teissTalk: Protecting yourself and your infosec colleagues

On 20 April, teissTalk host Thom Langford was joined by Kerissa Varma, Managing Executive - Cyber Security, Vodacom Group; Kiera Lillie, Head of Information Security and Compliance, EMIS Group; and
Chris Waynforth, GM & VP International, Expel.

 

Views on news

New research conducted by Expel has reported about cybersecurity budgets unspent, IT team burnout, and a mostly reactive approach to security. The report has found that many IT teams sense a breaking point, with team members experiencing burnout and a negative impact on their work/life balance when they regularly miss personal commitments because of cybersecurity risk. Cybersecurity is typically part of the IT budget and therefore often has a technology focus and little emphasis on people and processes. Also, usually, more time is spent on purchasing new technology than getting the basics right.

 

There is a strong demand from companies to understand what technology is good for in plain English, while vendors, for example, use a lot of acronyms and buzzwords. There are two opposing trends – while cybersecurity budgets have been increasing sharply, the available talent pool is shrinking. As shadow IT is becoming common practice, breaches via the cloud are becoming more frequent, but regardless of whether the CISO has been involved or not in buying a cloud service, if something goes wrong, the buck stops with them. Cybersecurity is often seen as a monolith, but it comprises many different areas from training and education to policy to processes, which can’t all be covered by 2-3 people – a common number of personnel for the function. 

How to detect and fight burnout

Burnout among cybersecurity professionals is now highly recognised. There is always a risk of overburdening the superstars of your team, and leaders tend to be oblivious of it while concentrating on colleagues who don’t perform so well. Co-workers may be faster to pick up signs of burnout than line managers - everyone should be looking after each other. Also, different cultures will express anxiety in different ways.

 

Signs are even harder to pick up in a distributed work environment. Rewarding people who keep overperforming can also create a self-perpetuating cycle. What is often seen as moaning by younger generations can function as a more effective coping mechanism than sucking it all up. Cybersecurity incidents are periods when pressure peaks.

 

Unlike the military, cybersecurity is not seen as a high-risk career. To improve the preparedness of the organisation for cyber incidents, incident response needs to be practised across the whole organisation on a continuous basis. Cybersecurity people have to avert and manage threats, but their performance is only measured by failure, and that can make them feel being on edge all the time. It’s also key that leaders model authenticity by not being afraid to show their vulnerabilities from time to time. 

 

The panel’s advice

Choose which fires you let burn, as you can’t address all vulnerabilities but only prioritise the ones that present the highest risk.   

People will give different reactions to pressure and stress. Some signs are obvious, but you’ll also have to care about colleagues who tend to withdraw when the burnout process starts. 

Staying calm under extreme pressure is a skill that cybersecurity professionals should acquire on the job - and many of them do.

Sharing information internally about attacks that the SOC team prevented from happening may be a good approach to giving more recognition to cyber teams and fight burnout and fatigue.