Staying sane in cybersecurity and dealing with burnout

World Mental Health Day is recognized annually on October 10. At Detectify, we witness the fast pace of cybersecurity each day and to keep up we sometimes need to slow down. We recognize the important of mental health and this year, we asked Crowdsource hacker and founder of Haksec, Luke “Hakluke” Stephens, to share how he manages stress to avoid burnout as a cybersecurity professional. 

Working in infosec is an intense blend of creativity, technical prowess, and responsibility. When infosec becomes your job, it can be quite demanding to sustain this intense level of performance long term. We are facing a severe mental health crisis as an industry, and something needs to change.

Just to give an idea of how bad this is, here are a few statistics:

• 51% of cybersecurity professionals have trouble sleeping due to work-related stress.
• 47% of cybersecurity professionals are working between 41 and 90 hours per week.
• 48% of CISOs reported that the level of stress they are under has affected their mental health
• 97% of the C-Suite said that the security team could improve on delivering value for the amount of budget they receive

And here is a poll that I did on my personal Twitter account:

Before we jump into the tactics for avoiding or dealing with burnout as a cybersecurity professional – I want to give a personal account of my own experience burning out. Different people in different circumstances burn out in different ways, so I think giving some background is essential.

I’ve had a couple of massive burnouts in my life, but this one was probably the biggest. 

My Burnout Story

As soon as I finished school, I started working casually at a tech startup. The more hours I logged, the more I was paid, so naturally, I filled all my free time with work. At first, this was fine because the only commitment I had was this job from the time that school ended (November). I made friends with the people who worked there, and the culture was very chilled, so there was room for more.

Around February the following year, I took on extra work tutoring music to school kids, and it paid an hourly rate better than my IT job. In total, it was an added 6 hours of work per week on two different days, and both schools were about 45 minutes drive from my house. 

Around the same time, I started a computer science degree. The schedule looked easily manageable on paper. I had four different timetabled units. Each unit had a 2-hour lecture and a 1-hour tutorial each week, a total of 12 hours split over 4 days each week.

My weekly schedule technically worked as long as nothing went wrong. On paper, I had enough time in the week to make all of my appointments but my calendar started to feel like a game of Tetris. I didn’t mind at first because I really loved everything I was doing, but slowly I became tired, unfocused, and unmotivated. As time went on, my body and mind started deteriorating further. I drank energy drinks to stay awake during uni lectures (they didn’t work). I crashed on the floor at my mate’s dorm room to save the trip home giving myself 90 extra precious minutes to cram assignments. My car boot became my secondary wardrobe.

I was completed unfocused on school or work

Somehow I found the time to binge every episode of NCIS, but I was only just scraping through every assignment submission deadline, and my performance at work was average. I started staying up late at night to finish tasks – not because I wanted to but because I had deadlines to hit. 

Each day started bleeding into the next, and I began to dread waking up because each day’s tasks became too overwhelming. I started developing really bad wrist, neck and shoulder pain that worsened whenever I typed on a keyboard, which was 12+ hours every day.

I was totally burned out

I lasted two whole years before I reached my breaking point. I received an email out of nowhere from my old school music teacher telling me about some openings in a 1-year intensive music course that was starting interstate in a tiny country town. I took this as a message from the gods. A chance to ditch all the stress in my life for a whole year. Who could resist?

I quit everything and moved out of the city to a tiny country town where I did nothing but play trumpet and drink beer for a whole year. Slowly I felt my body unwind, and less to constantly think about on my mind. As the end of the year edged closer, I started to feel anxious because I did not want to return to my old life. I carried on and completed a whole music degree and became a musician. 

As it turns out, the musician life ultimately led me to another burnout five years later, but that story is a whole other blog post. The point is that it took me 5 years to recover enough from tech burnout to the point where I liked the idea of getting back into tech. I had a great time in those five years, and I regret nothing, but part of me sometimes wonders how much further I would be in my tech career (and financially) if I didn’t need to take those five years out.

Prolonged Stress is the Enemy

In my unfortunate experience of burning out multiple times – I have learned a few things:

If our goal is to feel motivated, inspired, ecstatic, focused and productive – continued stress will not get you there. Stress is a perfectly normal human reaction that has played a vital role in human evolution. Still, moments of stress have been short and rare for most of human existence, like when a hungry sabretooth tiger is gaining on you. In the 21st century, we deal with other types of stress. Working in a stressful job invokes long periods of stress frequently, providing the perfect environment for the dreaded burnout to set in.

What is Burnout?

Burnout is a result of long-term stress. It’s that feeling you get when you’ve given all you’ve got, and you’re done. Your motivation plummets, and focus is near impossible even if you are passionate about cybersecurity. The promise of promotions and bonuses is no longer enough to motivate you. Dread sets in, and you start daydreaming about desk flipping, living off-grid, moving to a remote island, and telling your boss where to stick the performance review.

Burnout is the least of it though, long-term stress is also linked to:

• Depression
• Cancer
• Insomnia
• Eating disorders
• Anxiety and panic attacks
• Back, neck, and shoulder pain
• Colds and viruses (compromised immune system)
• Circulatory issues
• Ulcers
• Diabetes
• Delayed physical healing, leading to increased infection
• Heart problems

One study even showed that heavy stress decreases your life expectancy by 2.8 years. Not only are you opening yourself up to an array of crippling health conditions, but you’re also literally shortening your life.

Flow State is what you want

Typically people want to be productive, and they often unknowingly conflate stress with productivity. It is easy to feel as though you aren’t being productive unless you are stressed. Thankfully – this is totally false. In fact, stress hinders your ability to perform at your peak. Peak productivity is achieved in a stressless state that has been dubbed “flow state.”

You have probably experienced the flow state before. The feeling of intense focus, clarity, and complete absorption in the task at hand. Time passes quickly and a sense of ecstasy sets in – creativity comes naturally, and all distractions fade into the background. If you’re a hacker, there’s a good chance you have experienced this state while hacking.

I would estimate that I experience “flow state” maybe 5% of the time I spend in front of a computer – usually late at night when I am heavily caffeinated with good tunes in my ears. It is one of my favourite things ever. Wouldn’t it be nice if we could feel this more often?

Maybe we can!

Flow State was popularized by two positive psychologists, Mihaly Csikszentmihalyi and Jeanne Nakamura. They studied this state by interviewing many high performers from different disciplines, including athletes, surgeons, ballet dancers, and chess champions. They made some interesting observations, finding that the flow state is easiest to achieve when:

• Completing tasks that are challenging or engaging but not too difficult.
• Completing tasks that you are good at.
• You are focused on the process rather than the final product.
• There are no interruptions or distractions.
• You are focused on a single task.

When I think back, I can see that every time I have been “in the flow”, all of these conditions have been met. Now consider this – what conditions would induce the opposite of flow state? We could deduce that they would be:

• Tasks that are either boring or too difficult
• Focusing on the final product rather than your current task
• Constant interruptions
• Multitasking

I’m sure you can think of a time where you have met similar conditions, most likely at work. You’ve been tasked with a boring and difficult, uninspiring task. Somehow you need to complete this task amid the distracting barrage of “urgent” slack messages, emails and @#$%ing Zoom meetings. And how did you feel? Wait, wait… let me guess. Stressed.

Should you do what you love?

There is so much conflicting advice about whether you should do what you love as your main source of income, or whether you should avoid it. The arguments on either side tend to go something like this:

For:

“Do what you love! If you love your job, you will never work a day in your life!”

Against:

“If you do what you love as your job, you will be too emotionally invested, won’t love it anymore, and ultimately burn yourself out.”

The reason there is so much conflicting advice is that the question is not clearly defined. For example, I could say that I love pentesting – but do I really love it?

Things I love about pentesting:

• Hacking interesting targets

Things I hate about pentesting:

• Deadlines
• Writing reports
• Bad clients
• Being on a customer site
• Wearing a suit
• Being away from my family
• Corporate culture
• Meetings
• My advice being ignored
• Checkbox tests

So do I really love pentesting? Or do I just love hacking interesting stuff?

It’s totally possible that someone thinks they are in a career they love, but are blind to the fact that they actually can’t stand 80% of what’s expected to be done.

Another thing to take into consideration is that the things people love and hate change constantly. When I was 15, I thought coffee tasted like dirt, but now I can’t get enough of it. A couple of weeks ago I was really enjoying learning stuff about AWS, then I had to cram a 26 hour Udemy course to pass an AWS certification and now I get a twitchy left eye whenever I open the AWS console. Right now, I love cake, but if I sat down and ate 28 cakes in one sitting, eating another cake would be torture. Likewise, right now, I love hacking, but after a week straight of hacking 20 hours a day, I’m done.

So should you do what you love? YES! Of course you should! You only have one life to live. You would be crazy not to spend as much time as possible doing things you love. But it’s important to pinpoint exactly what you love in this particular moment.

Over the last five years or so, I have slowly set my life up in a way that I have many different threads going at any one time, and I try to never focus on one of them long enough to burn out on it. 

How I avoid burnout as a cybersecurity professional

As soon as I start detecting signs of burnout or stress, I drop what I’m doing and pick one of the other threads up. I consciously and constantly ask myself if I love what I’m doing right now, and if I don’t, I do something else. This allows me to remain interested and motivated more often. To achieve this freedom, I needed to quit my job and go self-employed. At the moment, I’m splitting my productive time between:

• Creating videos and blogs like this one
• Freelance pentesting jobs
• Bug bounties
• Coding
• Business admin

I am very privileged to be in a position where I could quit my job, and I’m not saying that everyone should do the same, but if you are in a job that is literally shortening your lifespan, it’s probably not a bad idea to explore.

The best cure is prevention

Burnout is a bit like sunburn. By the time you realise you’ve got it, it’s probably too late. The best way to cure burnout is to actively look for early signs and act on them for prevention. Here are some early signs of burnout to watch out for:

• Consistent tiredness
• Cynical / negative outlook
• Mood swings
• Difficulty focusing
• Anxiety
• Loss of enthusiasm, especially for work
• Difficulty sleeping
• Physical ailments
• Substance addiction or reliance (including caffeine, alcohol and painkillers)
• Feelings of failure, self-doubt and helplessness

If any of this sounds like you – it’s time to take a step back.

Recovery and prevention methods

Here are some things that have helped me to recover from burnout in the past. These can also help prevent from getting burnout in the first place.

• Sleep: Go to bed early enough that you always wake up naturally before your alarm. Don’t be afraid of embracing the day nap.
• Set boundaries: Refuse to work longer than your contracted hours. Get comfortable saying “no”. Set clear boundaries between work and home.
• Exercise and eat well: Yes mom.
• Ditch perfectionism: Sometimes good enough is good enough.
• Make a change: Daring to make an exciting change can make all the difference. Switch jobs, move to a new city, work from home, buy a new computer.
• Use your annual leave: Use your hard-earned vacation time. Don’t even think about answering calls/emails from work.
• Get some nature time: Getting out in nature is a great way to recharge your energy. Go for a bushwalk, swim at the beach, go camping.
• Awareness: Being aware of your own burnout risk is the first step to preventing it. You can use this quiz to gauge your risk: https://burnoutindex.yerbo.co/.
• Get Professional Help: Reading blogs by some dude on the internet is not a replacement for seeing a psychologist. Don’t wait until you’ve hit the wall.

Burnout traps

There are some common traps that people fall into, causing them to burn out. It’s good to be aware of them so that you can recognise them as they pop up.

Trap #1: Living for the future

As your career progresses, it’s easy to fall into the trap of always striving for the next best thing. First, you’re happy to get a job at all, but it isn’t long before you have your eye on your manager’s position. After a year or two, you finally get promoted, but you barely stop to celebrate before you have your eye on the senior manager role. It’s easy to think, “I’ll just over-exert myself for one more year until I get this next promotion, and then I’ll be content.” But there is always another level. You end up running on a treadmill that just keeps getting faster until you finally hit a wall.

Try to replace this cycle with gratitude for what you have now. Instead of focusing on what you don’t have yet, focus on how far you have come. Congratulate yourself for getting to your current state. You deserve it.

Trap #2: Loyalty to an organization

One thing that keeps many employees chained to one particular job is that they feel a sense of loyalty to the organization they work for. Learning from my own experience, it’s clear that being loyal to an organization is not in your best interest because the organization does not feel the same about you.

I have watched too many friends succumb to terrible mental health issues trying to meet the demands of huge organizations they felt loyal to, only to be made redundant. You should always be open to considering new career opportunities, no matter how much you love your current role. Knowing what’s out there can also help you figure out working conditions that better suit you. If your mental health isn’t a good enough reason, check this Forbes article out; people who switch jobs every 2 years or less earn 50% more over their lifetime!

Trap #3: Imposter syndrome

Feeling like you’re not good enough can cause you to overwork because you feel like you need to work extra hard to catch up with your colleagues. I want to write a whole other blog about dealing with imposter syndrome, but in a nutshell you are good enough.

Some affirmations for anyone who needs to hear them:

• You made it through the hiring process and were chosen over others for your current role.
• Your employer hired you because they feel that you are the best person for the job.
• The only difference between you and people who are more experienced than you is knowledge.
• Knowledge is obtainable by anyone.
• You are a valuable human who has immense value to offer the world.

As a cybersecurity professional, you have never been in higher demand than you are right now. This means that you do not need to settle for a job or gig that negatively affects your mental health. Burnout can affect anyone, no matter if you are employed or freelancing. Learning the signs that what leads to burnout can help you prevent it.

If you feel that your mental health is being jeopardized, speak with your manager or teammates for support. You can also try the same analysis I shared above to find what really matters to you. It is so important to work somewhere that will value your time and mental health, and with the things that bring you flow and joy.

Take care!

Watch the vlog of Staying Sane in Cybersecurity by Hakluke: