Cybersecurity doesn’t have to suck. Let’s fight cynicism and burnout.

“We’re not afraid of the circumstances of what we fear. We’re afraid of who we are in those instances.”
- Dr. Stacy Thayer

Amidst all of the learning and conversations I had in Vegas during Hacker Summer Camp, this quote wormed its way into my brain, bothering me like a scab over a wound, where itchiness is a sign of healing.

This quote came out of a community roundtable session Dr. Thayer held after her talk at Black Hat USA 2022 titled “Trying to Be Everything to Everyone: Let’s Talk About Burnout.” As I listened to other security practitioners speak about their personal experiences with burnout, one thing really stood out to me: intertwining personal identity with our job inevitably leads us to confronting what any bad event says about me, or you, when things go wrong. This is why recovering from and preventing burnout is a deeply personal journey. 

There’s no quick fix, silver bullet, or five step formula. 

There are helpful markers along the journey to benchmark your progression, but more on that later.

What’s burnout?

According to this article in World Psychiatry, “[b]urnout is a psychological syndrome emerging as a prolonged response to chronic interpersonal stressors on the job.”

As Dr. Thayer emphasizes in her talk, burnout is about the interpersonal, meaning it relates to relationships and communication between people.

Occupational burnout is as much about the individual as it is about their surrounding work environment.


How does burnout show up among security professionals?

There are plenty of articles on the Internet describing the effects of burnout. If you’re concerned that you are experiencing burnout, please set up time to talk to a licensed professional, whether through teletherapy or in-person sessions. While I can’t help you diagnose your situation, I can help you learn more about it. At its core, there are three dimensions to experiencing burnout.

Emotional exhaustion - fatigue, feeling depleted, and a total loss of energy


Cynicism - loss of idealism, negative and overly detached attitude toward work, withdrawal


Professional efficacy - reduced productivity, decline of achievement and capability


A research study Dr. Thayer and several other security professionals conducted in 2012 showed that security professionals were more likely to express burnout through cynicism. Why might that be?

Two contributing factors to manifesting burnout through cynicism

Consider these thoughts from ultramarathoner and former Netflix VP of Security Jason Chan:

Jason Chan:
Yeah, I think like burnout. I mean, I would probably see those as slightly separate problems because I think the burnout in security is primarily because we're in a field where we're like constantly, at least you're if you're on the defensive side, you're constantly trying to prevent something bad from happening, so you have relatively fewer chances to celebrate. 'Cause if you think about at least in the engineering and the tech space, if you're, say, a UI engineer or whatever, you know, you have some big project product release and it moves your company's metrics, like we acquired more users. That's a really tangible thing that you can tie your work to. Whereas in security and defense, it's just like, ah, well, I don't think anything happened today. I'm not sure, but we don't know. We haven't seen everything. So it's that kind of like constant dread and there's no there's no release valve for that. So I mean that to me, and I think also like it's hard to generalize across an entire profession, but I would say a lot of the folks I've met in security, they're in it, you know. Yes, it's a job. It's a paycheck. But it's like, they're passionate about it and they care a lot about it. And they put a lot of their personal identity into their job. And then when something bad happens at work, then that kind of spills into like your own self concept and how you think about yourself. So I think it can be pretty damaging. So I think we need to do better. And you know, it's one of these things where it's like, do as I say, not as I do, because that was something I had to learn was to be more vocal about celebrating. I was not great about that.

Watch the full episode of Cyber Therapy with Jason Chan here.


There are two points that Jason touches on: 

The first is the lack of control in the security profession.

There is a clear link between lack of control and burnout. The lack of control in security stems from the modern decentralized way of working and the legacy mentality of security being only security’s job. IT and security can no longer operate as the gatekeepers to technology advancements, nor can they scale as the sole department responsible for the fate of the company’s risk management practices. Cloud resources are spun up and utilized more dynamically than ever. New software is being developed to help every part of the business operate more efficiently. The ways of working are changing all throughout the business, and somehow security teams are still stuck with the perception as the primary responsible team to protect and respond to threats.

The second point is the interwoven nature of personal identity and the job.

It is common for people to blur the line between who they are as an individual and their career. As a litmus test on how tightly you wrap your identity with your career, just ask yourself, “Who am I without this job? How would I describe myself? How does that make me feel?”

Depending on how tightly you mesh your personal identity with your job, a bad day at work can lead to you questioning what that says about who you are as a person and a spiral of negative self-talk. Instead of tackling the separation of personal identity and work, the more common way of coping is to distance yourself mentally and emotionally from the thing that is triggering the ugly spiral - the job.

If you compound these two points with society’s unrealistic expectations of perfection and zero breaches, it’s no wonder cynicism is the most common way burnout is expressed in the security industry.

So where do we go from here? How do we fight cynicism and burnout?


Fighting cynicism and burnout in security beyond “self-care” tips

There are just as many articles on the symptoms of burnout as those outlining “self-care” tips claiming to be the antidote to burnout. While written with good intentions, research has shown that the most effective ways to reduce burnout are self-efficacy and social learning theory. 

As Dr. Thayer puts it, self-efficacy is “the belief in your own ability to learn from a situation and control your behaviors to achieve a desired result.”

Social learning theory considers how people learn through observation, modeling, and imitation.

Basically, the real journey to battling burnout is a deeply personal journey of self-discovery, learning what triggers your stress and equipping yourself with skills to manage your stress. Then you can help reduce burnout by modeling your new skills in the workplace.

But what about the environmental factors that contribute to burnout? What if the work environment is toxic, unsupportive, inflexible, unappreciative, etc.?

Well, friend, those things are out of our immediate control. We can only affect what is within our control, and we are in control of knowing ourselves and how we respond to external factors. While you do the work to fight burnout, it’s important to emphasize that burnout is not your fault.

Here’s some advice from Caroline Wong, Chief Strategy Officer at Cobalt, if you’re burned out and recognize you need a change of environment.

Caroline Wong:
I do have advice and my advice comes from me having lived life experiences where sometimes things get real bad. Sometimes people are mean and sometimes unfair stuff happens. And sometimes people that you love get sick and die. Like sometimes bad stuff happens, and sometimes the first thing you need is just a break. Like, there is a time for, like, big warrior fighting change, and there is a time for rest. And if you are severely burnt out and exhausted, the first thing to do probably is to find some rest. And if it's possible, maybe what you do is you just chill out. And your current job, you try to emotionally detach and you just rest and you just eat nutritious food and you try to sleep if you can and you find out the things that bring you joy and you do those things. And then when you're a little stronger when you've hibernated, then it's time to apply to each and every single job that you could possibly be qualified for. And, you know, one of the cool things about this industry is there's all these like groups of people like join a group and and if you find someone that you like. Become friends with them and text them every day about what's going on in your life. It does not have to be your coworker who doesn't respect or listen to you like there are communities in InfoSec that you can join and that you can tap into and there are wonderful people to connect with and you can leverage that energy and then go and find your next thing where people will appreciate what you bring to the table.

Watch the full episode of Cyber Therapy with Caroline Wong here.


Dr. Thayer shares a nifty taxonomy for us to recognize the progression from survival mode to self-efficacy.


She also shared a variety of advice and tips, as well as resources. For the full deck from her talk at Black Hat, click here


You are your greatest asset, so take what you need from this post to join us on the journey to fighting burnout.

If you’re in survival mode, stop here, take a break, and breathe.

If you’ve progressed to the “understanding” stage of dealing with burnout and are open to discussing what we can do about the “lack of control” in security, let’s continue on. 


Tackling the “lack of control” in security

The dynamic nature of cloud technology and innovation has exacerbated the legacy asset lifecycle processes that IT and security had when assets were more tangible and more labor intensive to deploy. But this hasn’t changed the two basic questions security professionals must answer:

  • What do I have?
  • Where am I most vulnerable?

Manual asset inventories become obsolete as soon as they are complete, so how can security teams regain some control over their everyday operations? The first step will always be improving your own visibility without introducing hurdles to your business counterparts. With such a fragmented technology landscape to run a business, the only way to keep up with the data stream is to integrate and pump the data into an adaptable system of record. With that system of record, you can query it, graph relationships between assets and vulnerabilities, and visualize things like the blast radius of compromise or dependencies.

Guess what? I work at JupiterOne, and that’s what we do.

One of the reasons I love working at JupiterOne is because of what we aspire to be:

We shine a light and provide complete asset visibility in the cyber security universe. We empower our customers to create order from chaos and embrace a bold new vision of security - not as an inhibitor but as an accelerator for business. We invigorate the industry and inspire our users to recognize the critical importance of their work. We burn as a beacon for those who believe, as we do, that cybersecurity doesn't have to suck."

So if you want to learn more about how we help security teams bring order to their complex cyber asset universe, check out JupiterOne platform or sign up for a demo to talk to one of our technical experts.

And if you want to chat more about fighting burnout, you can find me on LinkedIn and Twitter!


Posted By Ashleigh Lee

I binge on noodles and do marketing things.

To hear more from Ashleigh, get our newsletter. No spam, just the good stuff once or twice a month. Sign up below.