The art of balance has never been as important as it has in the past two years. The toll that job pressures and burnout can have on the workforce is at an all-time high and at the forefront during daily conversations.
As security leaders, we can't ignore the list of ramifications that stem from employee burnout, such as apathy, disengagement, or other more serious mental health concerns.
Practical Steps Toward Security
Although battling something as big as employee burnout may seem daunting, there are practical steps security teams can take to streamline and ease user stress when it comes to security.
- Cultivate a transparent security culture: Cultivate a proactive and interactive security culture to create a safe place for employees to ask questions and have transparent, open communications with security. Promote and ensure data-use policies are clear and concise. Be transparent about what you're monitoring and collecting, as well as what you're doing with that data.
- Investigate with empathy and assume positive intent: Over three-quarters of insider data breaches this year have been considered nonmalicious. When you see possible data exposure or leaks coming from an insider, first presume that the users had positive intentions and approach the situation with empathy. That means asking questions to get context about the situation and a clear solution to reversing the action before it causes any damage to the organization.
- Minimize shadow IT, prioritize user productivity: Provide users with the right tools they need to do their jobs — and make it easy for users to contact the proper people if they want to use an alternative — so they don't have to or won't be tempted to go around security. For common business practices like sharing files externally, share the "best practice" method and make this information easily accessible to users. The more security can prioritize users' work preferences, the less burnout users will have in the first place.
Standardize Security Best Practices
I would be remiss to discuss burnout without acknowledging burnout among security teams. For chronically understaffed security teams who operate in a constantly evolving environment where threats, zero-day vulnerabilities, and data loss incidents are everyday occurrences, there unfortunately is no silver bullet to reduce stresses on security and technology teams. However, the one critical tip security teams should take is to:
- Automate, automate, automate: Turn fire drills into standard operating procedures and automate work wherever possible. Security should create workflows to manage the most common security alerts that require the most standard response, which frees up time to focus on the most pressing security concerns — and not just spinning unnecessary cycles and flaming burnout across security teams.
As we look toward the second half of the year, I encourage security leaders to take factors like workplace burnout and employee retention rates into consideration in tandem with the general movement toward more empathetic workplace cultures.
The notoriously stoic cybersecurity culture is changing. I expect that we'll see more organizations adapting to this shift, changing traditional titles such as "Security Manager" to "Security Culture Manager" to align with the overdue need to recognize that the culture a security team brings to the overall business is equally as important as the protections it brings to the business.
Security leaders — and their teams — play a strategic and impactful role in helping to create a safe space for employees at work. When they work across the entire organization, they can have more impact on the security culture and innovation of the company altogether so that mental health and well-being can be top of mind for all.