It's no secret that many IT professionals find their work stressful. According to a recent survey, 79 percent of IT admins are considering leaving their jobs due to work-related stress.
A Reddit discussion of the survey drew more than 600 comments, some from folks who sound as if they are at the breaking point. User gnarlesincharge, for example, referred to his job as "a gut wrenching roller coaster of stress most days."
While many IT pros seem stressed, are information security professionals even more stressed than most?
Out of Control
Jobs with high levels of unpredictability are stressful, especially for people who enjoy being able to control their environments, said Jack Nichelson, global information security and network manager for Ohio-based manufacturer GrafTech International. That description tends to fit security pros, many of whom were server or network admins before switching to security.
He and other security pros "pride ourselves on being able to command technology to be able to do what we expect it to do," Nichelson said, noting that the proliferation of data and devices has made traditional security techniques ineffective. "The walls we were comfortable with to protect our data are no longer secure. It's beginning to break down."
Data breaches seem more personal now than they did in the past, Nichelson added. "They aren't just going after servers now, they are going after people."
And the stakes are getting higher as bad guys pull off hacks that end up in newspaper headlines and send companies scrambling to try to contain damages, he said.
"When there is a security issue or breach, it can be very hard to figure out exactly what is going on, even when you do forensics or bring in outside experts," Nichelson said. "When there is a data loss, it comes right back to the person in charge of security. What was the strategy? Were the right controls in place? Were you implementing them correctly and reviewing them regularly? You will be in front of your CEO, your CFO, your general counsel, all of whom will have questions."
As the security landscape changes, infosec pros find it tough to keep up, said Bill Gardner, an assistant professor who teaches Digital Forensics and Information Assurance at Marshall University and is also president and principal security consultant of Blackrock Consulting.
"The pressure to keep up with the latest developments in the field and to keep certifications and training up-to-date is relentless and underfunded. People do not understand or appreciate what we do. As a result, information security folk feel overworked, undervalued, and generally burnt out," Gardner said.
These issues are often exacerbated by a disconnect between security organizations and other business units, said Jack Daniel, a technical product manager at Tenable Network Security and a former director of the National Information Security Group. "Business people do not understand what we do and we sometimes do not understand what they do, and they do not always listen to us," he said.
Sergio Galindo, general manager of the Infrastructure Business Unit at GFI Software, sponsor of the survey that found nearly 80 percent of IT admins are considering a career change, suggested that companies need to provide "realistic IT budgets and staffing levels" and also invest in technology that automates personnel-intensive activities like deploying software updates.
While bigger security staffs and budgets certainly won't hurt, Nichelson said infosec pros may find even more value in learning soft skills that can help them better cope with crises on the job.
"You are never going to have enough people and money. You're always going to have pressure, and your boss is always going to have high expectations," he said, noting that infosec pros can benefit from learning how to better manage their time, prioritize tasks and communicate with others.
For example, he said, infosec pros will find that clearly communicating the reasons behind policy changes tends to cut down on complaints from users. "If you push through a policy you know will protect your organization but do it without explaining why it's necessary, then you are disliked. But if you take the time to build relationships through education and create more of a partnership relationship, you won't get so many angry calls."
Many security professionals will require a nudge to obtain such training, he said, noting that if given a choice most of them will choose to take classes in technology topics instead.
Reducing Infosec Stress
What else can security professionals and their employers do to bring down stress levels? Tenable's Daniel offered some tips.
Offer flexibility. "Micromanagement drives everybody crazy, but for security people it's even worse," said Daniel, suggesting that employers should offer infosec pros some flexibility when possible. "So you could present a set of goals and say something like, 'You need to accomplish these three things in the next month. You can prioritize them in the order you want as long as all three things get done.'"
Encourage a team outlook. While many infosec pros prefer working solo, Daniel said it makes sense to build a team mentality. "It may be a challenge because strong egos are likely involved, but it's helpful," he said. "Soldiers do not go alone, first responders do not go alone, Boy Scouts swim with a buddy. It's good to know someone has got your back."
Small changes can make a big difference. If possible, give security pros time to pursue personal projects. "If you've got someone who focuses on crisis-reactive tasks, give them one day a week or one day a month to explore other things in the security environment," Daniel said, adding that helping infosec pros obtain training to help keep their skills fresh is a good idea too.
Make them mentors. It can be helpful for security veterans to heed the advice they give to up-and-coming infosec pros. "If a younger person asks you about keeping skills up to date or how to keep from stagnating on the job, you might find yourself saying, 'Maybe I should listen to what I just said.' It makes you hold the mirror up to yourself," Daniel said.
And for infosec pros:
Find new outlets for your expertise. Acknowledging it seems counter-intuitive to recommend taking on more projects, Daniel said infosec pros often benefit from giving presentations at local user groups or tech meet-ups. "It reminds you that you know what you are talking about and gives you the opportunity to feel good about contributing back to the community," he said. "Plus if you do even a halfway decent job, people will say things you don't hear often enough at work, like thank you."
Know when to say when. Though Daniel said he does not encourage people to respond to stress by leaving a job, he said sometimes it is a necessary move. The good news: "If you have reached that point and you have a current skill set, it's probably not a bad time to be there," he said.
Why Infosec Stress Matters
Above all, said Daniel and Nichelson, it's important for companies to recognize the costs of stressed-out security pros.
"If your company suffers a breach, these are the people that will run your incident response. These are the people who will update your general counsel, your CEO and CFO. They will coordinate with IT and with an outside forensics firm. They may assist with writing press releases," Nichelson said. "If this is someone under extreme pressure and having a hard time, are they going to make the best decisions? Are they going to manage the situation correctly? Could they cause more risk and pressure if they mismanage an event because they can't handle the stress?"
"Companies need to ask themselves: Do they have an adequate number of people to do what needs to be done? Can they find qualified people easily? The answer is inevitably no in both cases," Daniel said. "So can you afford to burn out and drive out your existing talent? No."
Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.