Feeds

IT staffers on ragged edge of burnout and cynicism

Stress survey says companies failing staff

Seven Steps to Software Security

RSA 2012 A survey of stress levels among IT security staff, thought to be the first of its kind, has shown that an alarming number of staffers are suffering dangerous levels of cynicism, leaving them depressed and unable to function properly.

The survey (securityburnout.org) was organized by Jack Daniel, founder of the Security B-Sides conference, joined by friends in the industry who are becoming increasingly concerned with the lack of support within the IT community for staff. So far, only 124 valid survey samples have been returned (which the team admit isn't good on a sampling level ), but the results are worrying.

Less than half of those surveyed felt that they weren't exhausted by their job, and 13 per cent reported levels of exhaustion and cynicism that are highly deleterious to someone's health. As an industry, IT – and particularly IT security – showed an average score for job cynicism that was at the extreme edge of what's healthy. Over a quarter of those surveyed felt that they were not achieving their job's goals.

"Other professions know that this is a problem and have strategies to deal with it, but there's no recognition of this in IT," Daniel told The Register. "In part it's because we're a very young profession that's constantly changing. But this needs a doctorate-level study, not something put together by six security professionals in their spare time."

He pointed out that security professionals are known for workaholic tendencies – joking that most people loved 40-hour weeks so much they worked two of them every seven days – but warned the risk of staff burnout is very real. The nature of the job was also an issue, in measuring the effectiveness of what you do – with IT security it only takes one mistake and the end result can be disastrous.

"There's a real business case for this," team member and cofounder of the SOURCE security forum Stacy Thayer said. "Five year ago, when I looked at what underperforming staff cost the industry, the figure was $90bn in lost productivity. Now it's $328bn."

IT pros = rampant substance abusers

Thayer remarked that alcohol abuse was rife in the industry, and as an organizer she was constantly being asked to set up bar facilities in events at all hours. Team member Martin McKeay, security Evangelist at Akamai Technologies, agreed, saying that alcohol and drug abuse was common in the industry.

"When you go to conferences you realize how much stress behavior we show," he said. "How many people get drunk and then get fired because of behavior at conventions – it happens with every ShmooCon and DevCon. That's an indicator that there's a problem."

Some companies are at least recognizing there is a problem. Josh Corman, director of security intelligence at Akamai and a team member, praised companies like SpiderLabs and Trustwave, which allow staff to take time out during the week on research that really interests them. Staff were happier, he said, and the work fed back into the company.

Management may also be the problem, not the IT worker. "As an experiment," Corman said, "explain to your children what it is you're trying to explain to your chief security officer. If they get it and he doesn't, then the problem isn't with you."

He also pointed out that security staff are at a premium at the moment, and there is zero unemployment in some sectors of the market. Staff shouldn't be unwilling to jump ship – indeed, spending too long at a company is seen by some employers as a sign that a staff member has reached their intellectual limits.

IT staff should also learn from other high-stress professions. Security consultant Gal Shpantzer pointed out that in careers such as piloting or military special operations, people never work alone, and always worked in pairs at minimum. The industry could learn from this, he said.

"Despite the media portraying elite troops as lone wolves, in fact they never go out in units of less than two. It's OK to ask for help, and it's usually a really bad idea to rely solely on yourself – you can't win this battle alone."

The presentation, given at the RSA conference in San Francisco, was a popular one. RSA's opening day is traditionally slow, with low attendance ahead of the main keynotes tomorrow. But Daniel's session was packed, leaving many unable to participate due to overcrowding – and indicating that he could well be onto something. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.