Burnout among security teams is a very real, very costly problem. I have seen it within my teams and at times within myself. Moving a million miles an hour, switching gears among dozens of projects, putting out fire after fire. Sometimes you just hit a wall.
Security professionals are the equivalent of the Dutch boy who put his finger in the dike. Only today, that dike is riddled with thousands of holes. One survey concluded that the average enterprise sees more than 10,000 security alerts daily, with nearly 30% of them reporting more than 1 million alerts. Alert fatigue sets in. Burnout rises.
People often think taking time off will fix the problem. But when they do manage to take a vacation, they may come back refreshed for a day, but burnout often re-emerges.
Instead of this rinse-and-repeat cycle, our security team has found a better solution to the problem, one rooted in a timeless Japanese workflow system known as “kanban.”
Crafting a solution
By definition, security pros have stressful jobs, with sophisticated threats coming from every direction and major security failures capable of crippling an organization. Compared with the average American worker, security professionals are:
- More than twice as likely to report poor work-life balance.
- More than three times as likely not to take a full vacation.
- More than five times as likely to worry about job security.
Similar stress extends to security management and leadership as well, where job security is tenuous. The average job tenure of a chief information security officer is 18 to 24 months—much shorter than the nearly nine-year average tenure of a CEO.
How people work naturally plays a critical, underlying role in security-staff stress and burnout.
The usual response to these challenges is to hire people and add technologies, including intelligent automation systems to reduce workload and time-consuming repetitive tasks. Both are important. But companies too often think these are a magic bullet.
I believe these approaches ignore, at their peril, the importance of workplace processes, the third leg of the “people, technology, and process triad.” How people work naturally plays a critical, underlying role in security-staff stress and burnout.
At Tanium, we received a CSO50 innovation award for our efforts implementing kanban, an agile workflow process that Toyota created to support “just-in-time” manufacturing and which is now used in software development. A central kanban insight is that multitasking looks good on paper, but rarely succeeds in practice. If everything in a workflow process is equally important, nothing is important.
The “just-in-time” approach ties very closely to the workload we see in cybersecurity, as opposed to other agile methods like Scrum, and allows us to continue to prioritize and reprioritize our tasks as things change on a daily, or even hourly, basis.
Making work visible also lets management gain insight into the team’s workload and the demands being placed on it.
Key to the kanban method is visualizing a team’s workflow. That way, everyone can see the team’s priorities and what everyone else on the team is working on. We have found that greater transparency inspires greater teamwork, as people see and share a challenge. When the team succeeds in a shared goal, it’s a win not just for one, but for all. It allows us to rely on each other and embody a one-team-one fight mentality.
Making work visible also lets management gain insight into the team’s workload and the demands being placed on it. Faulty workflow patterns quickly emerge. We can then remedy them by setting better stakeholder expectations or cross training team members on new skills. By empowering our team to take on new challenges we can close skills gaps, provide growth opportunities, and improve our ability to keep up with demand.
Tracking our metrics
We began tracking metrics: the time it takes to finish a task (cycle rate), the rate at which new tasks come to the team (arrival rate), and the rate at which our team finishes work (throughput rate). For example, when the arrival rate exceeded the throughput rate, we had a data-driven signal that either our processes and tools required further optimization or that we needed more people on a project.
In the end, we found that this workflow system improved the performance of our security analysts. By visualizing our work in one place, we quickly learned that our team was working on too many tasks simultaneously in an attempt to meet our increased demand. Rather than hiring more people or buying new technology, we used kanban to set limits on the number of simultaneous work-in-progress (WIP) tasks everyone could take on.
We reduced the inefficiencies caused by constant task switching, and we saw our cycle time shrink from 15 days to six days.
That sounds counterintuitive. But by reducing WIP tasks, we reduced the inefficiencies caused by constant task switching, and we saw our cycle time shrink from 15 days to six days. In other words, we could now complete two and a half tasks in the time it used to take us to complete just one. Additionally, our defect rate—the rate in which we produced a bug or a suboptimal output—decreased, on average, by more than half.
Ending the burnout cycle
Burnout is a deeply rooted, systemic problem among cybersecurity professionals. It creates a repeating cycle of onboarding, resource depletion, and departure.
Nothing hurts more than losing a member of the team to burnout. If one team member is feeling burned out, odds are that others are feeling it too. And when one person leaves, the problem only gets worse. Everyone else has to pick up the slack, leading to more burnout.
But things don’t have to be that way.
By adopting kanban, we improved our work-life balance. Gone were the burdensome and stressful task-switching and individual backlogs, replaced by a shared effort and faster completion rates. Because we finished tasks more quickly, each team member felt they could take needed extended breaks without letting down their colleagues.
Tackling the burnout epidemic head-on demands changing our culture. As cybersecurity leaders, we must let our teams know it’s okay to have a capacity limit. Sure, our jobs will always require us to push and even surpass that limit at times. But if we optimize our efficiency, we can ensure that our teams are not running too hot for too long.
We are never going to totally solve the burnout problem. But we can hold ourselves collectively responsible for finding new ways to deal with it. Leaders in the security field need to give agile workflow methodologies like kanban a try.