American poet and theologian Robert Frost spoke eloquently about diverging from the crowd by stating, "Two roads diverged in a wood and I – I took the one less traveled by, And that has made all the difference." Frost deviated from the well-worn road and, in effect, chose to experience another reality and learn from another set of expectations. These expectations manifested in a difference in all aspects of his life.
Now, if we apply this divergence Frost spoke of to the cybersecurity career and examine the current crossroads before us, we can see that change – or, more specifically, balance – is needed.
With one Internet search on life balance, it is easy to see the many views on life balance. Buddhism, Taoism, Ikagai, Christianity, and many other theologies all focus on the idea of balance. For example, technology journalist Yukari Mitsuhashi wrote an article for the BBC detailing the Japanese affinity for balance in work and life while maintaining low stress and overall happiness with life. David A. Bednar, former president of Brigham Young University–Idaho, spoke more than 10 years ago about the importance of balance in our lives, specifically technology's potential effect on mental and spiritual well-being.
But regardless of theological or religious leanings, learning how to balance our lives with the bombardment of requests, priorities, essentials, must-haves, and needs is a discipline we cybersecurity professionals can't afford to ignore.
After all, we are pulled in many directions and involved in many competing priorities that often oppose our very commission to secure information, data, money, and people. With all of its facets, cybersecurity is a mentally and emotionally demanding career in which many of us may experience technology addiction, emotional indifference, malnutrition, unhealthy stress levels, loneliness and isolation, depression, and/or a sense of fatigue from chronically losing uphill battles (what I refer to as the "why bother attitude"). Any of these, over time, can lead to burnout and a degradation of mental health, which directly impact physical health. I have personally experienced a number of these issues in my own cybersecurity career.
There are techniques we can try to help minimize and manage burnout, but they don't get to root cause. Time management and organization, as examples, are critical elements to the solution. But they don't truly remediate the imbalance stemming from being on the corporate or consultant "grid" for large swaths of time.
So how do we get to the root of cybersecurity's burnout problem and fix it? Well, it depends. Some organizations have attempted to turn the tide of poor employee mental and emotional health by employing a variety of methods, such as frequent hardware refreshes for staff (including larger monitors, quicker machines, and more bleeding-edge devices), team-building activities, physical and emotional wellness campaigns, and monetary incentives.
While these efforts can make a difference for some people, they don't necessarily scale and can quickly become expensive. In addition, they typically focus only on work versus overall life balance.
In my opinion, we need a more holistic approach to mental health and balance in work and life. Cybersecurity is a highly demanding career; employers and executives must push past generating results for the organization and move toward empowering employees to increase their personal balance. This will lead them forward – to a true understanding of themselves. Starting with a personality assessment like Myers-Briggs or the Enneagram gives context to who we are as individuals, which leads to a better understanding and balance of views of ourselves and others.
One of the more modern concepts about allowing for more balance is the idea that a full eight-hour workday is not truly an effective way to work. Many workweek experiments outside of the United States show that a "full" 40 hours of work doesn't always translate to a fully engaged staff. Shorter workweeks have the potential to provide a more condensed, focused workday, while giving time for employees to employ more balance to their lives. Some US-based companies have tried shortened workweeks, but the adoption rate to date is negligible.
Another concept that has been brought forward for alpha testing is a results-based work schedule, which allows employees to accomplish a weekly set of deliverables in the time that works for them. Generally speaking, if the work is accomplished, regardless of how fast, for the week, the employee keeps the time left over, thereby increasing life balance. I have seen this at play with very structured and projected workload teams, such as project or consulting teams, such as MSSP companies.
It's important to note that change doesn't happen overnight. Many conversations about balance need to happen among employers, employees, and, as needed, health professionals is key. Talking through your thoughts with peers, trusted friends, or family can also help you figure out your needs and how to articulate them.
Today's organizations are focusing on employee satisfaction scores and vying for a slot on "best places to work" lists. All the while, cybersecurity pros are fighting uphill battles to protect all that their employers, and society, hold dear. It is my belief that employers focus more completely on the whole employee and aimfor balance in all aspects of their lives.
I have heard it said many times in new-employee orientation classes that when these people come onboard, they are joining a family. With that in mind, let us work together to find balance and be catalysts for change to increase our ability to be whole, inside and out.