You See a SecBurnout Cult; I See Common Sense

Some folks are pissed over my recent posts about efforts in the security community to fight job burnout and depression. I won’t change your minds, so I’ll just clarify a few things and move along.

People have made five observations:

  1. The data is far too insufficient to declare a problem specific to the security community.
  2. Without data, all we have is opinion.
  3. The greater InfoSec Burnout movement and I have made it sound like this is an infosec problem or a workplace-centric problem rather than what it truly is: a mental health problem that the individual already has and brings to whatever job they have.
  4. I’m trying to superimpose my issues onto the rest of the community.
  5. I’ve gotten too caught up in the noise coming from the SecBurnout people.

That last line makes it sound like I’ve joined a cult of misguided infosec egotists who can’t see past their upraised noses. What follows is my opinion on each of the points above. I speak as an individual, not as part of any organized movement — security or otherwise.

  1. Data isn’t everything. I write from personal experience. Part of that includes discussions I have with distressed peers. It doesn’t always take a study to see a problem.
  2. Well-formed opinions based on experience are useful.
  3. I’ve said it repeatedly: A mentally ill person can be sent over the edge by their work circumstances, but in the final analysis the problem starts with them. I used to be crazy and work stress was a trigger. But the problem was always my inability to deal with stress. I had to be the change. I had to get treatment and find the coping tools. I had to create a new me. So it is with everyone.
  4. The notion that I’m superimposing my issues on the larger community is laughable. I didn’t start out on a mission specific to this community. It’s still not a security-only thing. But there are people who came to this community with mental illnesses who could use a helping hand. If I can share what I’ve learned in my own recovery with industry peers, I will. Maybe it’ll help them cope better with the stresses of the industry. Or maybe it’ll just help them cope better with life in general. Either way, it’s a win.
  5. I don’t believe I’m caught up in “noise.” I know where I’ve been and who I’ve talked to. When asked, I’ll always share what I’ve learned and who I learned it from. I’ll also be the first to admit I’m imperfect and still a work in progress.

This has never been about suggesting there’s a problem special to infosec. I don’t see a pandemic within the community. I see friends and colleagues grappling with territory I’m familiar with.

It’s as simple as that.

bill the cat giving rock sign

SecBurnout: Much Ado About Nothing?

At the SOURCE Boston security conference yesterday, I ran a session with former colleague and friend Josh Corman on the topic of security burnout. It’s an issue I’m increasingly dedicated to, given my own history with mental illness and high-profile deaths in the community.

When I think of the suicide of Aaron Swartz and the accidental overdose of Barnaby Jack, something in me screams out to act. I’m also inspired by the efforts of people like Amber Baldet and Akamai colleague Christian Ternus and want to help.

But some think this effort is a curious sideshow.

Mood music:

After reading about the session, one infosec practitioner took to Twitter and asked, “How many of us have lost it and started shooting up a place?”

It’s true there hasn’t been an explosion of people in the industry losing it and gunning down a bunch of co-workers. Therefore, he feels, the problem isn’t worth the efforts some of us have embarked upon. He added, “Something is wrong, alright. But let’s not make a big deal here.”

My skeptical friend isn’t the only one to make these points. Others have pointed out that the SecBurnout effort is a waste of time because antisocial, caustic behavior is a staple of the profession. Nobody will change those people, nor should anyone try to.

Those who can’t handle it simply need to grow a set of balls or go do some other kind of work.

I agree with that — to a point.

As Corman noted yesterday, this effort isn’t going to “cure cancer.” We can’t tell people how to think, and we don’t want to. We’re advocating more kindness and civility in the profession, but we know the more negative elements will always be there.

Also true is that you can’t cure things like depression, bipolar disorder and OCD. We can learn to manage these things better, however, and keep them from controlling us.

But all that is beside the point of SecBurnout and similar efforts.

We don’t expect to change the world. We do believe it’s worth trying to suggest a better approach. If we can inspire just a few security shops to adopt a more humane environment that inspires people instead of crushing them — and if that leads to fewer cases of depression and suicide — it will be worth it.

Maybe this isn’t a big deal to you. If that’s the case, congratulations for staying above it all. But if you or your friends and colleagues are casualties of burnout, it’s a big deal.

I do see progress. When I was stuck in the deepest depths earlier in my career, you simply didn’t talk about this stuff. It was a sign of weakness and could get you fired.

That’s not as true today. I and many others are talking openly about our demons, and it’s making a difference. As a community we’ve recognized there’s a problem. Amber Baldet took it a step further by sharing suicide intervention techniques.

The next step is to attack the conditions that fuel depression in the first place, to tear at the roots of the problem so fewer people reach the point where they need an intervention.

And so we press on.

lighting a row matches