Some folks are pissed over my recent posts about efforts in the security community to fight job burnout and depression. I won’t change your minds, so I’ll just clarify a few things and move along.
People have made five observations:
- The data is far too insufficient to declare a problem specific to the security community.
- Without data, all we have is opinion.
- The greater InfoSec Burnout movement and I have made it sound like this is an infosec problem or a workplace-centric problem rather than what it truly is: a mental health problem that the individual already has and brings to whatever job they have.
- I’m trying to superimpose my issues onto the rest of the community.
- I’ve gotten too caught up in the noise coming from the SecBurnout people.
That last line makes it sound like I’ve joined a cult of misguided infosec egotists who can’t see past their upraised noses. What follows is my opinion on each of the points above. I speak as an individual, not as part of any organized movement — security or otherwise.
- Data isn’t everything. I write from personal experience. Part of that includes discussions I have with distressed peers. It doesn’t always take a study to see a problem.
- Well-formed opinions based on experience are useful.
- I’ve said it repeatedly: A mentally ill person can be sent over the edge by their work circumstances, but in the final analysis the problem starts with them. I used to be crazy and work stress was a trigger. But the problem was always my inability to deal with stress. I had to be the change. I had to get treatment and find the coping tools. I had to create a new me. So it is with everyone.
- The notion that I’m superimposing my issues on the larger community is laughable. I didn’t start out on a mission specific to this community. It’s still not a security-only thing. But there are people who came to this community with mental illnesses who could use a helping hand. If I can share what I’ve learned in my own recovery with industry peers, I will. Maybe it’ll help them cope better with the stresses of the industry. Or maybe it’ll just help them cope better with life in general. Either way, it’s a win.
- I don’t believe I’m caught up in “noise.” I know where I’ve been and who I’ve talked to. When asked, I’ll always share what I’ve learned and who I learned it from. I’ll also be the first to admit I’m imperfect and still a work in progress.
This has never been about suggesting there’s a problem special to infosec. I don’t see a pandemic within the community. I see friends and colleagues grappling with territory I’m familiar with.
It’s as simple as that.
It’s a real phenomena. The problem is, that it isn’t addressed. I know people who have burned out, but covered their troubles in booze & drugs & whatever until they are done. Done as in gone, either drop out and join some monastic cult, or burn out and erase themselves via drug overdose or suicide, or burn out, and then some sort of undetermined step happens and they end up selling timeshares or cloud services. The problem is, with the ego that the infosec community has, the social cost of burnout is very, very high – it’s ego and identity shattering. Infosec is a very competitive field, full of alpha-personalities (or those good at faking it), and bullshit artists. You’re young and eager (under 18), youthful vibrant and genius (18-30), experienced or has-been (30-40), management or dead (40+). Ok maybe that’s an exaggerated generalization but come on, who starts in infosec later in life? It’s not like some laid-off assembly line worker can get retrained to tiger-team. We’re like professional athletes, with a limited shelf life – after that it’s obscurity, death, insurance salesman, or coach. The problem is we’re not paid that way. True infosec talent is rarer and more valuable than top-notch athletes, but salaries top out at what, $200k? Oh yeah, team up with some startup and maybe get rich, maybe not. The whole economy is completely screwy, and few people know or care. No wonder there are so many criminals.
Then change the name of the project. Thinking healthcare personnel and people who risk their lives on a regular bases, like law enforcement, could use this as well. No argument that making six figures with no real barriers to entry (degree requirements) other than talent is extremely stressful.
I’m going to start out by saying that discussion about mental health issues is worth having, even if you aren’t suffering at this very moment. Even people who don’t have pre-existing mental issues can break down during difficult circumstances. While the issue isn’t specific to infosec, the work we do is emotionally and mentally intense and recognizing the mental health aspect is the only way we are going to ensure our long term well being and employability. I suspect that the idea that we are “professional athletes” is partly based on the fact that no human being can tolerate certain kinds of stresses for their whole life time. With proper recognition of mental health as an aspect of physical health, we might be able to extend our shelf life.