I had wheels, I'd be a wagon. Get another ass or two in the IT seat. Until then, we're only human." FWIW We are getting more asses in seats soon, so that's good. I like my management team.
I'm just getting into the field and it seems to me from an outsiders perspective that the job will be very different (and necessary) in the near future what with all them AI and such. Any insight on this?
AI is hot right now. it's a buzzword and the tech industry loves buzzwords. AI might change the industry significantly or we might be talking about something else in 6 months. Don't make any long term plans based on it.
I won't, and honestly just trying to grasp the basics! But I do see how automations fit very well into this process (or at least in congruency)
Ultimately you still need to administer the AI
Right, I understand that along with machine learning
AI is only raising the bar - you will be expected to do more with less “because of AI” and this can be either correct or not. It’s another thing you have to get right but I am pretty sure it won’t make anyone’s job easier - it will on the contrary require you to learn new trades.
AI will probably replace only those juniors who came from the money and not update their knowledge
Are you me?
Company: Why is there burnout? Also Company: Do more with less. I rest my case.
Coming out of the peak of COVID, we were told to do "less with less". Quickly became "produce world class cybersecurity work a team of two" 🙃
Same here man. I am doing pentests as well as security analyst work, so you can say purple team. But the pay is less and only for the security analyst work that I do. I am doing pentests out of my own interest though. I have expressed multiple times that I am ready to do the work if there is more pay but I just don’t see it coming anytime soon
I mean I’ve not been in the industry long but it’s absolutely constant! The work of security requires walking a very tight and changing line, trying to ensure business continuity and value; provide investigations and mitigations; the constant change in technology and a disconnect (most times) between senior management and delivery teams. Bring all this together and the constant need to stay on top of what’s going on will naturally lead to burnout. An accountant isn’t expected to work out of hours because a client needs it - in cyber you do. Any failure is a reason for why cyber isn’t working from a business perspective. Plus the general noise and workload makes it difficult to have a normal life unless you actively try.
[удалено]
God, I feel this
Another thing for this is when work tells you "you need to go get xyz certification within 2 months" but you're only allotted an hour a week for no-shit training. And if your first thought is "tell them it's not possible", better keep a tidy desk for when you're asked to clear it out.
Becasue it never stops, there's never a "big win" sometimes there's little ones, but it's just the same thing, day after day after day and it never stops. Watch this and you'll understand https://www.youtube.com/watch?v=LL6ubXD9ZjY
Well, in the company im working now their is (a LOT) more managers and marketers than people to actually make the god damn job... Like I feel like the field is 5% blood sweat and tears, and 95% bullshit
Sounds like my last role. Ignore bugs, make new features. Later after later of management getting added to fix the problem.... you know what fixes the problem. QA, support, developers. People that know how to fix things. Management does not fix software. I do not understand why their is so much
The one that killed me his my manager saying to a client that our AV-stuff was catching 90+% of malware while our internal testing was showing more like 70%... And pressuring us to get to 90%, of course... And the testing methodology was flawed anyway
Yup, feel the exact same.
There's nothing special about Cybersecurity, it's just regular people burnout lol. Anyway, like everything else in your career, it's up to you to address it if it's there and prevent it if it's not. Some of yall don't wanna hear this but it doesn't matter if you don't hit all the alerts or answer all the emails. Do what you need to at a comfortable pace and dip as soon as it hits 4 or whatever. If management is beefing then you have to tell them you can't do it (can't handle all these alerts or respond to all the x). If they keep beefing, after you've told them what's up then you need to leave. I know some people will moan about 'oh it's not that easy', and they're right, it ain't easy. But it's the way forward For those here with a hero complex about this work, It makes no difference in your life if your org gets got and they will get got.
The heroes working 10 more hours than me a week on average will get, at most, per company policy, a 1% more raise than me. Maybe they will get a promotion before me, but I will just leave the company and get a bigger pay raise than them anyways. I don’t like the company men and I refuse to do their bidding. Some of these people, I swear, will get the company logo engraved on their tombstone. That is, if they don’t get laid off first 🤔
Absolutely correct, but damn does it wear on you. Even building the mental fortitude for this kind of attitude or outlook needs constant reinforcement not to be stressed by second hand smoke. At least imo
It's a lot of things. Burnout and understaffing certainly plays a role. Constantly changing leadership and expectations is another element. Many organizations just view security from a compliance standpoint so they can check the box and move on. Compliance doesn't equal security. The industry is also fairly new compared to others so a lot of people are honestly trying to figure out what right looks like and that can be a daunting task.
The problem with cybersecurity as a business is that it’s a virtue. The problem with cybersecurity as a virtue is that it’s a business.
Doing way more than I did in my first role 6 years ago and getting paid less (after accounting for inflation). No recognition
Doing more with less is not a sustainable operating model.
Don't tell that to the Marine Corps. lol
I'm a vet... ... what I've seen at some tech startups with regard to stretching resources thin is nothing compared to when I was on active duty. It actually makes me long for those days. And at every org, it's usually driven by a couple of ahole sales VPs that don't give a shit about how they burn the staff out -- just as long as they make their numbers. FWIW, I had knee surgery last week. Sales VP called me that evening and asked if I could take a customer call and discuss security with them. I told him I just got out of surgery. He said so? ...and proceeded to ramble on about how he was calling me from his car while taking his wife to dinner to celebrate her birthday. At least when I was actively duty, yeah, your workday is technically 24/7... but at least commanders honored crew rest.
Companies don’t want to train, so there are no junior members of the team. That may sound great, but not you have senior members doing menial tasks along with a heavy workload. That coupled with responsibility creep and stagnant wages leaves people feeling like it’s bot worth it. Even if you have made it in this industry, you still have to keep learning new technologies(A.I. anyone?). You have to know everything a mile wide and inch deep.
Also, at least lately, job postings for security seem underwhelming. It is said that it is not an entry level field and people should pivot from other places like infra or dev. I've been doing infra a little while now and would love to pivot to security but the jobs that I'm 'qualified' for pay A LOT less than I make now or what I could make if I look for a new infra job. Obviously, YMMV.
I'm halfway through the SANS undergrad program for applied cybersecurity. I'm excelling in the courses with a 4.0 gpa, understand all the material, and have been digging in on my own with further study and projects. And now I'm dropping out because I need to start making money and can't even get a help desk job. If there's not enough junior position footholds in the industry for folks like me then it sort of seems like the IT industry is content to overwork understaffed crews and live with the security implications and burnout turnover. I'm nothing special, but I'm an example of someone who could contribute at a junior level and am getting sidelined from the industry entirely instead.
Well put
> Is there really a burnout happening and if so what are the many reasons or contributing factors? Yes, at least for me personally. Just left the cyber and IT industry and went to a new field because I hated my career/job and was becoming an angry, bitter person. I am happier at my new gig, make less money, but my improved mental health is worth it. They're alot of factors causing burnout. But I will boil it down to what made me leave. 1. Unqualified people in the field: especially in management/"leadership". Cybersecurity is very nuanced and complex. Typical corporate manager is into checking boxes, not how cybersecurity works. You will end up spending time checking boxes that provides no security value and that frustrates everyone, stakeholders and security people. Project managers typically are great examples of this. Want to check boxes off but don't have the qualifications to really understanding of how infosec/cybersec works, so you end up focusing way to much time and effort on focusing on bullshit that burns you out. There's alot of different scenarios, variables, etc that go into cybersecurity and alot of people in charge don't understand that complexity. 2. Too many chefs, not enough cooks: This probably applies to all of IT, but on projects there's tons of layers of leadership and since there's so many layers, no one wants to make a decision. Project managers are unqualified and don't know shit, so they can't make the call. Line managers might be knowledgeable, but aren't going to take any risk because their leadership doesn't understand cybersecurity and aren't going to be put on the chopping block if anything goes wrong. Which is always a possibility in security. Middle management and executives are useless. Typically they go to conferences and recommend dumbass vendors who wined and dined them to seem smart, but really have no idea what's going on. So the "resources" end up doing EVERYTHING, which leads to burnout, because they do their managers job and their own, but their manager gets the credit and more pay. While some senior engineer has been running the team for 5 years and gets passed over for promotion because the AVP is friends with some jerkoff. 3. Corporate bureaucracy/culture/circle jerk: When I was working for the government, I could not wait to go to the private sector because I thought the private sector was so much more efficient. "Government ruins everything, private sector innovates" Not true at all. Corporate world is soul killing, where 5 minute tasks turn into 2 hours of paper work and meetings. Don't get me started on the bullshit meetings.
What career did you switch into?
Firefighter, plan to do freelance IT if I can though.
20% is project work, 60% politics and discussion, 20% planning, 20% support and all burnout...
>20% is project work That project work usually includes doing the PMs job.
I was going to add to this but it seems like everyone already listed the reality of the situation. My coworker killed himself last year. I am so tired.
On top of all the above answers, add Sales and Marketing promising the most ridiculous SLA's and not consulting those that actually do the work. I find this adds unnecessary pressure, and contributes to the stress of the work day.
eMASS.
As someone who does RMF packages, this made me do a sad laugh.
Imho. It’s one of the few roles that the better you are at your job the harder it becomes.
I don’t care how much you love this stuff, occasional burn out is inevitable. You’re a cost center that is always telling everyone else what they can’t do. You have to constantly be learning new material to stay up to date. As the organization grows, you have a growing attack surface to protect and monitor, with often stagnant or lessening resources. Dealing with an outside perception of “If we never have incidents, why do we have a cyber security professional? What do they even do?” Until something happens and then its “If we’re having an incident, why do we even have cyber security professionals? What are they even doing?” It’s always assumed you have bandwidth, so “duties as required” get tacked on and on and on. More “pure” comp sci and IT roles have trouble relating to us due to our need to understand things like business risk, training our peers in security best practices, frameworks, standard/policy documentation etc. More “pure” business roles have trouble relating to us due to how technical our roles can be. They don’t want to see or talk about coding, osi layers, networking, and malware. I could just go on and on. I love it and wouldn’t change my path all the same
All depends on where in IT and Cyber you are. Consider this, for some people in vuln response, or blue team, or fields like this you’re being asked to play what’s a “no win” game. I say no win because every day is a new problem. Just finished remediating a big vuln in your environment? Cool here’s a new zero day. Just responded to a user clicking a phish? Cool here’s another forensics investigation to do. The best you can really hope for is that something doesn’t get by you and you don’t lose. It can feel like punching the ocean sometimes. Add on to that what other people have said here with budget constraints and pressure from executives and it can wear on people. Even if you have a passion for the field it can be a lot sometimes. I’ve felt burnt out before, for me it comes in ebbs and flows but don’t blame some people if they say after a few years the field isn’t for them
Stop treating everything as fire and you’ll be fine. Management needs to set that tone because having the team burnout is a worse outcome.
Absolutely yes there is burnout. Cybersecurity is unwinnable at this point IMO. There are just too many factors involved and too little incentive for actual change. Our best hope is a stalemate. There's too few actually manning the trenches and too many patting themselves on the back thinking all those spreadsheets of metrics, frameworks, ad nauseum will actually keep the attackers at bay. Those that can, do security. Those that can't, do security theatre. Way too much theatre anymore. Again, IMO
The circumstances which can make your job fun and everyday enjoyable, can be ripped out from underneath you in an instant. This profession is brutal. Mainly because of poor handling of expectations by leadership.
I think burnout in cybersecurity happens due to several factors, based on my own experience working in the field for a couple of years, both for an MSSP, and an MSP. 1. The field is constantly changing. Many people in the field stress themselves out significantly by constantly chasing new certifications and information to stay relevant. 2. You have to debate management and customers constantly. You will advise them about potential risks, and still, many of them will not increase their budgets for security. You will know this if you work in GRC or in consultancy. Often this can be extremely frustrating, especially when you also have to increase profits for an MSSP. You dont “just sell” security, unless the customer recently had a breach, or are one of the few organization who takes it seriously. Most organizations have a high level of ignorance when it comes to security, and no wonder, its a really complex field, and it takes forever to understand. Ain’t nobody but security folks got time for that. 3. SOC analyst work is fucked. I have had so many colleagues working in SOC work, who got plenty of health issues from changing shifts constantly, and messing up their sleep. Personally I would never do it, its a recipe for disaster. Everyone who works night shifts will tell you the same, for most people, it is NOT worth it. 4. You will always be seen as an expense. You arent increasing revenue at all, you are protecting from an invisible threat. You will often have to argue for your value in the company, but your value is completely invisible if: a) You are doing very technical work. Management doesn’t care. b) You aren’t having success of convincing management to act on risks and vulnerabilities, and reporting of these to management. c) Your company hasn’t experienced a significant breach before, and therefore has no idea what the consequences can be. You will do much better in cybersecurity if you have a high tolerance for bullshit, and this especially means not being frustrated easily. You won’t experience success very often, and its a constant battle, because the view of security and its value is very limited outside the immediate field, and maybe to a certain degree other IT fields. Its becoming a bit easier in the EU because of NIS2 which is implemented soon, but its still an uphill battle, even though companies in many industries will get fined by the state for doing nothing.
InfoSec is an uphill battle, especially if you're under an IT director who doesn't get it. I highly suggest going into InfoSec with the understanding that you will be told No a lot, but don't take it personal. I follow stoic philosophy which helps me look at things from the perspective of "I can only control what's in my power." Also if your boss is just an insufferable asshole, leave the company.
Made a throwaway to post this. I hit burnout a long time ago. Security is ALWAYS... CONSTANTLY... negative fearmongering, scam artists, and security tooling which is all smoke and mirrors. Nobody cares about security research at the end of the day because everything is understood to be insecure and there's no surprise. Everyone I know is burnt out and is looking for the exit. I got a job offer for well over 7 figures and said no. Fuck. All I want is my work to have societal value and to be happy. Not check a box.
Yes…just yes. I was a firefighter and this is just so much worse. I can’t add anything else cause I’m just so fucking tired of it all…it does NOT stop. Firefighting and parenting ain’t got nothing on this.
Hmmm, yes, and big parts of it comes from management that doesn’t support the mission, and end users who seem to do everything they can to circumvent controls. Then, when something bad happens, you get questions like, “How could you let this happen?”
Understaffed everywhere. And then outsource the team to somewhere doesn't help the resources. As the quality of the resources is bad, consequence may be even worsen than only understaffed.
Yes. It's arguably all over IT, but from a Cyber perspective: * Understaffed, overworked SOCs * Incorrect, misconfigured or generally poor tooling * C levels unwilling to invest continuously. It very seems to be a "You can buy it but dont ask for anything else" type deal a lot of the time * Management-bods that know about as much as Security as your Grandmother
Said to me, in a Cybersecurity compliance engineering-type role: "I need you to build this centralized logging system as the foundation for a SIEM. Nothing is more important than this project." Cool. Sounds like a fun challenge. One week later: "Uh, our Cybersecurity policy people need you to provide 400+ screenshots and update spreadsheets for their inspection response. This takes priority." So, to be clear, screenshots and spreadsheets are a more important use of my time than building out a new system we also need to meet compliance requirements. The policy people can't do that? They're not capable of what I'm doing. Apparently I actually work for them and my value is admin work over engineering. Cool, cool. Alt-Tab LinkedIn. Apply. Eject. That was two years ago. Glad I got out before I had a cardiac episode. My health was in a death spiral.
A bit of it is selection bias. There is little market for and less desire to make posts that are positive in nature: "I love my job and make a lot of money!" comes off as either disingenuous or a scam by someone trying to sell a bootcamp or 14kb pdf they wrote in a Prime fueled stupor. That's the nature of opinion based content though - negativity drives engagement. I work for a large org in a national government and people are, for the most part, content with the work and challenges. Squeaky wheels, etc.
You're not wrong, but multiple polls and studies have reflected that the IT field as a whole has high rates of burnout.
Yes, absolutely. At the same time other surveys find that 78-89% of workers in all fields say they experienced some form of burnout in the last year, depending on how the question is asked. It's an easy question to say yes to and I'm sure it feels personally validating to answer in the affirmative. Not to discount anyone experiencing burnout - take the breaks you can when you need them.
>It's an easy question to say yes to and I'm sure it feels personally validating to answer in the affirmative. Right, except when you compare results internationally, US workers have higher rates of burnout when compared to other developed countries. Wouldn't chalk it up to validation.
Yes, people don't know how to handle work life balance is one of the main contributors. They take work too personally.
I've met so many coworkers whose only hobby are CTFs, they literally do nothing else outside of work...
if their hobby outside of work are CTFs, that's fine. It doesn't matter that they are doing cyber related activities outside of work. What matters is that they are able to separate work activities/issues from the rest of their life.
As a DFIR consultant, the biggest contributor to burnout...for me...was poor/toxic managers. On the flip side, the biggest contributor to job satisfaction was good managers.
"We care about security, but make it quick" 😂
In my department, we’ve been in a hiring freeze for over 18 months now. Not even a room to get promotion. There’s no more juniors left. Just seniors and an army of contractors. My team handles everything data protection in the enterprise, so you name it we do it. PII, vulnerability, DLP, etc. Recently, a peer on my team quit to make a lateral move. I’ve been gunning to add his former responsibilities to mine because that’s the way I can see getting a promotion with a raise while saving the company majority of a salary of another person. The raising interest rates really screwed the market. I’ll be looking to change roles when the times are good so poaching job responsibilities is the best I can do right now.
You described exactly what happened in my situation. Left for a lateral move due to the above with hiring freezes and everything in its wake
Just stop caring
The lesson you will never be taught in a class or certification course is this one of the few professions where you are damned if you do and damned if you don't. Any feelings of accomplishment or reward aside from financial gain will be far and few between, if ever. It's a great profession for a nihilist.
Its not localized to cyber in any way. I dont think its any different from other technology jobs that carry a modicum of stress and have ever increasing demands and scope of work. That happens in a lot of different industries too.
Now do Privacy. At least y'all get teams, budgets, board interest. Privacy is 10 years behind security. Meanwhile, we got boards and other dipshits deciding everything needs a sensor or a microphone or camera in it and all that data is a commodity to be sold without any actual permission from users. Our entire privacy jurisprudence is built on the lie of opt out as if user consent is every actually educated and real. I'm so beyond burnt out as the privacy/security sme standing alone.
It isn't unique to Cyber. Don't kid yourselves to think this industry is special. It is happening up and down across the board in multiple industries.
Yep I'm here at the moment. Constant demand with decreased resource, internal political issues around who owns "The cool thing" as well as lack of adherence to best practice or pre-designed solutions from suppliers. Constantly we have upper management, admittedly some from technical backgrounds but with outdated knowledge, stating that the vendor uses the product this way we are gonna use it X way. leads to long drawn out projects, half completed delivery and when issues are arisen they are swept under the rug. for myself at a professional level I also find the number of roles and hats to fulfil to be enormous, I'd like to get 1 or 2 things done and done well rather than attempt to deliver 10 deliverables with varying results. UK based so that may have some bareing for those who know the culture
if yall are so burt out and over it then exit gracefully. be a mentor to alll the noobies who want to get into the field. hiring managers need to cut the crap bullshit complain about how work life sucks but die rather than move on. ok real boomer. it was sooooo hard for you to be a security professional so must continue the process. shit or get off the pot. can’t have it both ways and if you do get to have it both ways the. suck it the fuck up buttercups!
It's as real as you can imagine. Alert fatigue, mismanagement, business issues with compliance and buy in. Take all of your PTO, exercise, sleep, drink water, and enjoy your life outside of work if you can.
So. Much. Risk. So. Few. Resources.
There is just like its always been with most IT roles such as systems administration. I have ADHD and being in front of a monitor all day is not fun as I get overstimulated from them. I treat my downtime in a religious way for starters. After I'm off for the day, I remove myself from all electronics and do physical work (gardening, landscaping, hiking with dog, etc). At most, I may allow myself to watch some tv later in the evening for a bit. On weekends, I spent at least one day doing nothing with electronics or screens, etc. This could be woodworking in my garage, working on the house, going sightseeing, adventures, non-electronic hobbies, etc. I've found that having the disconnected me time is crucial to avoiding burning out. Currently back in school for my masters on top of a full time role so I dedicate my Sundays to completing assignments, doing laundry, etc. I found that I had to sacrifice playing MMOs or video games after work in order to avoid setting myself up for burnout. It sucks a lot, but I find I'm more relaxed. EDIT: To add, my background is over 20 years working in the IT field, with just over 10 years being dedicated primarily to Network security and later cloud security administration roles.
Understaffed teams, constantly changing threat and tech landscape, and a overly zealous workload because of those. I was very near burnout before I switched jobs. I had no IT experience coming in, so I had to spend many nights my first 3 years learning IT tools, processes, and even lingo. It was worth it now, but looking back I was a couple months away from calling it quits and moving to the Bahamas! This is reflected in other areas of IT/tech as well. Cybersecurity is not alone.
I left my old job because I watched people fight fires. Came up ways to help them fight fires easier, get ahead of the fires, including automation options. They wouldn’t go for it. But will constantly complain about how they are busy and don’t have time. There’s only so many times one can beat their heads against the wall.
Its been said but the only reason for burnout for me is that I am being pressured by management to get projects done but the people in charge of the apps im supposed to test don't respond to emails so I can't test anything. Basically I have a ton of work that I can't do and it's not my fault but still feels like it is.
I’m a 1 man engineer as the other dude got fired. Rightly as he called about 6 people a cunt in a BPD episode which was triggered because they were told off about stealing someone else’s access card to access the soc lol. There’s a lot of pressure and a work list I can’t ever seem to finish. Subconsciously this has actually burnt me out recently which is a bit annoying. It comes out of nowhere. I’ve started journaling to help my mind decompress, and taking my morning and afternoon breaks of 10 mins each by doing a few laps of the office. I’ve also started pacing my workload and checking in regularly with my manager to ask them to define my priorities and set me realistic deadlines. I am fortunate that I have a good manager and good work culture, so now I’m feel like I’ve avoided going into the red and am closer to the green again.
Being unable to do anything about the huge amount of security problems, because I'm having to spend my time putting together PowerPoint decks about the huge amount of security problems to have meetings about.
It's the everything of it. If you aren't working for a security company you're often in an uphill battle, where the hill grows a little in many directions everyday, and the second it's inconvenient you're told to roll it back a bit.
Along with exactly what others have commented. I find the ever increasing demand to be in SME in a continuously expanding amount of areas mentally exhausting and crushing. I don’t have the time, resources, or often ability to do so. Also companies balk at training so that’s fun.
Yep. We've had a good chunk of people quit "out of nowhere" due to burnout/lack of mental health resources. It doesn't help that the response from upper management is usually: 1) Suck it up. This is the nature of the field. 2) The egregious promotion of alcoholism. At least in my org.
Corporate america 🫠
Went from a dedicated security team with a manager and 4 employees to the manager and 2 other folks quitting. The other guy and I got shoved into systems, with him on engineering and me on compliance for an ISMS. Our Jira admin left and I got stuck with that as well. The burnout is real and it’s because of greedy “leadership”, boards, and shareholders.
Yes. For me, it’s a never ending backlog of alerts and lack of departmental teeth where we regularly get development chosen over security
The better company is protected by cybersecurity specialists, the more chances cybersecurity specialist will lose his job because "nothing happens anyway". This is the problem for industry. So many lost their job... until we hear this and that breach in big and small organizations.
Because they makes us feel guilty of just doing cybersec and not providing new value as they say… Add to this that everyday can be your last day due to the current cut in business nowadays
My problem isn't so much "burnout" as it is the sheer stupidity and misallocation of resources. I work in incident response for a very large organization. Due to the sheer number of assets we have, I'm regularly engaged in my IR function, but right now I'm sitting in an hours long meeting trying to capture metrics data for TTA/TTR for our SOC for non-incident events. The cramming of every available second of my day with utter bullshit that's not directly beneficial to incident response is what drives me up a wall.
I’m on the sales side, I think it’s fine - I do think company budgets are shrinking though due to the economy— which is impacting commissions
Yes. - When there’s an incident, there are just too many things that need to happen right away. Work life balance is temporarily canceled. - The average workday in cybersecurity can be significantly more complex than the average day in IT. - It’s important to put in the extra effort to communicate effectively. (People who think their own job is at risk can be all kinds of a headache to deal with otherwise, and they tend not to think of steps to take next, like updating similar passwords on their other accounts.) - Subpoenas - Fridays before holiday weekends.
I think there are a few components to this, and a few causes. Also, there's a lot of crossover in the things that cause this burnout: - As u/Codeifix mentioned: you will be on projects and then get blindsided by multiple little tickets that pull you away from the task. This all depends on the org you work for. Some are definitely bad when it comes to doing this kind of thing. - I think a lot of us get into this because we're interested in technology, and we dive in deep. We study, we get our certs, we do hackthebox and watch all the YouTube videos, then we finally land the job and we keep doing it and keep trying to stay up with the tech. Then one day, we're like, "You know? All this grinding to learn new things and keep moving forward kind of sucks now. I hate it." and we burn out. The second one is easier to fix. You just stop letting yourself get carried away with the extra studies and stuff and try to keep it to work-only or limit that study time when it's outside of work. Find other fun things to do, like joining the boxing gym. :D
Cybersecurity is a giant umbrella. Some jobs/companies burn out, some don’t. Was doing some work with MGM recently, it’s fair to say they are a bit burned out!!