SecBurnout: Much Ado About Nothing?

At the SOURCE Boston security conference yesterday, I ran a session with former colleague and friend Josh Corman on the topic of security burnout. It’s an issue I’m increasingly dedicated to, given my own history with mental illness and high-profile deaths in the community.

When I think of the suicide of Aaron Swartz and the accidental overdose of Barnaby Jack, something in me screams out to act. I’m also inspired by the efforts of people like Amber Baldet and Akamai colleague Christian Ternus and want to help.

But some think this effort is a curious sideshow.

Mood music:

After reading about the session, one infosec practitioner took to Twitter and asked, “How many of us have lost it and started shooting up a place?”

It’s true there hasn’t been an explosion of people in the industry losing it and gunning down a bunch of co-workers. Therefore, he feels, the problem isn’t worth the efforts some of us have embarked upon. He added, “Something is wrong, alright. But let’s not make a big deal here.”

My skeptical friend isn’t the only one to make these points. Others have pointed out that the SecBurnout effort is a waste of time because antisocial, caustic behavior is a staple of the profession. Nobody will change those people, nor should anyone try to.

Those who can’t handle it simply need to grow a set of balls or go do some other kind of work.

I agree with that — to a point.

As Corman noted yesterday, this effort isn’t going to “cure cancer.” We can’t tell people how to think, and we don’t want to. We’re advocating more kindness and civility in the profession, but we know the more negative elements will always be there.

Also true is that you can’t cure things like depression, bipolar disorder and OCD. We can learn to manage these things better, however, and keep them from controlling us.

But all that is beside the point of SecBurnout and similar efforts.

We don’t expect to change the world. We do believe it’s worth trying to suggest a better approach. If we can inspire just a few security shops to adopt a more humane environment that inspires people instead of crushing them — and if that leads to fewer cases of depression and suicide — it will be worth it.

Maybe this isn’t a big deal to you. If that’s the case, congratulations for staying above it all. But if you or your friends and colleagues are casualties of burnout, it’s a big deal.

I do see progress. When I was stuck in the deepest depths earlier in my career, you simply didn’t talk about this stuff. It was a sign of weakness and could get you fired.

That’s not as true today. I and many others are talking openly about our demons, and it’s making a difference. As a community we’ve recognized there’s a problem. Amber Baldet took it a step further by sharing suicide intervention techniques.

The next step is to attack the conditions that fuel depression in the first place, to tear at the roots of the problem so fewer people reach the point where they need an intervention.

And so we press on.

lighting a row matches

Assessing Suicide Risk and Learning Intervention Tactics

Having lost my best friend to suicide in 1996 and suffered my own bouts of depression over the years, I’m grateful for those who rise up to stem the tide of this often-misunderstood scourge. In my industry (information security) I’ve met a lot of good people who suffer in silence. Among them are folks who refuse to sit back and take it.

And so we’ve seen the rise of such endeavors as the Information Technology Burnout Project and talks at a series of hacker conferences on how to spot someone with depression and intervene before it’s too late. One such talk happened at the DEF CON 21 conference in Las Vegas last weekend. The talk was given by Amber Baldet, who has also given the talk at such events as SOURCE Boston.

Mood music:

Baldet wrote of last weekend’s experience on her Idiosyncratic Routine blog and has graciously shared her presentation with me and others who couldn’t make it to the talk. You can view the full slideshow here, but let me give you the highlights.

Early in the slideshow, Baldet describes suicidal behavior as a contagion that “directly or indirectly (via media) influences others to attempt suicide.” I never attempted suicide myself, but my experience is that the depression of a friend, colleague or loved one can rub off on those who inhabit the same environment. It can deepen someone else’s depression and, if that person is so inclined, it can make them suicidal. Media coverage adds fuel to that fire, as noted in this slide:

We're Doing It Wrong

Another slide focuses on the clinical aspects, conditions that lead to depression and, in some, suicide:

Clinical Stuff

There are a lot of traits in the security community and beyond that spark depression and suicidal behavior. One is the tendency of hackers to stay up all night as they follow one code-based rabbit hole after another. “I’ll sleep when I’m dead, too busy CRUSHING IT,” as Baldet puts it.

There’s also a high degree of paranoia in our community. Paranoia is a disease I know well. I’ve lived it and watched my best friend get eaten alive by it.

The most valuable slides focus on specific ways to help others:

Rethink Our Service Model

Indetifying Risk

Oh Shizz Now What

Building Rapport

Bringing 'It' Up

Threat Assessment

Action Plan & Next Steps

I highly recommend you check out the full presentation, Suicide Risk Assessment and Intervention Tactic.

Thanks for sharing, Amber.

DefCon 21