The following article originally appeared in eWeek.

Cyber Burnout

Cloud security professionals are already in short supply. Combine that with alert fatigue, a surge in demand, and the “always-on” nature of the modern workplace, and it is clear why employee burnout is increasing.

In 2019, Gartner projected that the cloud market would grow to $355B by 2022. Reaching that level depends on the development and advancement of cloud-native security solutions, which puts tremendous pressure on cybersecurity organizations and the employees developing them.

Understaffed Security Operations Centers (SOCs) eventually reach a breaking point, which typically leads to additional exits or oversights – and can lead to costly breaches.

These factors create a negative feedback loop within SOCs. Workloads increase for those who stay on, and the quality of work suffers, which yields further burnout and resignations and the increased potential for more customer breaches.

So, how does a cybersecurity organization get out of this negative feedback loop?

6 Ways to Avoid Cyber Burnout

Strong Security Leadership
As a security leader, particularly one who oversees InfoSec teams and functions, you have a fiduciary duty to fight internal battles and deliver a message that resonates with internal stakeholders. You must persuade employees to think long-term and understand the consequences of slowed productivity or inadequate quality of work.

Many security professionals have achieved recognized technical expertise, but the leader of the security group must also be able to effectively communicate the risk the current security staffing level poses to the organization. They must ensure that this risk is within the risk tolerance of the company.

Addressing these problems might require building relationships outside the technical groups because, ultimately, securing additional resources means the company may not fund something else. This might also require a focus on other skills, such as communication. It’s easy to de-prioritize these soft skills when technical work might be more fulfilling.

Effective Hiring and Mentoring
Leaders should focus on effective hiring and mentoring. Some security teams have a haphazard approach to hiring, but to attract and retain the necessary talent, leaders must inhabit the role of a manager entirely. If the transition from being a “doer” to a hiring manager is not complete, teams may suffer because leaders select the wrong person or don’t satisfy a new employee’s particular aspirations, which results in the new hire not being fully productive.

Many security teams are small, and because of this there may be less focus on being an effective hiring manager and an effective manager overall – the technical demands are simply too pressing.

Treat talent acquisition as a team sport. Everyone on a security team should know about skill and resource gaps and tap their networks for the best possible hires.

Prioritize Ability
Hiring managers, talent acquisition, and people operations professionals should actively make tradeoffs wherever possible. Ability can—and should—trump pedigree and years of experience.

Open your criteria and seek talent that can demonstrate results rather than the ideal education, previous employment, or years of experience. This strategy widens the candidate pool and levels the playing field for candidates from all walks of life who are passionate about cloud security and want to make it their life’s work.

Enable Great Work
Enable the best work possible from your staff. Hiring new cybersecurity and cloud computing professionals is just the beginning. It is critical to have clear deliverables and a metric-based understanding of what success looks like for a SOC role during the onboarding phase.

Communicate this to the new hire and the incumbent team. After all, the team cannot help a new hire succeed—and improve their own circumstances—if the goalposts are always moving.

Support Continued Learning
CISOs and people operations professionals should encourage continued learning and development, and build an infrastructure that supports it into the employee guidelines. Cloud security evolves daily, and skill stagnation could be the poison pill that kills a team’s productivity and effectiveness.

Consider Vendors or Partners
Security teams are inclined to action and, therefore, tend to build a feature on their own to solve a problem. That’s because it’s often easier (and faster) to tackle the problem directly than to buy a product or a service.

But by accepting help from a vendor or partner, leaders can become comfortable evaluating a product or service, negotiating the right terms, and then effectively monitoring the deployment of the product or service. This frees up time for teams to focus on other projects and avoid burnout.

Conclusion: Be Willing to Invest
Invest in your team and you will reap the rewards. Perks like lunches or gym memberships are great, but if companies don’t do the hard work of meaningful investment in employee development, retention will continue to be an issue. Free burritos will never make up for an employee who feels that their job satisfaction and career development are stagnant or, worse, in jeopardy.