How Information Security Teams Can Help Reduce Stress and Burnout

Work across the organization and take practical steps to ease user stress — prioritize user productivity by offering the right tools to avoid shadow IT and cultivate a transparent security culture. Remember the security team, too, and automate as many processes as possible.

Jadee Hanson, CISO and CIO, Code42

June 15, 2022


The art of balance has never been as important as it has been in the past two years. The toll that job pressures and burnout take on the workforce is at an all-time high and at the forefront of daily conversations.

As security leaders, we can't ignore the list of ramifications that stem from employee burnout, such as apathy, disengagement, or other more serious mental health concerns.

Practical Steps Toward Security

Although battling something as big as employee burnout may seem daunting, there are practical steps security teams can take to streamline and ease user stress when it comes to security.

  • Cultivate a transparent security culture: Cultivate a proactive and interactive security culture to create a safe place for employees to ask questions and have transparent, open communications with security. Promote and ensure data-use policies are clear and concise. Be transparent about what you're monitoring and collecting, as well as what you're doing with that data.

  • Investigate with empathy and assume positive intent: Over three-quarters of insider data breaches this year have been considered nonmalicious. When you see possible data exposure or leaks coming from an insider, first presume that the user had positive intentions and approach the situation with empathy. That means asking questions to get context about the situation and a clear solution for reversing the action before it causes any damage to the organization.

  • Minimize shadow IT, prioritize user productivity: Provide users with the right tools they need to do their jobs — and make it easy for users to contact the proper people if they want to use an alternative — so they don't have to or won't be tempted to go around security. For common business practices like sharing files externally, share the "best practice" method and make this information easily accessible to users. The more security can prioritize users' work preferences, the less burnout users will have in the first place.

Standardize Security Best Practices

I would be remiss to discuss burnout without acknowledging burnout among security teams. For chronically understaffed security teams who operate in a constantly evolving environment where threats, zero-day vulnerabilities, and data loss incidents are everyday occurrences, there unfortunately is no silver bullet to reduce stresses on security and technology teams. However, the one critical tip security teams should take is to:

  • Automate, automate, automate: Turn fire drills into standard operating procedures and automate work wherever possible. Security should create workflows to manage the most common security alerts that require the most standard response, which frees up time to focus on the most pressing security concerns instead of spinning unnecessary cycles and fueling burnout across security teams.

As we look toward the second half of the year, I encourage security leaders to take factors like workplace burnout and employee retention rates into consideration in tandem with the general movement toward more empathetic workplace cultures.

The notoriously stoic cybersecurity culture is changing. I expect that we'll see more organizations adapting to this shift, changing traditional titles such as "Security Manager" to "Security Culture Manager" to align with the overdue need to recognize that the culture a security team brings to the overall business is as important as the protections it brings to the business.

Security leaders — and their teams — play a strategic and impactful role in helping to create a safe space for employees at work. When they work across the entire organization, they can have more impact on the security culture and innovation of the company altogether so that mental health and well-being can be top of mind for all.

About the Author(s)

Jadee Hanson is the Chief Information Security Officer and Chief Information Officer at Code42, where she is responsible for business technology strategy and purchasing and leads global risk and compliance, security operations, incident response, and insider risk programs. Prior to Code42, Jadee held senior leadership roles in security at Target Corporation, where she implemented compliance, risk management, and insider threat programs. She also served as the security lead for the sale of Target Pharmacies to CVS Health. Before Target, Jadee was a security consultant at Deloitte. Jadee also co-authored the book, Inside Jobs: Why Insider Risk Is the Biggest Cyber Threat You Can’t Ignore, and in addition to her day job, Jadee is the founder and CEO of the nonprofit organization Building Without Borders.
