informa
6 min read
article

The CISO as Sustaining Force: Helping Infosec Staff Beat Burnout

To protect their staffers, leaders should focus on identifying and alleviating root causes of burnout.

Staff burnout has plagued many workplaces for the last several years — so much so that the World Health Organization (WHO), in a historic first, classified burnout in 2019 as an official "syndrome" that results from "chronic workplace stress that has not been successfully managed."

Not long after the WHO's designation, the COVID pandemic hit, accelerating the burnout syndrome. For example, by the first half of 2020, signs of burnout among US workers increased by more than 30%, according to surveys of millions of professionals compiled by LinkedIn.

Information security staffers were not immune to this burnout acceleration. In a VMware survey released September 2021, 51% of cybersecurity professionals said they experienced "extreme stress or burnout" over the past year.

Truly, these are challenging times for CISOs who want to keep their staffers healthy, whole, and resilient. But they also present opportunities for managers and leaders to seize the moment and act as a sustaining force for the teams they lead.

In many situations, CISOs can help their staff members beat burnout. To do so, the CISO should first understand the components of burnout and the factors driving it, and be willing and able to address these factors before actual burnout sets in.

The Anatomy of Burnout
Under the WHO's definition, burnout has three major components. The first is exhaustion, or feelings of energy depletion. The second is depersonalization, in which a team member begins to feel alienated from his or her own job and starts going through the motions. Work becomes less meaningful.

Exhaustion and depersonalization can combine to produce the third component of burnout: reduced personal accomplishment. When this happens, the depleted staffer loses executive function — the ability to focus, strategize, and analyze in a nuanced fashion.

To protect staffers from reaching this point, CISOs should focus on identifying and alleviating the root causes which often drive burnout.

These root causes may include workweeks that consistently exceed 60 hours; perpetual expectations of working off-hours and on weekends; constant deadline time pressure; and a very travel-heavy schedule. Most of these factors are not uncommon among information security staffers.

In addition, research has pointed to two factors involving a firm's everyday working conditions that can drive burnout. One is role ambiguity, which occurs when team members are not clear on what is expected of them. Another is perceived unfairness in manager-staffer relationships, which can include favoritism, failure to recognize contributions, and unreasonable work demands.

Coping with these stressful conditions often requires significant emotional resources, which may sap a team member's energy. CISOs that make good-faith efforts to avoid both factors in day-to-day operations will likely reap great benefits in staff engagement and resilience.

Signs and Solutions
Of course, proactive detection and treatment of burnout factors is not always successful. Thus, CISOs should also be looking for common signs of burnout itself which team members might be exhibiting, including:

  • A sharp drop in quantity and timeliness of output.
  • A general lack of energy and enthusiasm around job functions.
  • Continual signs of anxiety and stress.
  • An extreme irritability toward co-workers and duties.
  • Significant changes in social patterns with co-workers.

If some of these characteristics are present, the CISO has a few options for addressing them.

One is to examine possible workload issues. Even the most resilient team members can burn out if the workload is crushing. If a staffer is exhibiting signs of burnout, an assessment can be made as to whether certain tasks should be spread out among other staffers, if possible. When taking this route, it's important for the CISO to let team members know that this is being done to gain more scale, not as a punitive measure.

If the burnout signs point to an especially stressful infosec assignment, such as protecting assets from threats that are rapidly increasing, a discussion regarding giving the staffer more support may help them feel less alone in a challenging situation.

The CISO may also consider a strategic operations analysis. Such an effort may reveal that although the team is generating more output with an increasing workload, burnout and turnover risk are also increasing, as is the likelihood of costly mistakes. Is the output worth the risk? Hiring additional help or outsourcing some tasks may in the end be cheaper than the long-term costs due to turnover and errors.

Such an operations analysis may also allow the CISO to better understand where workloads could be reduced. In some cases, it may reveal that certain time-consuming tasks are at least partially unnecessary.

Resilience Measures
Another way for a CISO to be a sustaining leader is for him or her to take forward-looking measures that help team members build up resilience so they are less likely to reach the burned out and depleted stage.

For example, granting team members some decision authority, whenever possible, helps give them a sense of autonomy and strength, and this helps them avoid feelings of powerlessness that can lead to depletion.

Offering coaching feedback that is timely and specific helps team members make adjustments and lets them know they are on a productive course, not just spinning their wheels.

Checking in with team members on a periodic basis to learn how they are feeling in terms of their own energy levels and internal resources helps keep CISOs aware of their staff members' well-being.

Finally, choosing a partnering style in working with team members, rather than a parenting style, is an excellent way for a CISO to help staff build resilience. The parenting style of management assumes that the leaders have knowledge that the team member will never have. This sets up the staffer for helplessness and lack of agency, which can deplete inner resources.

In contrast, a partnering style, such as one where the CISO solicits ideas, solutions, and perspective from staffers, cultivates the decision-making and problem-solving skills of team members, which fortifies their resilience.

This article is based in part on excerpts from Mark Tarallo's new book, Modern Management and Leadership: Best Practice Essentials with CISO/CSO Applications, published by CRC Press. You can find the book here: www.routledge.com/9780367558918