Burnout is a health hazard in any high-stress workplace, especially in any industry where highly skilled professionals must tackle urgent demands at unpredictable intervals and where effective response is time-sensitive or even urgently needed. Employee burnout is a security and business continuity issue. It directly impacts both an employee’s performance and the organization’s stability and resiliency. In fast-paced environments, it can be difficult to tease out the symptoms of burnout under the best of times. And these are anything but the best of times. The personal pressures the pandemic places on all of us as individuals, the communication gaps that can arise from remote working as a security team member, the pressure of supporting a hybrid/remote worker population that likely includes security-apathetic non-security team members, and the “scan-demic” exploits and phishing campaigns to which user communities are more likely to fall victim all take a toll on security team members. The effects can place such employees at risk of burnout… and this is how attackers can get in.
Teasing Out Potential Burnout
It can be difficult for even the best managers and team leads to determine when a reliable employee is suffering from burnout. Here are indicators to watch for:
- Are tasks being handled within an expected and acceptable timeframe?
- Has a normally good-natured person become either withdrawn, frustrated, more sensitive to and around others, quick to anger or more frequently out on sick days?
- Do they react negatively or fail to react and engage when being given new assignments that would benefit from “in the game” exchanges of information and guidance?
- Are email responses lagging?
It’s difficult for managers to determine the morale and mental status of remote team members, but especially now, it’s crucial for an effective manager to take the added time, effort and steps required to regularly check in with their employees. If you suspect either burnout or heightened levels of stress (which can come through as hypervigilance), it’s important to be responsive.
How to Reduce the Occurrence of Burnout
If you see signs of burnout, here are steps to consider taking:
- Time off: Help them overcome any level of guilt they may associate with taking time off – even if it’s just an extra day or afternoon. Be supportive as a manager, and assure your team members that it’s okay.
- Check in: As a manager, set up weekly one-on-one virtual meetings with your team members to help figure out what to prioritize and whether specific tasks would benefit from additional talent. Ask team members to make to-do lists and go over them together to make sure you’re on the same page with regard to priorities.
- Weekday downtime: Remind employees that time off should be just that. They should not be expected to look at and respond to emails when it’s not during work hours. In fact, they should be discouraged from doing so. More miscommunications (and most phishing attacks) tend to occur during off hours – late at night, weekends, etc. Let them know that they need to be awake before they check emails. Enjoy that first tea, cup of joe or other morning ritual. And definitely, they are not to open any emails during happy hour!
- Implement a regular weekly “No Meetings” day: These are days when no meetings or calls are scheduled so that everyone can focus on their own to-dos and catch up on anything that might have been put on the back burner. This really helps in lowering stress levels, and as icing on the cake, it also improves focus and attention dedicated to your projects.
- Make your security team’s job a bit easier by reminding non-security employees that they must follow strict security and communications hygiene. Examples:
  - Wi-Fi passwords should be upwards of 50 characters in length.
  - Reinforce the importance of cybersecurity to all employees. Since most may still be working remotely or may likely do so in future, remind them that they each hold a key that can be used to take down the company through ransomware, phishing attacks, etc. – even if they’re not physically in the building or don’t consider themselves a target. Everyone is a target.
  - Remind employees to be smart and aware when using Bluetooth devices out in public. Attackers lurk everywhere.
  - Be extremely careful about clicking links, especially on mobile devices, and double-check any incoming requests to click a link or share anything of value (whether a transfer of funds or a login credential) through a sender’s trusted second channels such as Slack, IM, text, etc.
- Don’t micromanage: Learn to trust your workers. When you micromanage, you are setting them up for burnout.
Burnout is a serious problem, and the stakes have never been higher. If burnout is suspected, be there for them. It’s your job.
About the Author: Chloé Messdaghi is an InfoSec Advocate & Activist who strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to fight for hacker rights. She is the VP of Strategy at Point3 Security, Founder of WeAreHackerz (formerly known as WomenHackerz) & the President and cofounder of Women of Security (WoSEC), podcaster for ITSP Magazine's The Uncommon Journey, and runs the Hacker Book Club.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.