Feeds

IT staffers on ragged edge of burnout and cynicism

Stress survey says companies failing staff

Providing a secure and efficient Helpdesk

RSA 2012 A survey of stress levels among IT security staff, thought to be the first of its kind, has shown that an alarming number of staffers are suffering dangerous levels of cynicism, leaving them depressed and unable to function properly.

The survey (securityburnout.org) was organized by Jack Daniel, founder of the Security B-Sides conference, joined by friends in the industry who are becoming increasingly concerned with the lack of support within the IT community for staff. So far, only 124 valid survey samples have been returned (which the team admit isn't good on a sampling level ), but the results are worrying.

Less than half of those surveyed felt that they weren't exhausted by their job, and 13 per cent reported levels of exhaustion and cynicism that are highly deleterious to someone's health. As an industry, IT – and particularly IT security – showed an average score for job cynicism that was at the extreme edge of what's healthy. Over a quarter of those surveyed felt that they were not achieving their job's goals.

"Other professions know that this is a problem and have strategies to deal with it, but there's no recognition of this in IT," Daniel told The Register. "In part it's because we're a very young profession that's constantly changing. But this needs a doctorate-level study, not something put together by six security professionals in their spare time."

He pointed out that security professionals are known for workaholic tendencies – joking that most people loved 40-hour weeks so much they worked two of them every seven days – but warned the risk of staff burnout is very real. The nature of the job was also an issue, in measuring the effectiveness of what you do – with IT security it only takes one mistake and the end result can be disastrous.

"There's a real business case for this," team member and cofounder of the SOURCE security forum Stacy Thayer said. "Five year ago, when I looked at what underperforming staff cost the industry, the figure was $90bn in lost productivity. Now it's $328bn."

IT pros = rampant substance abusers

Thayer remarked that alcohol abuse was rife in the industry, and as an organizer she was constantly being asked to set up bar facilities in events at all hours. Team member Martin McKeay, security Evangelist at Akamai Technologies, agreed, saying that alcohol and drug abuse was common in the industry.

"When you go to conferences you realize how much stress behavior we show," he said. "How many people get drunk and then get fired because of behavior at conventions – it happens with every ShmooCon and DevCon. That's an indicator that there's a problem."

Some companies are at least recognizing there is a problem. Josh Corman, director of security intelligence at Akamai and a team member, praised companies like SpiderLabs and Trustwave, which allow staff to take time out during the week on research that really interests them. Staff were happier, he said, and the work fed back into the company.

Management may also be the problem, not the IT worker. "As an experiment," Corman said, "explain to your children what it is you're trying to explain to your chief security officer. If they get it and he doesn't, then the problem isn't with you."

He also pointed out that security staff are at a premium at the moment, and there is zero unemployment in some sectors of the market. Staff shouldn't be unwilling to jump ship – indeed, spending too long at a company is seen by some employers as a sign that a staff member has reached their intellectual limits.

IT staff should also learn from other high-stress professions. Security consultant Gal Shpantzer pointed out that in careers such as piloting or military special operations, people never work alone, and always worked in pairs at minimum. The industry could learn from this, he said.

"Despite the media portraying elite troops as lone wolves, in fact they never go out in units of less than two. It's OK to ask for help, and it's usually a really bad idea to rely solely on yourself – you can't win this battle alone."

The presentation, given at the RSA conference in San Francisco, was a popular one. RSA's opening day is traditionally slow, with low attendance ahead of the main keynotes tomorrow. But Daniel's session was packed, leaving many unable to participate due to overcrowding – and indicating that he could well be onto something. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.