If you work in this field (information security) long enough, burn out is something you’re sure to encounter. You will fight against burn out yourself, meet somebody who is on the verge of burn out, or sadly, meet someone who has already burned out.
We work our asses off. The hours are long. The stress is real. Isolation comes with the territory.
If you are on the verge of burning out, please seek help (from me, a colleague, a friend, a counselor, etc.). We need you. We need you to fight beside us. We need your ideas. We need your perspectives. We need your wisdom. We need your support. We need your passion. We need your skill. We have serious information security problems in society. In fact, we’ve created more problems than we’ve solved.
WE NEED YOU FOR THE CREATION AND IMPLEMENTATION OF SOLUTIONS TO SOCIETY’S INFORMATION SECURITY PROBLEMS.
The letter below is hypothetical. It’s not written to anyone in particular or with anyone in mind (except the information security professional). It’s a raw dump of frustrations I’ve heard over the years from my brothers and sisters in arms.
Dear <INSERT NAME OR TITLE>,
You may not care, but you should. I’m holding shit together while you focus on life. Some of my frustration stems from your view that information security (or “cybersecurity”) isn’t part of life. The truth is, information security IS part of life. It’s a damn life skill!
Before you ask why I’m tired, I’ll tell you. I’m tired because:
- I work 80+ hours a week to protect you and all that you are responsible for.
- I’m fighting a fight I cannot win, especially without your help.
- I’m asking you to help, but you aren’t listening.
- We’re under relentless attack, but you don’t see it, so you don’t care.
- You think “it won’t happen to me” and I’m afraid it already has.
- I’m losing support from my family because they’re sacrificing their time with me while I protect you (and worse, they don’t understand why I’m doing it).
- You won’t step up and take responsibility for what’s yours.
- I need you to help me solve problems, but I can’t get you to participate.
- You think this is my responsibility, but it’s not, it’s yours.
- I tell you things with honesty and transparency, but I don’t think you trust me.
- We’re understaffed and underfunded, but you keep telling me to do more with less.
- I need you to champion this cause, but you do nothing more than tolerate it.
- I want to teach you about information security, but you are too smart or too busy for education.
- You don’t see the value in me because I’m nothing more than a cost center to you.
- You will blame me when things go wrong, but you don’t notice when things seem OK.
- Your demands for more technology and gadgetry makes protecting you harder than it already was.
- I sit behind a screen all day and my physical health is declining.
- I deal with the dark shit of this world, mostly alone, and my mental health is at risk too.
Despite all this, believe it or not, I LOVE what I do. I love what I do because I love doing good, fighting against evil, and protecting people like you. It scares me to think of doing anything else for a living. You pay me well, so I’m not complaining about money.
You know this isn’t about money, right?!
My work and passion runs deeper than money. Money provides the means to my cause, but it’s not the cause. I do what I do because I want to make a positive difference in your life and I want you to be healthy. I do this because I care about you, obviously more than I care about myself sometimes. I’m here to serve. I am here to help. I answer the phone when you call. I’m here to respond when things go wrong, even if it means I take the blame.
This is my duty and my promise to you.
Sometimes I ask myself if it’s worth it. Is the frustration worth the reward? Is this all worth it, knowing that I’m destined to fail?
You might be inclined to ask “what do you mean, destined to fail?!”
I’m destined to fail because you ask me (directly or indirectly) to do the impossible, you won’t enable me to succeed even it were possible, and you have expectations of me that can’t be met
You ask me to keep you “out of the news,” but I can’t promise you that. No matter what I do, I can’t protect you from all the bad things that can/will happen. I’ve always told you the goal is risk management, and not risk elimination. Risk elimination just isn’t possible.
I don’t want you to take pity on me, and I don’t want any outward acknowledgement. I want you to own what’s yours! I want you to get in this game and play ball. You can delegate all sorts of things to me and others, but you will never be able to absolve yourself of your ultimate responsibility. The wolves in our industry will fool you into thinking they can solve all your problems without your attention or worry, just your money. They can’t. It’s a lie. They prey on your ignorance to mislead you and steal your money, not unlike the attackers we’re trying to fight against in the first place!
All of us need you to step up. We need you to own what’s yours. We need you to lead. Ultimately, the security and safety of all things and people under your control is your responsibility. It’s time to step up before I give up. I’m your best hope, but we’re hopeless without each other.
-Information Security Professional (on the verge of burnout)