
A week ago, to kick off RSA, there was a Professional Development Track Session (PROF-001) on the topic of stress and burnout in the Information Security industry. One of the comments made at the track was that if you do a Google search on this topic, nothing comes back. That’s something that’s easy to fix, and it is important that those of us who can participate in and contribute back to the community do so.

The focus of the session was on recognizing that there has previously been a dearth of work either to identify people at risk in the community or to create a support structure, complete with triggers, to keep people from getting to a point where intervention is required. In order to know the true state of the information security community, an effort is underway to solicit feedback from practitioners. In addition, there are forums for discussion available. Both of these resources are at

There are some slides available on the research done so far, and if you have access to the RSA content, the presentation I attended is there. Looking forward, there is an open request for more participation as we build this knowledge base, as well as a request to be aware that this is a problem that exists. Even without research, we can respond to a real need in our community. We can, as both employees and employers, evaluate how we do (or do not) provide support for our InfoSec employees.

“The capacity to influence organization policies, especially those with a direct impact on a staff member’s work, reduces susceptibility to burnout. (Leiter, 1991a) Organizational settings that undermine staff member’s autonomy reduce their potential for significant accomplishments, and also increase their tendency to become cynical and distant from their work. In contrast, organizational environments that provide staff members with a sense of control enhance engagement with work.”

In addition, we can learn from other high-stress jobs, such as aviation, scuba and special operations, where the design of the program requires that the people on the tip always have a partner. This enables both collaboration and a safety net in which no one person feels the burden of the job entirely upon themselves. If you don’t have the ability to create a real partner program, can you evaluate the options for rotation? Can you somehow pull people off the tip for extended periods of time, so that there is an opportunity to catch their breath before diving back into the fray? As we know, security has no finish line, so a full-out sprint will never last the distance.

Lastly, we can keep in mind the immense scale of our InfoSec environment, which is why it’s been identified as potentially the most intellectually challenging work ever. We have an obligation to the community and ourselves to try and be forgiving of the real impossibility of knowing everything. Unfortunately, I didn’t catch who originated this quote, but it resonates so much that I hope someone will provide me with its rightful accreditation:

It’s too wide to master, too deep to know and too fast to photograph.