back to article Feeling highly stressed about your job? You must be a CISO

Almost all cybersecurity professionals are stressed, and nearly half (46 percent) have considered leaving the industry altogether, according to a DeepInstinct survey. For its annual Voice of SecOps Report, the endpoint security biz commissioned a poll of 1,000 senior-level security professionals in the US, UK, Germany and …

  1. Anonymous Coward
    Anonymous Coward

    They're probably stressed because they aren't the right people for the job.

    Quite a few people I've come across in a senior cybersecurity position have never held a technical post prior. When times are dandy, these guys have very little to worry about, but when the shit hits the fan, they haven't a clue what to do.

    Furthermore, since they never had a technical role, they don't know how to hire their underlings and so end up with a shitty team around them.

    1. Anonymous Coward
      Anonymous Coward

      So true

      Have to agree, the job title seems to attract a certain type, best described as 'Charismatic Figureheads', who make a lot of noise but with little substance, relying on the people around them to carry them as best they can.

      The last CISO I worked under had two major goals:

      * Be a speaker at as many conferences as possible.

      * Put all dev and support staff on a few day's Agile training with the expectation that by the end of the course the business would be 'Agile'

      The subsequent use of Agile elements (User stories, Epics, Sprint planning, Program Increments, Retrospectives etc.) was a complete clusterfuck.

    2. NoneSuch Silver badge
      Coffee/keyboard

      Or, and here's a counter-opinion...

      "They're probably stressed because they aren't the right people for the job." - AC

      The team is burned out because of continual patching of security products (firewalls, VPN, switches, routers, DC's, web sites, SQL, wifi access points, etc.) across five countries and four datacenters for years while also dealing with a pandemic. By the time they get everything up to date, a new round of "Critical" patches is waiting. We've received notifications of critical patches mid-way through applying critical patches FFS. They can't patch during the day because people are working so that leaves evenings and weekends. Lots and lots of late weekends and evenings.

      Then there are the users. The mouth breathers who click on every link offered in the dodgiest looking of emails needing a security intervention of their account and review of the impact of their actions when they blindly accept the 2FA request that follows. Then chasing the motherclicker to change passwords only to be told "can we do it later, I'm really busy?" Sorry if our actions trying to prevent hefty GDPR fines for leaked PII is inconvenient to you Mr. VP, sir.

      Microsoft, Cisco, Adobe (Have you seen the amount of patches these weenies put out in any 30 day period?), et al. are the largest cause of the issue releasing under tested code that borks systems and protections resulting in more patches. The proverbial house of cards. Then there is the day-to-day break and fix things that pop up.

      The average IT team fights that battle daily to keep a largely unappreciative staff in the position where they can continue do their jobs. Now, I do admit, unlike you AC we are not perfect. You work from 9-5 M-F exclusively, patching your three or four Mac Book Airs from the graphics department then go home for a day of massages and spa treatment. Good on you for perfecting the lifestyle.

      1. Anonymous Coward
        Anonymous Coward

        Re: Or, and here's a counter-opinion...

        Yeah all of that is typical no matter the size of the business you're supporting.

        I used to look after an auction house that had offices and galleries in 8 or 9 countries at a given time with around 1,000 staff members who would constantly be moving around across the world between sites. The infrastructure for them was crazy complicated and on top of the fixed infrastructure we had to be able to deploy a new temporary auction house with 48 hours notice including cabling, broadband installations etc.

        The IT team was 3 people. One in the US, me in Europe and another chap in Asia. We were a great team and we never had to work insane hours because we kept things under control. We used the timezone differences to our advantage. I.e. any critical updates etc that needed to be done could be done out of hours by another chap in a different time zone.

        Occasionally we'd have to work 3 or 4 days straight (literally, no sleep, or quick naps on the server room couch) if there was a major auction on, but we'd get the following week off no questions asked. We'd also get paid handsomely for the additional time and effort required. For an auction we'd get an extra £2,000 a day because it was understood that putting in the effort to support an auction round the clock was insanely difficult and potentially damaging to our health.

        90% of the time it was less than 9 to 5 (because we had timezone overlaps), and usually only 4 days a week. Our team was left to be pretty much autonomous and we'd cover for each other to reduce our time commitments (we were acutely aware of the possibility of burn out), which the business was perfectly happy with as long as we kept things running smoothly and we waded in full tilt if there was a situation that required it...which would happen from time to time...dodgy updates, failed hardware etc.

        Basically, we made sure that when we were required for some sort of emergency or major problem we were as fresh as possible...that's half hour job as a techie...if you're constantly burning the candle at both ends just doing regular maintenance, you're going to be pretty worthless during a serious issue and the recovery time for the business is going to suffer.

        As a techie you're not paid to be busy, you're paid to be available when the shit hits the fan to ensure the time to recovery is as low as possible. You're not a factory worker, you're a trained specialist. Your value is in your expertise and ability to respond not your time commitment. If you believe your salary is specifically calculated based on the hours you put in, you should stacking shelves not working in tech.

        Put it this way, how can the business expect you to dash into the office at 2am if there is an emergency if they grind you into the ground for 10 hours a day? If I had to work a shift that long, would I get up at 2am? Hell fucking no.

        Would I do it if I was permitted to set my own hours and do everything in my power to reduce my time commitment? Hell yes.

        Would I cover for a techie colleague that needs a day off to ensure my team is always fresh? Damn right I would.

        If you're finding yourself working daft shifts you need to be speaking to your manager and explain how your time commitment might effect your ability to respond in an emergency. If you're overworking and burnt out you have no obligation to run to the office if the shit is hitting the fan. They can't fire you if you've been doing unpaid overtime and you refuse to respond. That's grounds for constructive dismissal.

        Moreover, if your entire team is overworked with no slack, you need to re-assess your processes and work with your team to organise a less crazy setup. If you're all working the same shift at the same time for the same hours, you're all idiots. Spread yourselves out, overlap your shifts. If you aren't all actively working towards reducing your time commitments by supporting each other your team is toxic AF or you have a dickhead managing you that doesn't know what they're doing.

        If you're having to manually review every update before you manually update every endpoint you're wasting time. Updates are 99% of the time not a technical task. What we used to do was appoint someone in a given department to update themselves first before telling everyone else to update. That way we weren't wasting time on proxy desktop updates.

        For example, we had a design department responsible for the auction catalogues. Adobe heavy. The team leader would run updates on his machine first, if there were problems, we'd be informed and we would respond. If there were no issues, he'd instruct his team to run the updates.

        Periodically, we'd check in on random teams at random times to ensure updates had been run etc.

        Security updates and critical updates were always applied automatically via our central update servers. I can't remember the platform we used, it was 12 years ago now...but it would look after Windows Updates and various other product updates.

        We always kept updated and pre-built images for various departments machines to allow us to swap a disk out if there was a major issue to get them back up and running straight away without having to hang around their desks etc.

        We'd take the disk with the broken install away and re-image it, check the SMART status and add it back to the pool...in some instances we'd replace the entire device if we could.

        As for switches, routers etc...as mentioned earlier, down out of hours by someone in a different timezone. For the configs we had crib sheets that you could tweak in excel that would spit out the configs should something go wrong. In the rare event that something went horrendously wrong or the remote person got locked out etc we'd just nip into the office. No big deal if you're not overworked....then just get into work the next day an hour or two late if it was a late night or early morning call out after dropping the third guy a note to let him know that calls might be diverted to him for an hour.

        It's probably worth noting that we didn't have a manager or team leader etc etc all three of us reported directly to the CEO or COO. There was no CTO, CISO etc etc. it just wasn't necessary.

        We also did away with the ticketing system as we worked out that benefits of the time saving outweighed the benefits of a historical log of issues...instead we kept a wiki that we'd add any processes to that we felt were worth knowing about for future issues. We also built a custom platform to allow us to keep tabs on each others whereabouts...basically, we could check the system to see which building we were in and with which member of staff etc and how long we were there for and whether we were remote or off work etc.

        To reduce the desktop support burden we'd do user training on a semi-regular basis (twice a month roughly) which we would also use to gather feedback on matters relating to desktop requirements, what's working, what isn't etc. The staff actually liked this and would usually take advantage of the hour or so alloted to discuss any major issues which would then become a focus if necessary.

        Basically, as a team our primary focus was the infrastructure and keeping that going (stability, security and so on), secondary was ensuring that we constantly reviewed our processes to keep them as streamlined as possible, tertiary was desktop support. We found that if we kept the users up to date with training, we'd reduce the desktop support burden significantly.

        There's an enormous amount can be done to streamline tech work, but a lot of tech departments are too rigid or set in their ways to change, you can usually pin point one or two team members that work hard to keep the status quo. Usually they are senior.

        1. Version 1.0 Silver badge
          WTF?

          Re: Or, and here's a counter-opinion...

          AC, that would have been a good extension to the article in El Reg.

          1. Anonymous Coward
            Anonymous Coward

            Re: Or, and here's a counter-opinion...

            Thanks!

        2. Anonymous Coward
          Anonymous Coward

          Re: Or, and here's a counter-opinion...

          And meanwhile, in the world of micromanagers, AC and his people would have those managers tearing their hair out at the thought of a global team working together as techies and keeping them out of the loop.

          I can testify that giving people the responsibility (and the backup support) to manage their own work and therefore, their work-life balance works.

          I have spent the last 20 years primarily working from home. One day a week in the office became a chore until COVID hit. Now? We meet one day a month at an office that is rented for the day. Our old office has been downsized to around 20% of its former size. The company is still growing in terms of headcount and profitability and AFAIK, our service levels are better than pre-COVID.

          My main customer is in the Middle East so I tend to work hours that match their workday. I'm done by 3pm. While it won't work for everyone, it works for me and in the summer, gives me quality time in my garden to relax at the end of the day.

        3. ecofeco Silver badge

          Re: Or, and here's a counter-opinion...

          Great overview of how things should be and should also be required SOP, but you nailed the problem in the last sentence.

      2. Anonymous Coward
        Anonymous Coward

        Re: Or, and here's a counter-opinion...

        "Now, I do admit, unlike you AC we are not perfect. You work from 9-5 M-F exclusively, patching your three or four Mac Book Airs from the graphics department then go home for a day of massages and spa treatment. Good on you for perfecting the lifestyle."

        I don't work 9-5 M-F, never have. In my earlier days, I'd work longer shifts on fewer days...these days I work shorter "shifts" spread throughout the week...because I only work when I'm required to. I don't sit at a desk for the sake of it, waiting for phone calls / emails. Scheduled maintenance is on fixed days, unless there is something urgent pushed out by a vendor. In which case, I act.

        I have clients that understand how infrastructure management works and respect me as a professional. If systems have to go offline for updates etc to happen, that's on them not me. If they can't handle a rolling outage during a work day due to time pressures, then they have to pay me for my time during unsociable hours...I am under no obligation to donate my spare time to them because "it must be done". I am paid to be available, not to be sat at a desk. I don't take the piss by having tons of clients either, I make sure that I keep my time as free as possible to ensure I can react when needed. If a client comes along with a better offer than an existing client, I might replace a client...but I always make sure that I keep demand well within supply. I'm better off, my clients are better off...everybody wins.

        In terms of overage, It's up to the bean counters to decide whether it is financially viable to wait for out of hours or take the hit on a working day...it's not up to me to rescue the business financially, it's up to me to make sure the tech works. If a client is paying me...say...£2,000 a month...the expectation is that I am at the end of a phone as and when I'm needed...that £2,000 doesn't cover a specific number of hours...what it does cover is when I can be called upon...anything beyond 6pm or before 5am or on weekends and bank holidays, I charge extra at my discretion...if a client has been particularly quiet for a while, I might throw them a bone to be fair.

        If a business doesn't understand that, it's up to me to point that out...and herein lies the problem...there's a large chasm between what a techie is actually worth and what they're told they're worth...which for some reason prevents a typical techie standing up for themselves and speaking out...there is no such thing as "market rates" in our industry...because the value you bring to a business can vary wildly depending on the type of business they are and the impact you have. For example, to a firm of accountants that are largely cloud based and have a relatively simple setup, you're not worth much because at worst, they might lose an hour or two due to a dodgy update or something or a network switch blowing up. They have two hard deadlines a year.

        However, for a manufacturing company, you might be responsible for the network between all their machinery...a two hour outage for them might cost millions of pounds.

        In the former example, the accountants might just call the outage an extended lunch...therefore you have had relatively little financial impact on their operation...however, in the latter example, there are deeper financial consequences, despite the work being largely similar. You are worth a lot more to the manufacturers than the accountants because the impact on you not doing your job properly is vastly different.

        Keeping on top of the infrastructure at somewhere that loses millions per hour vs somewhere that loses thousands an hour changes your value significantly...and that should reflect in the way you are paid and treated. Is it stressful replacing a switch at an accountancy firm? No...a 1-2 hour outage for accountants is barely a blip...is it stressful replacing that same switch at say...an airline? Hell yeah. Flights might get cancelled, bookings might not go through, payments might stop authorising, check in might stop working...all manner of bad shit can happen. The difference is, if you work out of ours for the airline, you're potentially saving them millions in potential damage, if you work out of hours for an accountant, you're just providing them with convenience.

        It doesn't matter that the work is trivial, the impact might not be and therefore the value of the work is not the same and the situation is not equal.

        Even if I am supporting just 4 MacBook Air's in a "graphics department"...that graphics department might be in a radiology department of a cancer treatment facility. You might be looking after a gigantic kubernetes cluster in a datacentre hosting thousands of websites...but you might be working for a cheap hosting service that attracts hairdressers, dog walking services etc to your 99p a month hosting deal.

        My scenario has lives at stake, your scenario, relatively, has nothing at stake.

        The size and complexity of the infrastructure you maintain has very little to do with your value as an engineer. When you next go hunting for a job, and you're reading the job spec and you think "yeah that's for me", just take a minute to understand what that business does and how that might impact your value. Also think about how they are structured, you can usually ask this in the job interview...because then you will understand how you will be treated professionally and what their actual expectations will be.

      3. Anonymous Coward
        Anonymous Coward

        Re: Or, and here's a counter-opinion...

        you're still patching when you need to patch again... that is crazy

        1. ecofeco Silver badge

          Re: Or, and here's a counter-opinion...

          That is IT life. Shit, untested, un-documented vendor products have been SOP for decades now.

    3. ecofeco Silver badge

      So true.

      Even worse, they won't let people who DO know how do the job, actually do their job.

    4. patashnik

      It's oddly reassuring...

      ...to read this and other comments as someone who's gone back to school to (finally) get certified in the field. At undergrad level at least, the 'career in cybersec' hype is still very much alive... in sharp contrast to the humanities, for instance, as I certainly wasn't regularly reminded of all the opportunities awaiting me back when I studied for a BA in English!

      I was already sceptical of that culture, perhaps better described as a meme, of this high-paying cybersec/networking industry with more openings than new graduates can fill, here, there and everywhere. It reached a point that what attracted me, as with many students, in the first place - cybersec, digital forensics, all those buzzwords - has become something I'm not particularly excited about the prospective of. Not after being honest to myself, anyway, about what I imagine it'd be like in practice to facilitate incident recovery or pulling irregular hours in general.

      I've no doubt there are still ample opportunities, (relatively) meaningful work and a good living to be made, as the universities are thrilled to remind us. A job's still a job, though, so no denying the reality of turning up each day (even if only to your study wearing pajamas). A good old-fashioned network technician or sysop specialising in Linux is therefore more appealing to me as someone who seems to be growing older and more cynical faster than he can gain qualifications.

      As another user remarked about the wave of faux techies entering the industry in the '90s only to find after some years that it wasn't really for them (imagine that!), I'm reminded of my rather diverse class. It's great seeing all ages, genders and backgrounds having the interest and ability to enter STEM, sure, but I can't help but notice how few are deeply passionate for tech (yup, IT classes with barely any nerds). Be that as it may - my less tech-inclined peers and the institution of further education can keep their cybersec hype and associated ideas about this IT rockstar career if it means leaving me to Linux servers and more regular hours!

  2. elsergiovolador Silver badge

    Legal?

    "We are too reliant on the hero mentality – we have some people who are working 16- to 18-hour days at times,"

    Often in employment contracts overtime is unpaid. Now if someone is doing 18-hour a day regularly, it may turn out that they actual hourly wage is below the legal minimum. Always log your hours, so that you can make a claim.

    Now, if you do work without getting paid, you are not a hero - you are a mug!

    1. Anonymous Coward
      Anonymous Coward

      Re: Legal?

      This. I have no respect for people that burn themselves out working long shifts for nothing.

      Someone working 16-18 hours a day even with paid overtime is no hero to me...they definitely aren't a hero to their kids and families...if they somehow manage to have them.

      Even worse are people that don't take holiday time or use their sick days up. I fucking hate people that turn up to work and sit at their desk snotty, sneezing, coughing and downing lemsip...just go home you fucking idiots.

      Coming to work sick is not dedication, it's moronic. Even if you're not ill, if you have sick days left, use them to "recharge", you're entitled to it...book a massage, go for a hike somewhere...whatever, if it's for your own wellbeing and sanity, it's a legitmate "sick day". Just tell your employer you're burned out or whatever and you're taking a day or two of sick leave...if your employer refuses, you've outed them as being bastards...they don't care about you...quit and go elsewhere. If you can't go elsewhere, take the days anyway...they can't fire you / punish you for it, you're legally entitled to it. You don't need permission, at worst you just need to give them fair warning.

      1. elsergiovolador Silver badge

        Re: Legal?

        turn up to work and sit at their desk snotty, sneezing, coughing and downing lemsip...just go home

        Ah this. So many times I had to change my plans (and incur financial loses) because some moron came to work ill. There is no way I don't catch it.

        Thank cod for WFH, now I don't have to deal with these people anymore.

      2. sanmigueelbeer

        Re: Legal?

        This. I have no respect for people that burn themselves out working long shifts for nothing.

        One of my junior jobs was exactly this. I was "required" to work long hours. If anyone has a change, it was given to us "noobs" to implement and the senior tech/engineers were at home. Never did I have to call them because it was also our "requirement" to troubleshoot if things go wrong.

        It has its ups-and-downs.

        The bad part was management (local and the mothership) did not really care with our welfare. For them, we were a "disposable item". This practice was not just tolerated but very much encouraged.

        Back in 2007, I was coughing (not so bad) so I called my supervisor to say that I could not come in because of my condition. He told me, "If you are good enough to call, you are good enough to come in." No choice. I have to come in or go and find another job, he said.

        So in I went. The next day, the coughing because so bad that another supervisor from another team went stormed into our manager's office and demanded that I be sent home on sick-leave. Why? Because two of his team members have started coughing. (My supervisor, who still insist I continue to stay, got overruled.) By the time I came back from sick leave, half of the floor were out sick.

        From that time forward, whenever someone exhibit any sign of cough or cold, they were told to stay away from the office.

        And this was how that multi-billion-dollar company treated us.

        1. ecofeco Silver badge

          Re: Legal?

          I quit cold jobs like that.

          Don't care if I live or die? Fuck right off and goodbye. No matter what my bank account said. It's hard to find another if you are dead or disabled. It also tells me they will NEVER appreciate any work I do.

  3. Anonymous Coward
    Facepalm

    To Clarify this Article

    "nearly half (46 percent) have considered leaving the industry altogether"

    This was a different survey and it was 46% of us peons, not of C-suite execs. I doubt that many of them are willing to leave.

    "46 percent of those professionals claimed their stress levels had risen over the past 12 months"

    Ya think? I can only assume the other 54% are completely insulated from the real world.

    "When given a list of 12 potential causes"

    Looking at the causes that were offered, a glaring omission is "budget and revenue targets" which is what C-suite types know will get them the boot.

    All in all, this falls between meh and duh.

    1. Anonymous Coward
      Anonymous Coward

      Re: To Clarify this Article

      I dunno...I am freelance and work with a lot of C-Suite people...specifically CTOs and the like...they tend to care more about not looking like idiots than the numbers.

      You'd be surprised how many CTOs are willing to pay consultants to shadow them and make them look good.

      I have two at the moment, I never set foot in the businesses and I have no involvement at all other than advising them.

      Good CEOs are rare but some of the CEOs I've worked with have been solid and willing to listen to reason without being overly concerned about the numbers. I've worked with a couple of CEOs that have had crazy focus on making their staff jobs easier to reduce presenteeism. C-Suite exacs fucking hate it when people overstay at work. It costs a lot of money to keep the building going past normal working hours...especially now with energy prices skyrocketing.

  4. Plest Silver badge
    Pint

    And we're back to the 1990s

    Around 1990 tons of people who'd shown no interest in tech or computers suddenly decided there was really good money working in tech and computers. When I was as school in the late 1980s there was a small nerd clique of about 5 of us, no one else was interested in computers. I checked back in to Freinds Reunites around 1997 and about half the kids I knew at school who were absolute morons were working in computing.

    Thing was, most dropped out after about 10 years when they realised how you had to love tech in order to keep up with the constant changes, if you don't love tech and computing as many of us have since we were young kids, then you will find it a really hard work.

    I seem to recall around 2012 that cybersecuirty ( dear God I hate that word! ) was the latest, hottest computing "sub-genre" to work in, it was cutting edge, it was paying crazy money. And here we are in 2022 and the promised land of the perfect hi tech job that paid easy money for simply reading CV notes and installing a copy of McAfee, actually turns out to be just like evry other tech job, bloody hard work that requires you to like tech and be able to keep up and stay on the edge of what's going on, just like all other tech jobs.

    1. Version 1.0 Silver badge
      Facepalm

      Re: And we're back to the 1990s

      The reason so many people jumped into this business in the 90's was that the computing industry started selling the idea that there were lots of new well paid jobs ... they succeeded, kids got "qualified" and everyone was told that the computing industry had plenty of workers so companies could start upgrading and jumping into the new networked environment, expanding the internet everywhere by buying and installing the new systems.

      Employees are just corporate food.

  5. stratcat

    Remote working has increased the attack surface.

    So has the move in recent years to move various things to various cloud services, which in turn has added various other attack surfaces...

    ...as well as a number of other moving parts to tie it all together, which require extra time and expertise to configure and maintain ...and which often present their own attack surfaces.

    The CFO in the meantime wants to know why the time spent on updates and patching isn't making their computer faster. And is questioning the increasing number of $x per user/month services that are on the bills each month, having patted themselves on the back for the reduced capex that came with moving things to the cloud.

    The CFO's 2IC has recently built a hackintosh at home and is now a security expert, thinks all the after hours patching work is fake, and has been deducting regular annual leave hours for IT staff time-in-lieu requests and hoping they don't notice.

    Line Manager X doesn't work in IT, but is very much up to date on various security advisories and uses this to justify their long-standing lack of effort/usage for any given system. Today, perhaps understandably, they will no longer use Confluence despite the fact their inability to either write (or read) documentation in any form (even a word document) has been longstanding.

    The CEO, also very much up to date on various security advisories, uses this to constantly decree that we shouldn't use various vendors. Which at this point means we should theoretically be using pen and paper. Also refuses to use MFA despite their email account being under attack on an almost hourly basis. Is also against most forms of email security after a smoking red-hot email exchange with their partner once triggered the worst possible category of email content alerts.

    So, yep, a bit stressful.

    Our front line staff fortunately navigate any security related potential inconveniences like MFA, computer updates and other measures with ease.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like