What are the factors that lead to burnout in cybersecurity? And is the industry getting more stressful or are we finally opening up about the stress we’ve always experienced?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Shawn Bowen, VP, Deputy CISO – Gaming, Microsoft. Joining us is Patty Ryan, senior director, CISO, QuidelOrtho.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, GitGuardian

Full Transcript
Intro
0:00.000
[David Spark] What are the factors that lead to burnout in cybersecurity? And is the industry getting more stressful, or are we finally opening up about the stress we’ve always experienced?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me as my guest co-host, it’s Shawn Bowen, who is the former CISO over at World Kinect Corporation. Although I should say when you’re hearing this he’s the former CISO, but as we’re recording this, you’re still the CISO there, correct, Shawn?
[Shawn Bowen] Yes, I’m still responsible for the cybersecurity of World Kinect.
[David Spark] Good. But when they hear this, you’re not responsible for it anymore.
[Shawn Bowen] Well, I think there’s like a statute of limitations on some things. But yes, hopefully I am not responsible.
[David Spark] Our sponsor for today’s episode is GitGuardian – ship secure code, remediate vulnerabilities at scale. All right, let’s get to our topic at hand, which is a topic that I hear every time we go to a trade show, Shawn, and that is about, well, cyber burnout. So, for an industry that always complains about staffing shortages, it seems like we’re only just starting to think about how to take care of mental health of our current staff.
We’ve acknowledged that burnout is an issue, but what are the factors that cause it? So, I’m sure you’ve seen burnout in your industry before, maybe had employees deal with it, maybe yourself as well, Shawn, yes?
[Shawn Bowen] Yeah, absolutely. I think there are several factors to it. There’s a lot of folks, just as they are with any job, any career, we’re very passionate about our jobs. And that’s no different than a chef or a graphic artist or a dancer or whatever it might be, except for the break dancer from Australia.
[David Spark] [Laughter]
[Shawn Bowen] But we’re all passionate. And so we put in a lot more than just showing up to work, just clocking in, clocking out type thing, and so we carry some of those psychological components of it. And then I also think that there’s just a chaotic world that we live in of cybersecurity. It doesn’t have a solid structure.
We don’t have a way of working that is the same everywhere you go. And so as we’re figuring things out, that burden is laid upon people as well. And so it’s just a multitude of factors that weighs on people’s psyche showing up to work.
[David Spark] And we’re going to get into great detail of this all throughout today’s episode. Note, today’s discussion is based on a discussion on Reddit. I am not going to quote the Redditor usernames or handles, but you are welcome to go look for yourself as we’ll provide a link to the discussion on the blog post for this episode.
Now let me introduce our guest who is actually in studio. It’s a rarity. We don’t get this opportunity all the time. She’s the senior director and CISO for QuidelOrtho, none other than Patty Ryan. Patty, thank you so much for being here physically.
[Patty Ryan] Yes. Thank you very much for having me. I’m looking forward to this.
Why is this relevant?
3:12.783
[David Spark] One Redditor said, “Legacy unsupported hardware and software with thousands of unmitigated vulnerabilities that the organization refuses to upgrade because it’s too expensive or too hard.” So, referring to one frustration from cyber professionals. Another said, “Worst is a myth of the security person being a super hacker so they will know how to fix whatever BS is thrown at them.
I love incident response work but put me on call for an entire year at a place where 95% false positive rate is a good day. I’ve moved over to a more dev-like role and couldn’t be happier. No more BS waking up in the middle of the night for alerts we aren’t allowed to tune out because, ‘What if it’s the big one?'” So, both of these Redditors complained about just the overwhelming onslaught that they don’t seem to be able to fix.
Have you worked in environments like this, Shawn?
[Shawn Bowen] Absolutely. I think I just had a meeting about an hour ago where we were discussing technology, and the comment from one of the business leaders was, “Whatever solution you provide to me has to be free.”
[David Spark] What?
[Shawn Bowen] And what we know that that’s… Yeah, it’s one of those things where we’re trying to move on from an older system. And you look at the cost that requires to invest in it. And you have to come up with a really good business case of where you have to spend X dollars to upgrade this operating system or upgrade this platform, whatever it might be, and that’s going to take away from our bottom line.
So, are we going to reap any benefit? It doesn’t increase our revenue to upgrade as a person talks about old hardware. Upgrading your operating system from 2003 to 2019 isn’t magically going to increase any profits, so you have to have a very good case on it, and it’s generally back to what if something happens?
And that’s not the mindset we want to be in, but you have to weigh out a lot of factors in the risks and the opportunity. What’s the impact if this happens? And then there’s the whole, if it’s an internal or external system, I think that managing your attack surface is very important and prioritizing that.
And that’s something we don’t do. We treat a lot of things…everything as equal. It’s unfortunate to hear the comment about the false positives, you know, what if it’s the big one? That to me just implies someone who doesn’t have a grasp on – not the person that posted it, but the person who’s making that comment – doesn’t have a grasp on the reality of what’s happening.
You should find things and tune those out so that you’re paying attention to what’s important. And I think that there’s also…
[David Spark] I think in this situation the concern is the fact that they don’t have the power to tune it out. You’re talking here, but we’re talking about burnout, and this is not the issue.
[Shawn Bowen] Well, that’s why I say it’s on the leader’s fault for not understanding the risk and managing it. Because I think there’s also a difference between false positives and benign true positives, which you have to be aware of.
[David Spark] All right. Let me toss this to Patty. Patty?
[Patty Ryan] I think actually a lot of this comes down to the management and what people think about cyber. I consider myself a reporter. I am providing your grade, so to speak. The risk is not mine. The risk is the business’s, and the risk is something that the business needs to understand completely and accept or understand what their role is in all of this.
[David Spark] Yeah. And our audience totally knows this. They get this. But I want to focus on the obvious frustration of these two Redditors, like it’s too much for a human to handle. And I agree with them. And again, if it’s happening the way they describe it.
[Patty Ryan] Well, actually, I would look at them and say, “Is this what your management actually thinks your role is? You cannot fix everything. So, what do you say the structure is in your leadership as part of your function there?” I’ve been in that position. I’ve been the one that was on call all night.
I’ve been the one that’s had all of those types of things happen. And it does get frustrating, but then you have to sit there, say how much can you do? Right now, the sun is going to set tonight, regardless of whether or not you had 95% false positives or 50% false positives. You have to have the perspective that this is just a day.
And I think a lot of people lose track of this part of the passion that Shawn had mentioned earlier. I think part of the expectation of business leaders, they don’t understand the role, and they don’t understand what people are supposed to be doing. So, they have unrealistic expectations on nothing is going to go wrong.
Nothing is going to impact anything. It’s going to be cheap and free. And it’s not.
What’s going on?
8:01.101
[David Spark] One writer has said, “Pulled into meetings with zero context and expected to figure it out all in one go.” Oh, there’s a lot of nodding heads here going on right now, by the way. This hits home, happens all the time. Pulled into a meeting where all other attendees are four meetings ahead of you, and you are expected to render a verdict or pull the top risks out of your butt – I’m using a politer term here – after having heard a 30-second speed read of the project.
So, InfoSec, any concerns? Another Redditor – oh, by the way, I’m going to toss to you first on that one, Patty – but let me read this other Redditor. “I’m a small organization of less than 300. Seventy percent of my days are in meetings – seriously, I had eight meetings the other day – and the other 30% is focusing on our own security posture and roadmap projects.
Seems like we all beg for the day to get out of user support, only to replace users with constant meetings about everything.” So, this is very focused on the world of meetings, and either you’re getting pulled at the last minute, or you’re going to have all the answers with so little sort of prep time.
How does that happen to you, Patty?
[Patty Ryan] People attempt to, but honestly, I’m very good about pushing back. You pull me in a meeting and want an instantaneous answer, it’s not going to happen. And I will protect my team with that also.
[David Spark] Walk me through, and especially because you’re a CISO, like how someone not a CISO could pull this off?
[Patty Ryan] Well, they actually will use… I’ve established a reputation of being very protective of my team, so they’ll escalate to me. I don’t have the time to make X decision because Y information is not available, and there’s Z risk that I’m concerned about. They’ll pull me into the conversation if they are being I’ll say forced because I won’t let that happen.
You cannot have these 30-second discussions and expect the level of quality of a new architecture design or a risk assessment done because 9 times out of 10, those people who are in those four meetings don’t understand the topics about security, don’t understand what’s happening with the vendor, the software, etc.
And so you’re dealing with not the facts that you need to deal with in those 30 seconds to make a decision. So, I always push back very strongly on that always.
[David Spark] All right. Good leader supporting her staff. I bet you do the same, Shawn. But I’m sure you and your staff have dealt with these issues that these Redditors complain about.
[Shawn Bowen] Absolutely. And I think this problem is everywhere and it’s not just in security. A lot of people forward emails and go, “What’s your take?” The right professional thing to do is to summarize the 30 replies for that new person that you’re asking to get caught up on. But in this particular case I think just last week, I was having our bi-weekly security guild where everyone can join, and we just talk about whatever security things are going on.
And I gave them, I said, “Year to date, we’ve had some significant improvements. I consider this one of the best years in security at our organization.” And someone asked me, “What’s your favorite improvement that we’ve made?” And I said, “Honestly, my favorite improvement is people are asking is security aware of this or is security involved earlier in the decision process.” Because as soon as you think it up, you should start consulting security folks in there.
I think there’s some other calculation. I think IBM did a study in 2012 or 13 about change. And they basically said, if it costs $1 to implement this at the beginning of the ideation phase, it will cost $10 to change it midway through development, and it’ll cost $100 to change it after you’ve deployed it.
And that’s the same concept with security, if you’re waiting for it to be deployed and ask us a question, well, it’s going to cost us $100 in retro work for security.
But I think one of the concerns that we have, or to address both of these comments, and I see this here, I saw this here earlier when I first got here, a lot of outsiders think security is security. And they just go, “Oh, well, you’re a security person, you should just be able to join my meeting.” And they don’t recognize that there’s several different disciplines of security, almost a mirror of what the CIO organization offers.
If we have software development, then we need to have a software security understanding. If we have Macs, we need secure Macs. That same concept of security [Inaudible 00:12:31] are there. And so, if I went to any software developer and said, “Well, you’re a software developer, can you fix this?” and they go “I don’t write in that language, I don’t do this, I don’t do that.” And that’s the same concept with security.
And so a lot of people, when you get thrown into meetings where the other problem is I’m person to do it. Now we look like we’re not playing nicely. Like, no, I’m the policy person. I don’t know anything about that technology, whatever it is.
And maybe that’s an extreme. But we have different disciplines, and that’s not understood by the outside. It’s just security is security. And some of that’s our fault. We feel like, “Oh, we’re security, we don’t want to read you into our secret sauce and what all of our secret meetings are.” So, again, that’s about educating our peers in the CIO and our peers in the business about the functions of security in the different disciplines and how they benefit different stages of the business.
Sponsor – GitGuardian
13:26.427
[David Spark] Before we go any further, I do want to mention our spectacular sponsor, and that is GitGuardian, a longtime sponsor of the CISO Series. Love having them back on board. Let me ask you, audience listeners of the CISO Series, how confident are you that your company credentials haven’t leaked?
Malicious actors are using leaked secrets for lateral movement. We know this, it happens all the time. Just research the Verizon breach report, we see it all the time.
So, GitGuardian’s mission is to help security teams stop that, stop the leaked secrets. GitGuardian is the code security platform for the DevOps generation that facilitates a secure software development lifecycle for dev, sec, and ops teams. In the event there is a hard-coded credential, the GitGuardian platform promptly alerts security teams and helps fix the issue by directly involving the developer, and they improve your mean time to remediate and keep your secrets a secret.
For companies with multi-cloud and multi-VCS environments, GitGuardian is key to building software securely. Add a layer of protection by securing your infrastructure as code (IaC) files, power innovative features like honey tokens to prioritize incident remediation, and focus your efforts where they’re most needed.
To find out more about this, just go to their website, that’s gitguardian.com, and start scanning all your repositories, Jira and Slack, during a 14-day trial. You’ll discover where the hard-coded credentials are in your organization. Or use the community edition for your open source and personal projects completely free of charge.
But to get going on everything in your environment, you got to start the trial. Go to gitguardian.com and start today.
What aspects haven’t been considered?
15:19.424
[David Spark] One Redditor said, “The best place to work for cyber, in my opinion, is one that has potential for steady but not rapid growth, has a solid ticketing/workflow process and a mature, established IT shop. But you’re not going to properly understand IT staff capabilities in an interview. It’s been a crapshoot for me, honestly.” Another Redditor said, “I worked in this industry for about two years, just lost my job, and I’m going to transition into something else because of all these reasons.
I don’t even care if I take a 40% pay cut. It’s awful, but I have become completely disillusioned with cyber and IT in general. I hate the industry with a passion of a thousand burning hot suns, will never go back to it, and now I understand why people get burned out. It’s impossible to recruit for it.
The industry is a flaming garbage bin.” All right, I’m going to start [Laughter] with the last one here, Shawn. We’ve been mostly offering solutions to this, but I want to know how does someone like this last person get to this point where they hate it like a thousand burning hot suns? That’s a lot of deep hate.
I’ll start with you, Shawn.
[Shawn Bowen] Yeah, well, I think the first thing that needs to happen, and unfortunately, I don’t think this is a skill you get until several years in, but you have yourself a risk appetite that you are comfortable working in. And the business that you’re working for, the organization you’re working for, has a risk tolerance that they are willing to accept.
And if you are not near each other, you’re going to talk past each other, you’re going to be in a very stressful environment. I’ve bounced around. I’ve worked in the intelligence agencies, so I’ve had a very, very low risk tolerance. We did not accept very much risk in a lot of things. I did cyber operations in the Air Force where we did offensive and defensive cyber and in warfare.
And then I’ve worked in Restaurant Brands International, which is a franchise space, Burger King and Popeyes, very different risk postures. And today I’m at World Kinect where we fuel 500-plus-thousand customers over 200 countries and territories around the world of various sources. So, I have several different risk postures throughout that.
And you have to tailor your decision making and your comfort based off of those environments.
And so I was very comfortable accepting more risk in an organization like Restaurant Brands International, where I was not accepting of that risk where we’re delivering fuel to government organizations in my current company. And that’s also not the same as what I did in the intelligence agencies. And so being able to flex based off of that risk is something that you learn over time.
We don’t inherently teach our folks that. We teach them Security 101. Everything’s got to be secure. Is it binary? Is it secure or not secure? And then sometime later on, somewhere around the director level, we start to expect you to have a risk management understanding of how do you manage risk throughout.
And so we don’t teach that early on, that sometimes you have to be willing to accept risk. We teach them it’s got to be secure. And then they go into a meeting with the IT team, and the IT team says, “We don’t really care about that,” and you need to now understand that that’s acceptable.
[David Spark] Do you think this is a situation, person just did not get risk? Just quick answer, then I want to throw to Patty.
[Shawn Bowen] I don’t know if they didn’t get risk, they were taught security as what… It needs to be secure. And that might not have been the organization’s appetite.
[David Spark] All right, Patty, I’m sorry, go ahead.
[Patty Ryan] Part of this, I’m thinking about the organization as a whole and what they think about security. Again, if you’re looking for perfectionists that are going to be able to fix everything instantaneously with very little leadership, that’s what it sounds like for some of these jobs, in some of these environments.
The thousand burning hot suns comment takes me back to times when I had environments where they didn’t understand what I did, and so they didn’t understand that the expectations were incredibly unreasonable. And I had to spend the time teaching them my job, teaching them my role.
[David Spark] That’s aggravating.
[Patty Ryan] And that is the only way you can start getting to a level playing field that they understand what security is supposed to be, what you are supposed to be as a CISO, or your teams are supposed to be.
[David Spark] Let me ask a question about that regarding the having to teach your role. Were they accepting of like, “Oh, now I get what you did,” or were they dismissive?
[Patty Ryan] It takes time. I’ve done this about four or five different times, and it’s varied. Some after years never got it. Some my current firm has actually accepted it and is very partnering. It’s something that it’s the team is respected, and they are not actually looked to do the impossible.
But every organization is different. What I’m finding now more, I think because of the importance of cyber across all government agencies, regulations, any global commerce, CEOs and others are being forced to figure out what cyber means. So, this is probably the best time to be able to start teaching executives what the function is across all the different domains and what they need to care about because legally, they’re going to have to be involved.
[Shawn Bowen] And I’ve said 99% of my job as a CISO is to educate people on cybersecurity. The other 100% of my job is doing cybersecurity work. But I think the more educated we are, the more understand [Inaudible 00:21:08]. It’s just like with anything. As HR has new things, we start… How many people knew what EQ was 8 years ago, 10 years ago?
Very few people. But as we learn to be better people leaders, we had to learn about EQ. And as we want to move up, we need to learn about finance. And so it’s going to become a standard tool in the executive tool bag, but today, it’s not everywhere. And that’s our job is to educate and we’re going to get there.
I agree with Patty, we’re on the cusp of an evolution in the cybersecurity understanding with the rest of the business.
Whose issue is this?
21:42.306
[David Spark] Another Redditor said, “My takeaway is that IT with its cyberspace became highly artificial and requires a lot of balancing out. Meaning work on your work/life balance, get grounded through other experiences in life, just to make sure that it’s A, just work. But B, you’re here for a reason to bring value.
And a lot of times, dogmatic vendor fans and political games are the primary focus rather than fixing the problem. Most big enterprises who are above 50,000 employees have big portions of people who are there to work but not make a difference. If you see value, communicate your plan and stick to it.” I like that very last quote line.
If you see value, communicate your plan and stick to it. And I think if you had that philosophy, maybe that alone could save us from burnout. Yes?
[Patty Ryan] I think so. But also, I think part of burnout is realizing, again, you are a role, this is a function. The sun will set, the sun will rise, no matter what happens in cyber for your company. As a CISO, you have some responsibility to educate, to inform, to ensure everyone is aware of risks, aware of threats, aware of impact.
At the end of the day, it’s not my risk to accept.
[David Spark] Right.
[Patty Ryan] And that’s, I think, where people feel like the CISO is supposed to accept and fix everything, and you can’t.
[David Spark] And not just the CISO. I think everyone in security.
[Patty Ryan] Everyone, yep. And so part of it for me, I go to the gym during the day. I will tell my team, “I am leaving to go work out. I have an hour free. I need to go for a run, or I need to go do something.” And as part of that example to say, “And you can do that too because this will still be here when you get back.
There’s no penalty for self-care.” And it makes it much easier to be able to deal with situations that could be very explosive if you have that balance. But you have to treat yourself with that first, and then you can start looking at others.
[David Spark] Shawn, have you dealt with employees literally on the edge, and have you pulled them back from the edge?
[Shawn Bowen] Yeah, maybe not so much on the edge of they’re going to quit or that they need the self-care attention thing. I think I’m big on that. It’s well publicized on the show. My escape is skydiving. I manage risk with my life too.
[Crosstalk 00:24:14]
[Laughter]
[Shawn Bowen] …compressed from…
[David Spark] Remind me, how many jumps have you done? You’ve done a lot.
[Shawn Bowen] I think this year I’ve only done 80-something, but I’ve taken this month off just because we moved. So, I’ll get caught back up. Self-care is a very important thing. I also think that the “on the edge” comment. We’re passionate about it, and we feel like this is the right answer. And you didn’t mean it this way, but I want to add to your statement so people remember this.
It’s not my risk to accept. It’s our risk to accept as a business, like we’re partners. And a lot of security people do take the, “Well, this is not my risk,” statement very literal. And they say, “Well, this is your risk. You just figure it out.” And they think that they have a solution to help them.
We need to be partners with our IT brethren as well as our business, and we discuss this as a whole and be accepting of that answer. When you work on that together, I think that’s where a lot of the stress comes out is where someone goes, “This is the right answer that you need to secure this workstation, or you need to do this thing.” And when it doesn’t happen, they take it either as a personal insult or that person just doesn’t know what they’re doing, and it affects them negatively where it should be like, “Well, let’s talk.
Let’s come to a decision record,” and be okay with that decision record. Whether you agree with it or not, you’ve now shared that burden. You haven’t gotten out of the work. You’ve done your part. You’ve educated them. And you’ve been part of that decision tree. You’ve educated them to make an educated risk decision.
And that’s where we’re at. There’s a lot of things I don’t like that I would much rather this be number one and that be number two. But I recognize the workload and where the maturity of the team is that number two is more likely to be successful, so let’s work on number two first. It’s not what I would work on.
But we as a team, a leadership team, my boss Josh is phenomenal at making us collaborative, and we together own the responsibility and the decision we make. And sometimes it’s not exactly what I want, but my option wasn’t exactly what they wanted. And so that’s where we are a team together managing our risk.
[David Spark] Well, that is a good point…
[Patty Ryan] That’s really good.
[David Spark] …to end our discussion right here.
Closing
26:23.936
[David Spark] So, we come to the point of the show where we’re asking you which quote is your favorite and why? And often when we say which quote is your favorite, it’s because it made a good point, but because a lot of people are expressing frustration here, it could be just people expressing frustration. Which quote was your favorite, Patty?
[Patty Ryan] It has to be the quote of the passion of a thousand burning hot suns because that visual is just amazing, and the intensity of that pain, frustration, fear, whatever. I just think that’s one of the best ways I’ve ever heard something like this, like job frustration be presented.
[David Spark] And by the way, if you heard an employee say that, you’re like, “Okay, stop. We got to find what’s going on.”
[Patty Ryan] “Let’s go get coffee.”
[David Spark] [Laughter]
[Patty Ryan] Or “Why don’t you just go home? Just go home.”
[David Spark] That is something to take a break. All right. Your favorite quote, Shawn.
[Shawn Bowen] Well, that quote pains me the most because I am passionate about this organization. I want to help them. I want to help them see the light. But I think the one that resonates with me that stands out was the 70% of my days are meetings. I think that we’ve all felt that, and there’s absolutely been days.
My wife kind of teases me. She goes, “All you do is talk for a living.” Well, yeah, I’m in meetings, but there’s things coming out of this. And I think that when you spend a whole day in meetings, there are definitely days where you come out invigorated and inspired because we had some really good productive meetings and some super good strategy sessions.
But there are absolutely days where you go, “What am I doing here? Why did I just spend 70% of my day in those meetings?” And those are frustrating.
[David Spark] I am well aware. All right. Well, that brings us to the end of the show. I do want to mention our spectacular sponsor. That would be GitGuardian, ship secure code, remediate vulnerabilities at scale. Remember, they are the secrets management company. You don’t want those hard-coded secrets out there.
Go to GitGuardian.com. See what is in your environment right now. It may sadly surprise you. Get a 14-day free trial. Just see what’s going on at bare minimum. Shawn, as always, I want to thank you. You have been, as you know, a spectacular guest on the CISO Series. We greatly appreciate having you on.
And Patty, who is the senior director and CISO over at QuidelOrtho, we’re thrilled to have you on and to have you in studio with us. I’ve only had this a handful of times.
[Patty Ryan] It’s worked out fantastically.
[David Spark] Yes. She had meetings here in San Diego. QuidelOrtho – is their home office here or…?
[Patty Ryan] Yeah. The global headquarters is in San Diego.
[David Spark] And it’s not just the only biotech company. I was telling Patty earlier that there’s a San Diego Entrepreneurs Group that I went to one of the meetings, only to find out it’s not an entrepreneurs group. It’s people who work in biotech group. They just happened to label it the Entrepreneurs Group.
So, if you do something else other than biotech, you’re not welcome to the San Diego Entrepreneurs Group. Hey, thank you to our audience. We greatly appreciate your contributions as always. And also for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.