Episode 44

Published on: 17th Apr 2024

Cybersecurity Burnout and Organisational Culture with Yanya Viskovich & Eve Parmiter

Welcome to Razorwire! In today’s episode, we take a look at the often-overlooked issue of professional burnout within the cybersecurity field. Joining us are two esteemed guests: Yanya Viskovich, a cyber resilience authority, and Eve Parmiter, a clinical traumatologist and consultant, both of whom bring their interdisciplinary insights to our discussion.

Today's conversation uncovers the critical yet not-often-discussed crisis of burnout amongst our cyber defenders. Yanya shares her personal journey through the throes of burnout and her subsequent passion for addressing the human factors in cybersecurity, and Eve gives us her clinical perspective, providing an in-depth understanding of the steps that lead to burnout and how we can move towards prevention and recovery. Together, we explore strategies for cultivating an organisational culture that is resilient against burnout and the positive repercussions this can have on cybersecurity effectiveness.

Key Talking Points

Personal Insights from the Field: Yanya recounts her dynamic career path and the vulnerable moments of burnout she encountered during the global pandemic, offering listeners a glimpse into the human side of the cybersecurity equation.

Clinical Wisdom for Cyber Warriors: Eve, with her therapeutic background, maps out the psychophysiological terrain of burnout and provides actionable tactics for information security professionals to identify and manage their stressors before they escalate.

Building a Burnout-Resilient Culture: Gain critical advice on creating strong, collaborative and health-focused workplace cultures that prioritise learning and vulnerability to fortify against cybersecurity threats as well as professional burnout.

Don’t miss out on this conversation, which is more relevant now than ever. Tune in to unlock techniques that will not only defend your organisation’s digital assets but also safeguard the wellbeing of its most valuable guardians - its people.



Embracing Failure for Cybersecurity Improvement: 

"We need to have a tolerance for failure, but an intolerance for incompetence. We need to invite cultures that invite questions and difficult ones, and that invites people to challenge the status quo, to invite people to say, ‘yeah, I've noticed that something's wrong here’, or ‘I see this as a potential risk and I'm raising it.’"

Yanya Viskovich


Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:


- Appreciation of Crisis Management: A look into how the efforts of infosec professionals are often undervalued, especially when resolving critical issues during crises.


- Post-Lockdown Loss of Mentorship: An exploration of the pandemic's impact leading to the exit of experienced professionals from the cybersecurity field and the subsequent loss of mentorship for up-and-comers.


- Organisational Culture and Failure: The importance of creating supportive cultures within organisations that encourage learning from mistakes and destigmatising failure.


- Human Factor in Cybersecurity: Highlights the crucial role of considering human behaviour and psychology in cybersecurity strategies, alongside technology and process optimisation.


- Stress and High Burnout Rates: Insights into the abnormally high stress levels within the cybersecurity industry, leading to significant burnout among professionals.


- Industry's Perception on the 'Department of No': Discusses the challenging perception of infosec teams as obstructionist.


- Power of Recognition: We discuss the role of recognition and appreciation in mitigating work-related stress and improving employee satisfaction.


- Burnout and Operational Effectiveness: The use of the Critical Incident Technique as a framework for understanding work-related stressors and developing strategies to improve burnout and operational effectiveness.


- Burnout Recovery and Resilience: How individuals can recover from burnout and leverage the experience to grow stronger and more resilient to future stressors.


- Risk and Response to Burnout: Arguments are made for including professional burnout as a significant risk in organisational risk registers and developing multifaceted strategies to prevent and respond to it in the cybersecurity sector.


Guest Bios


Yanya Viskovich

Yanya Viskovich is a cybersecurity expert specialising in the human factor. A TEDx and Fortune 500 keynote speaker and Senior Manager in Security Consulting at Accenture Switzerland, Yanya advises and presents to CISOs, C-Suites and Boards on how to reduce human security risk and enhance security cultures, and conducts executive cyber crisis simulations. Her March 2023 TEDx talk, "Why Burnout Culture is a Cyber Risk", has been instrumental in raising awareness about the impacts of stress and burnout on organisational cyber risk and resilience. She is a former cybercrime prosecutor, has advised the Australian Federal Privacy Commissioner, trained law enforcement agencies, and held diverse senior in-house roles in large multinationals and international organisations, including the United Nations, where she strategised and implemented crisis plans and data protection policies. Yanya also serves as Chair of Cyber Law & Governance at the Swiss Cyber Institute and as an expert ethics advisor to the European Commission. She regularly guest lectures at Swiss and European universities, and contributes to publications and professional standards on cybersecurity, AI, data protection, privacy, and data ethics. Yanya is an Australian Bar-admitted attorney and holds a Bachelor of Laws, a Bachelor of International Relations, and a Master of Laws from the Australian National University; a Data Protection Officer certification from the European Centre on Privacy and Cybersecurity at Maastricht University; executive certificates in cybersecurity management from MIT Sloan School and the Geneva Centre for Security Policy, and in applied computer science from EPFL. 


Eve Parmiter


Eve works as a therapist, coach, and consultant. She focuses on power, potential, and performance, and the things that get in the way, like the misuse and abuse of power, and the wear and tear of what we choose to do, including workplace burnout.


She runs a successful private practice, and has worked with the military, public, and private sectors, with new recruits to C-suite and founders, and with world-class performers in sports and the arts.


Organisations and individuals work with Eve to make meaningful changes in their teams and lives. Improving performance, developing resilience, and building wellbeing all contribute to achieving high hard goals, rich connection, deep fulfilment, and have a positive impact on the bottom line.


She graduated with a First Class BScEcon in International Relations, and a Master’s Distinction from LSE. She holds a Black Belt in Jeet Kune Do, has worked as a professional actor, and is a trained Cognitive Hypnotherapist, clinical traumatologist, and NLP Master Practitioner.




Resources Mentioned

- Accenture

- United Nations

- UN High Commissioner for Refugees

- International Committee of the Red Cross

- "The Cyber Sentinels Handbook, A Primer for Information Security Professionals"

- World Health Organisation



Other episodes you'll enjoy


Preventing Burnout in Cyber Security

https://www.razorthorn.com/cyber-security-professionals-shortage-burnout-how-to-protect-against-it-razorwire-podcast/


SolarWinds’ CISO Under SEC Scrutiny: The Impact On The Infosec Community

https://www.razorthorn.com/solarwinds-ciso-under-sec-scrutiny-the-impact-on-the-infosec-community/


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.


Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com. We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


Linkedin: Razorthorn Security

Youtube: Razorthorn Security

Twitter:   @RazorThornLTD

Website: www.razorthorn.com




All rights reserved. © Razorthorn Security LTD 2025



Transcript
Jim [:

Hello, and welcome to another edition of Razorwire. Now today, we have a feature length episode on the very important subject matter of burnout in the information security community. We all have very high pressure jobs with serious implications in the event of incidents. And there's always gonna be the danger that at some point in your career, you are gonna feel that kind of burnout phase. Now it's really, really important that you understand what it is, what the implications are of it, how to spot it, and potentially how to deal with it as well. And I've got 2 fantastic guests who are gonna be coming down and talking to us about this. Now one of those guests actually experienced burnout herself. It was a LinkedIn video that I saw one morning when I was having my coffee, and I reached out and said, would you like to come onto the podcast and discuss that? So that's with Yanya.

Jim [:

And then we also have Eve who helped her through the process and advocates making sure that your colleagues and coworkers are working and able to handle and experience support with regards to things like that whole burnout process. It's really, really important subject matter. I'm really looking forward to investigating this particular side of information security. Sit down, get a coffee, get comfortable and let's see what we can produce for you. Welcome to the Razorwire podcast, where we discuss all things in the information security and cybersecurity world. From current events and trends through to commentary from experts in the field providing vital advisory on what it is to work in the information security and cyber security space. Right. And today, yes, we've got 2 fantastic guests who have come to discuss this really important topic with us.

Jim [:

Yanya, who inspired me to do this through the TED talk that I saw from her maybe I think it was about 2 months ago. Yanya, I don't know. You might have recorded it a little bit earlier on, but I actually saw your recording on LinkedIn. And then we have the wonderful Eve as well who can give us a hell of a lot more insight into the clinical side of burnout, what it means, and some of the more clinician style of what's going on and how we can spot it. So do you guys wanna give yourselves a bit of an intro? Yanya, might as well start with yourself. This is inspired by your TED Talk.

Yanya Viskovich [:

Sure. Thanks, Jim. It's a pleasure to be here. So, yeah, my career in cybersecurity has been very nonlinear. I currently advise organizations as a senior manager at Accenture in their security consulting area in Switzerland, helping organizations to become more cyber resilient by looking at their human factor. And as I mentioned, my career in cybersecurity, I've worked in cyber from a number of different angles, had the opportunity to work all over the world. I began my career as a lawyer, so I've actually come to cybersecurity through the law. And I began as a prosecutor in Australia, first prosecuting state crimes.

Yanya Viskovich [:

And then after about 3 years, I then moved to the federal prosecution service. So, Jim, you're based in the UK. So are you a the equivalent would be the Crown Prosecution Service?

Jim [:

Okay.

Yanya Viskovich [:

Yeah. And I actually started, so my portfolio is really quite broad, but it included what we called back then high-tech computer crimes. And that was really covering the dark web stuff, but also using computers to commit other crimes like major drug importations and conspiracies. And part of my role was also to work closely with law enforcement agencies to do capacity building with them, to train them, and help them understand how to run successful and lawful prosecutions, or rather investigations that would then lead to prosecutions. Did a lot of work also advising various Australian statutory bodies, including back then the Australian Federal Privacy Commissioner. So my foray into cyber and data protection really begins there, although at the time I didn't really know it. And after about 6 years there, I decided to follow a passion of mine, which was to go and work for the United Nations, devising anti-fraud programs for the UN, and also strategizing contingency plans for the UN and for all of the various stakeholders that we in the country during the time of the Syria crisis. What I didn't know back then was that that work in figuring out what we're going to do in the event of a crisis and what every person's role would be would end up becoming highly relevant in cybersecurity.

Yanya Viskovich [:

And so today, one of the things I also do is help organizations prepare for a crisis, a cyber crisis, and help them develop cyber contingency plans for that. Then I end up in Geneva with the UN High Commissioner for Refugees, and I am presented with an opportunity in the legal department to edit and help draft the UN's first data protection policy. And then I began operationalizing it, drafting guidelines to help our data security teams and our information management teams around the world to implement that. When you work for a humanitarian organization that is protecting people, it's mandated to protect people who are in situations of armed conflict, fleeing persecution, and so forth. The protection of those people's data and the security of that data really becomes a matter of life and death a lot of the time for those people because they're fleeing, you know, armed conflict, they're fleeing armed actors, they're fleeing persecution. So I end up going and doing essentially the same thing for the International Committee of the Red Cross. I, you know, this is around when I started working on the UN's first data protection policy. This was at the end of 2014, and the GDPR was very much in the works at that stage Mhmm.

Yanya Viskovich [:

In terms of negotiation and drafting. And I just remember sitting at my desk one day going, this is fascinating. This is really interesting. And I think the world is about to become quite focused on data protection and data security. I wanna be a part of it. So I decided I wanted to become wholly focused on that topic. Sometime after that, I decided I wanted to join the private sector. So I took a role as the global senior counsel for a data privacy program at an American multinational in the oil and gas sector.

Yanya Viskovich [:

Not so long after I joined, COVID hit. And we had operations in China, and we had big manufacturing operations in China. And at the beginning of 2020, we started hearing certain things happening in China, and I just got the sense that this was going to become a lot bigger. So I started putting in place various procedures and documents that would help our colleagues manage this. We, as a company, we were classed as a critical infrastructure company because we were essentially enabling, you know, oil to come out of the ground so it could keep the lights on in people's homes. So we had to keep our business going. And that meant, of course, from a data protection standpoint, that we had to make sure when our people were going into manufacturing sites, that they were healthy, you know, from an occupational health and safety perspective. We also had the challenge of making sure that our staff could keep working so that our business could keep running.

Yanya Viskovich [:

But obviously, I couldn't go fast enough. Virus spread much faster than I could work. Sometime into the pandemic, I then had a burnout.

Jim [:

Mhmm.

Yanya Viskovich [:

My journey from the burnout onwards, eventually, went to hospital, as I mentioned in my TED talk. In hospital, I start to connect some dots and see real connections between the number of people that were coming into hospital who were from working in IT, cyber security, and I just started to think, you know, there's some patterns here.

Jim [:

Yeah.

Yanya Viskovich [:

Upon coming out of hospital, I decided to, you know, what do you do when life gives you lemons? You try to make lemonade. I tried to make something productive out of what had been a rather reductive experience, made a TED talk out of it. But in the process, however, really became super fascinated in the human factors in cybersecurity and how stress impacts behavior, and how that then impacts an organization's cyber risk. I've continued to work in the area. I have worked since for a company that was developing organizational cultural training, so ways in which we could enhance the way their teams work together in agile ways, and using applied improvisation, which I think is a remarkable technique for helping different teams collaborate. And then ended up working where I do now at Accenture, helping organizations understand and mitigate human risk. So I'm heavily involved in the area and very fascinated by it and really grateful to be having this conversation with you and Eve today. That's a very long story to how I got here.

Jim [:

No. It's great. I mean, you put my career to shame with that. You know? I mean, some of the institutions that you've worked for are huge, you know, very far reaching, and it's fascinating to hear people's journeys into infosec. Eve, you obviously come into the story when sort of Yanya needed some assistance and some help with what she was experiencing. Do you wanna go kinda give us a bit of your background? How did you get into counseling and doing what you do? And how did you get involved with Yanya?

Eve Parmiter [:

Well, thank So my route, so the hats I wear at the moment, I'm a clinical traumatologist, therapist, coach, consultant, many hats, many overlaps and the links and what's particularly relevant to our conversation today is that, well, since I can remember, I've been really interested in exploring what's possible to see if I can find it within myself to bring out an even better performance in whichever domain I'm in, which has very much been a direction of travel rather than a destination. So that on the one hand, there has always been the sense of there is so much life to live. And then on the other hand, there's all the stuff that gets in the way of it. Of particular interest to me has been the misuse and abuse of power. So all my work has been around power, potential, and performance, mine and other people's. So short version of this. Initially, it took me down an academic route of international relations, then to do some humanitarian work, which showed me just how ill equipped I was at the time to make a meaningful difference to the people around me. And that got me very interested in how do we actually convert theory into practice.

Eve Parmiter [:

I explored that viscerally by training in martial arts, not a natural athlete. So quite the challenge and got the black belt, got my instructor level. And what's very interesting for me in that environment is that it doesn't matter how lovely your theory is, it doesn't actually change the reality of getting punched in the face. And I am very interested in what we can actually do while we're getting hit either literally or metaphorically. So to explore that, I started therapy and retrained in therapy to become a therapist. To borrow some language from your domain, I realized that a brute force attack of just more physical training wasn't gonna solve the problem. So bringing all of this to the work I do with training and coaching and therapy with individuals within organisations. And I've been fortunate enough to work with some organizations in the public and the private sector. And as a civilian, providing training within the military as part of their command leadership and management programs, all of this comes back to that power of potential performance and to the wear and tear of work.

Eve Parmiter [:

You know, some of it intrinsic, some of it not so, which then brings us to burnout.

Jim [:

For me, funnily enough, just before I saw Yanya's TED Talk, I've been seeing a number of articles go floating around for a little while, actually, about specific obviously, because, you know, I kinda walk in the information security space. So a lot of my feed and things like LinkedIn is very much, obviously, with marketing significantly, because a lot of them have been running businesses for years. They've experienced it. Some of them have significantly because a lot of them have been running businesses for years. They've experienced it sometimes in multiple times. But on my LinkedIn feed, I saw some really interesting stories where CSOs had been approached and said, on this particular scale, how do you feel when it comes to the stresses of your day to day work? And there was a lot of analysis that was going on from a couple of different institutions. And the results that I was seeing from these kind of papers seemed to be abnormally high. Yep.

Jim [:

70%, 80%. Didn't see anything quite in the 90%. But as with anything, you know, when you do these kinds of things, you're gonna have a group of individuals. It's gonna be considered to be a kind of control group in many respects for what the industry is experiencing at large. On one of them, I think it was 2,000 CSOs. On another one, I think it was, near close to 4 or 5, but they've got very, very similar results. So, you know, I was pretty confident that it was accurate across industry wide. Having been a CISO myself, interim CSO multiple times running my own business and doing virtual CSOing and watching my staff do that kind of thing, I've also seen from a slightly different angle.

Jim [:

So when I saw Yanya's TED talk, I was really interested. Really interested in what was the journey? What did she experience? And it was scary in many respects to listen to somebody go through that, you know, empathizing on their situation. And I think it's important for us within the information security to understand quite the pressures that we're under, and the things that we have to deal with. Because quite significantly, infosec people up until recently have been predominantly ignored in the business world, you know, as a general rule. We were viewed as doomsayers. We were viewed as pessimists. You know, why are you talking about things that have never happened before? And a lot of that does have quite a big effect on you if you're constantly being told that. Oh, why do we need a penetration test? It's expensive to do it. It's rubbish.

Jim [:

We don't need it because we're secure. Because I'm telling you we're secure. Because we're in the IT department and we're you know, and all that kind of jazz. Even when I was working for a well known newspaper in, you know, running their security, I was accused more than a few times of being a glorified security guard from the door, but just on a digital format. And, yeah, that sparked a few big interesting conversations over the years. Fast forward to nowadays, and infosec has comparatively become a big thing. Ransomware has done a big thing to drive up the interest in security. And it's now seen as a fiduciary requirement for businesses of any decent size, and a responsibility to their shareholders to undertake.

Jim [:

So it's meant that a lot of us who've been beaten down for a long, long time suddenly got thrust into the limelight. And then when ransomware was a bit rife at the kind of during the lockdown period, we actually saw a lot of finger pointing at those poor CISOs who were sat there. You know, they're experiencing a situation, an incident as Yanya obviously, she deals with incident response, you know, quite significantly. Or they just experienced it and were coming out of it. And the last thing they needed was people going, well, you should have told us what we were doing in security. Because then you sit there and you think, I've been telling you this for bloody years. Why all of a sudden is this my fault? So I get where burnout in this industry comes from, and I get why the stats that I was reading seem to come up exceedingly high. But since our audience is predominantly infosec people, CISOs, that kind of thing, Yanya, I know you've told us in a TED talk, but do you kinda wanna go over just very briefly your journey through that in a way so you feel comfortable in communicating?

Yanya Viskovich [:

Yes. So, I mean, you've touched on a lot of really important points, Jim. And I agree with you. You know, professionals in the information security sector, but also in, really, the broader, you know, any kind of role that is aimed at protecting data or the systems that hold that data in an organization are typically regarded as the department of no. And, you know, I sometimes think, you know, in a way, my dad was a dentist, and I sometimes think that those working in information security are kinda like the dentists of the corporate world. You know, no one wants to go to them. We don't like going. We associate with pain and torture or whatever until the proverbial hits the fan and we really need to go.

Yanya Viskovich [:

Right? You know, we've got an abscess or whatever, and we absolutely we absolutely need to go. And I think I agree with you. You know, the fact that I think COVID has also played a big role in catapulting cybersecurity attacks, cybersecurity response and resilience into the limelight. And typically, those who've been attracted to the information security profession have not necessarily wanted to necessarily be in the limelight. Many of them, you know, I mean, I think speaking generally, preferred to have a role where they, you know, they were doing that technical work, and I think the change or the realization for businesses that actually, if you're running a business that requires you to be digital, or if you're using digital means to run your business, then cybersecurity becomes integral to your ability to continue bringing in revenue, to continue turning a profit. Mhmm. The problem, however, is that being able to speak the language of the board, being able to speak the business language is not necessarily something that you're taught as you're training, as you're gaining experience in information security and cyber security roles. And the flip side of that is, of course, that many people who serve on boards, many in the c suite, don't necessarily understand or have the language to appreciate how the cybersecurity risks are really business risks.

Yanya Viskovich [:

We see that playing out in terms of lots of organizations don't necessarily have a cyber strategy, 1, or they have a cyber strategy that doesn't actually speak to the business's objectives, their goals, the core business, and the business's appetite for risk. So you often see this disjunct, and I think that actually plays into this difficulty for CISOs and those in the information security sector to really be speaking the language of those who hold the purse strings and who make the big decisions. And I mentioned that in this to lead into my story because as I mentioned, my story really the TED talk I gave, which was, you know, why burnout culture is a cyber risk, really began because I'd been working in cybersecurity, as I mentioned, from a number of different angles. Then I have this personal experience, and then when I go into hospital, into a specialized burnout treatment program, I met so many people who were working in information security. I mean, as I mentioned, so it was during COVID, there were, of course, health workers there. Right? Allied health professionals as well. And you'd expect to see that during COVID because the impact on them was so huge. But the other big chunk, in fact, there were more information security professionals in hospital than there were health workers.

Yanya Viskovich [:

And this to me was just staggering. And, actually, research has since shown that cybersecurity professionals are experiencing rates of burnout and attrition that are much, much higher than even frontline responders. So when you consider that and you look at the figures, you know, you mentioned a couple of figures, really high rates of burnout in the profession. When I was researching for my TED talk, I came across statistics that were showing that 50 to 85% of cybersecurity professionals were burning out, already were burnt out. Gartner has predicted that by 2025, in just 2 years' time, a quarter of all cybersecurity leaders will change their roles entirely. Like, they will leave the profession because the stress and the burnout is just unmanageable. And I think we need to understand, okay, so why is that? And you mentioned a couple of things, Jim, that I think are highly relevant in this respect. We're working in a business environment that operates, you know, let's say, 8 till 7, 8 till 6.

Yanya Viskovich [:

It used to be 9 to 5, but I think the hours have stretched these days. And yet

Jim [:

Hours? Threat. And

Yanya Viskovich [:

yet, the threats that information security professionals are dealing with are 24/7. So you have this constant threat that's playing. If you consider the way our brains work, now I'm not a medical professional, but I've looked into little bits and pieces of this and to understand my own experience. Our brains are hardwired to sense fear. Right? To look out for things that might be dangerous to us, our amygdala. Now if you're constantly anticipating or thinking about a threat, then you're basically never giving your brain the opportunity to turn off, to switch off.

Jim [:

And I

Yanya Viskovich [:

think that's absolutely key when we're looking at the rates of burnout in the cybersecurity profession. Because I think it's the we are, we're dealing with the way in which humans are naturally hardwired to think and work, in terms of our brain functioning, and then we're faced with this very asymmetrical threat. Right? It's a constant threat. And then when you layer on top of that the difficulty in convincing the boards and the c suites to adequately resource this profession, you know, to give us the budgets we need that match the risk we're facing. As I mentioned, we're constantly seen as just asking for money, and what do you do? Nobody ever thanks you for preventing breaches and attacks. They only you only ever get, you know, told off when an attack or breach happens. And the other thing that happens, and I think you might have alluded to this earlier as well, Jim, is that typically once an organization experiences a massive data breach or cyber attack, typically, the CISO is looking at being fired. And I see that as a tremendous additional stress that you're constantly facing.

Yanya Viskovich [:

But also, it sends a terrible message for morale around the workplace and particularly to the security teams. And on top of that, it's a massive loss of institutional knowledge and memory and so forth. And there's nothing like a crisis. If there's one thing I learned in working in conflict zones in the UN, there's nothing like a crisis to bond you. Right? So here you have this tremendous experience. You know, your company has just gone through this huge breach. Your team has had to respond in ways that probably they might not previously have realized they needed to. A huge opportunity has just presented itself for learning and building on that.

Yanya Viskovich [:

And, typically, the CISO is by it. I think that's definitely adding to the stress and the burnout.

Jim [:

It's almost like, oh, thank you for helping get us out of that. Now we need a scapegoat. I mean, we have seen a few CEOs obviously go down that same route as well because there was no other choice, you know, sheer size of the breaches. But I mean, we've had some real doozy ones recently, if you've been keeping track of what's going on in the news out there for all those watching. A certain kind of group of individuals who look after the public and respond have just lost an entire database full of, you know, full of staff information, which is really dangerous, you know? Yeah. But, yeah. You're right. You know, there's a constant low level of stress.

Jim [:

And then you attach to that as well. Obviously, you've got homes everybody's got home stresses and, you know, I've got 2 young kids. There's nothing more stressful than 2 young kids running around the place, especially when you want 5 minutes worth of peace. But, you know, you layer all of this on top, and then, you know, something is gonna break. You know? At some point, something is gonna say right. Even the most stoic, enduring personality at some point is gonna go, okay. I think I've had enough now. And then, of course, you burn out.

Jim [:

Eve, you've got experience with a number of people who've been in that kind of situation. Yeah. Do people burn out in the same way? Are there things that you can universally spot? Say you've got a loved one who, weirdly enough, is in infosec or you're in infosec, and you're looking at yourself and thinking, you know, Yanya's absolutely right in what she's saying. I've experienced all of this. How does it tend to happen? Where does it all go horribly wrong?

Eve Parmiter [:

Let's begin with framing it in terms of a definition. Okay. So I'm just gonna link the clinical and the workplace that Yanya's just been talking about. So if you've read anything about burnout or you've just been involved in these conversations a while, you've probably come across the World Health Organization definition. But I'm going to just invite us to look at that slightly differently to make it more usable in this whole theme that we've got, converting theory into practice, happening. So the definition talks about burnout being the result of chronic workplace stress that has not been successfully managed.

Jim [:

Mhmm.

Eve Parmiter [:

We really need to split that word stress into stressors and stress. So we have the causes and we have the effects.

Jim [:

Okay. We do

Eve Parmiter [:

need to look after our people. So the individual is the one experiencing the symptoms, so the effects of it. But organizationally, it is the stressors in the workplace. So for the purposes of today and what people might do after this conversation, let's look at burnout as chronic workplace stressors that have not been successfully managed.

Jim [:

Mhmm. And

Eve Parmiter [:

I've got 2 framing questions that are rhetorical at the moment, and I'd love to hear your, response to these. If the conditions that create burnout, so the stressors in the workplace, were part of your threat landscape, what would you do differently? So that's for the stressors. For the stress, if the symptoms of burnout were mal wear and tear, what would you do differently? Because one of the really interesting things that the 2 of you have described is this chronic, ongoing, inescapable set of stressors and then stress effects on the body. So the signs and symptoms that this might be catching up with you, according to Maslach, we've got decrease of energy. So we lose our energy, we lose our engagement, and we lose our sense of being professionally effective.

Jim [:

Mhmm.

Eve Parmiter [:

So most people know that Maslach speaks about burnout, but she's got these 5 levels just so you can see whereabouts you're at. So when your energy, your engagement, and your efficacy are high, we're engaged. Things are good. Then we can start losing our sense of being effective, so we become ineffective. Then we start it doesn't have to happen in this order, but you might get it in this order. You might become overextended. So your workload is just too much, and you're running out of energy to meet it. And at some point, you become disengaged because what's the point anymore? So if you've got the 3 of those happening, this is where burnout comes in.

Eve Parmiter [:

Now in terms of what people tend to end up with when they're working with me, and just like with your profession, people don't actually want to work with a therapist. We have to get to quite a difficult place in order to go, oh, damn. Right. I, I can't solve this myself. Particularly for anyone in the helping profession. So if you are the one who fixes, solves, rescues, protects, defends, getting to a place where you go, oh, I've gotta sit in the other seat. That's a very difficult space to go.

Jim [:

I can see that. Yeah.

Eve Parmiter [:

Yeah. And let me say therapists, awful at it a lot of the time as well. Therapists. Anyone with our kinds of roles, normally, it's been going for so long. It goes on so long and so long when people, particularly if you're mission driven and you're doing something very important to you, we keep applying more energy. We keep working harder because we've always been able to solve things if we just put some more energy in. And then at some point, people have off the edge of the cliff moment. This is like you've probably heard the analogy of the frogs in a boiling saucepan?

Jim [:

Yeah. Yeah. Yeah. Yeah.

Eve Parmiter [:

You just don't notice it until it's pretty much too late. And then you are driving to work, and you drive past work because you just can't go in. Or you get up

Jim [:

in your room,

Eve Parmiter [:

and you can't actually get off the edge of your bed. You know, there are these moments, or you snap. There's just this moment of, right, there's a sufficient difference now. I'm in sufficient pain.

Jim [:

Wow. Because Yanya, yours was in, if I remember correctly from the TED talk, it was in the supermarket where you had that moment, wasn't it?

Yanya Viskovich [:

Yeah. I mean, exactly. I mean, as I said in my TED talk, you know, I went into a supermarket to buy some food for a friend coming to visit for the weekend. And I got a couple of meters in and I just stopped and I looked around and I didn't really I knew I was in a supermarket, but I didn't really I couldn't figure out what all the foodstuffs on the shelves were. And I just was like, I know that's food, but I don't really recognize it, and I don't know what to do with it. So it was a very scary moment, very scary, especially when you've done a whole lot of different things in your life and, you know, you've been quite high functioning and all of a sudden you go into a supermarket and you don't know what to do with the things on the shelves. I mean, that's terrifying. As Eve said, you know, you sort of it's like being a frog in hot water, and you don't really realize until it's kind of a bit too far down the track.

Yanya Viskovich [:

So sometime before, I think, like, 5 months beforehand, before that supermarket incident, my doctor had actually said to me, Yanya, you're having a burnout. It's really serious and, you know, you might need to go to hospital. And I was like, no no no no no no, you know, that's not gonna happen. I'll be fine. And I didn't really know what burnout was at that stage. I mean, I sort of, I guess, kinda conceptually, I, you know, I understood it as extreme exhaustion, but I didn't know that it was recognized, you know, as an occupational phenomenon. I didn't know what it meant. And I think, you know, something that Eve mentioned, which I think is super important to highlight, the World Health Organization, as Eve pointed out, has defined this as an occupational phenomenon.

Yanya Viskovich [:

You know, they don't recognize it as a medical condition, but they recognize it as an occupational phenomenon. And yet it has very real effects on the individual. And at the same time, I don't think we are necessarily seeing, despite the fact that the WHO recognizes that the workplace is a causative factor. Right? You know, Gartner research shows that burnout and attrition are outcomes of poor organizational culture. I see a lot of emphasis on what individuals can do to become more resilient. What I'm interested in and what I'm working on at the moment is what can organizations do in their cultures, in their systems, in their processes, in their approaches to prevent this from happening in the first place?

Eve Parmiter [:

And if I chime in there and say that the work that Maslach is doing around this, she helpfully, I think helpfully identifies 2 things. Number 1, that there is, there can be this mismatch between the person and the workplace, like a person, a job, and a workplace. And as you were speaking about earlier, there is this, what role are you in? And are you a good fit for the role you were talking about? You know, technical roles, wanting to be slightly more behind the scenes, and then needing to move into a strategic role to get things done, to have the sort of conversations that you need to be having. As we talk about this interface between, you know, the organism and the environment, if I get my therapy textbook out, you could be a great match to a role. So you could be in a great technical role, but the organization is just not for you. Or you could be in a great match with you and the organization, but you're in a technical role. You want to be in a strategic role or some other version of that. And the 6 factors that really influence this mismatch or not are workload, control and choice, rewards and recognition, social connection in the workplace, fairness, and values.

Eve Parmiter [:

So as Yanya is doing her analysis with her organizations, these are probably the kind of buckets to be looking at.

Yanya Viskovich [:

Definitely. Yeah.

Jim [:

Wow. To be honest, I mean, before reading what I read and then before I got to the TED talk, where Yanya discussed, you know, a bit more at length her story, I always thought burnout was just, you've just had enough. You just need a bit of time off. You know, you hear about breakdowns, but you don't necessarily attribute that to necessarily burnout as part of that. But it looks like that is pretty much the same thing. It's just maybe discussed you have described slightly differently. And obviously, there's different levels, I'm guessing. But it puts a little bit more perspective into some of what I'd read about how serious this really is.

Jim [:

And then hearing Yanya's story about what it's like to go through it is really frightening. I mean, being able to just something one day standing in a supermarket and pretty much feeling half of your brain just shut off for its own protection, I'm guessing. Because it's reached a point where it just can't deal with the situation. And something simple as deciding what to eat for you and your friend. It must be really, really frightening for anyone to go through that. I couldn't imagine doing that. But then I look at periods in my career where I've obviously suffered from a level of burnout myself, where, especially in the early days, early parts of my career, felt I wasn't being listened to, felt that my thoughts and my concerns for the company's well-being wasn't being listened to or met. And I would sit at the end of my bed and say to my girlfriend at the time, you know, I just can't face going in.

Jim [:

I just can't do this anymore. And then normally, I change jobs and it would get much better for a bit. And then sometimes you would go down the same route and then you change jobs. Maybe that's why CISOs, infosec people, we do tend to change jobs a lot faster. There was a period of, you know, and I won't go into any too much detail, but there was a period in my life for about 3 years or so where I experienced significant burnout as a carer to my partner who'd gone through something pretty terrible. Not my current partner, previous partner. And I experienced a similar viewpoint to you, Yanya, actually. And this is quite personal.

Jim [:

Oh, I don't know how I feel about this one. But just something related to how you felt in that supermarket because I was coming back home one day to this partner who was experiencing some chronic pain, and she'd been doing it for a while. She'd been on all kinds of drugs that changed the way she was. And I just stopped at because I live in Kent, which is quite picturesque and I stopped at a bridge by a river and just looked at this corn, like waves. You know, the wind was coming down and making it move like waves and just shut down at that point. I couldn't deal with the whole situation. Went back. Consequently, a couple of months later, it all fell apart, and I had to move on in my life.

Jim [:

And she, obviously, had to move on herself. It was when I was reading about what I was going through then, I realized that carers go through and you mentioned it actually earlier, like, caregivers go through it. Paramedics, I'm guessing. That kind of instances, you know, yourself. And I did hear many years ago that psychologists are renowned for suddenly one day exploding and experiencing significant challenges and they let it get too far before. So it's interesting. All of this is really interesting information and I think any of you out there who are listening to this, seriously take this on board because I think it's actually a hell of a lot worse than maybe even the stats are saying.

Eve Parmiter [:

So many people experience something like you have just described. We are 1 like, it's the same system. So it's the same organism that is experiencing these stresses from all these areas of life. And so even though we're talking about workplace burnout, there's this thing called allostatic load that you've probably heard of. If you think of the areas of your life as like your attack surface area, just to try and throw some subject specific terms in there. So if I break my leg playing my sport on the weekend, when I turn up to work, my leg is still broken. And so the accumulation of stresses that we have won't change necessarily in and out of the workplace. It's still the same organism.

Eve Parmiter [:

I think having a language and having an awareness that this is happening is really important. And I don't think that we are trained as we are trained to do our jobs. I don't think that we are given the terms and the tools and the interventions to take care of ourselves in a way that we need to take care of ourselves. So even as a therapist in my initial training, I wasn't told about the wear and tear of the work in this way and the effects of stress in this way. So in which I think is I was listening to I've been doing a lot of listening to podcasts and listening to webinars from cybersecurity professionals. And I was listening to James Coburn from I'm Oh, yeah.

Jim [:

Yeah. Yeah.

Eve Parmiter [:

He was speaking with Maslach, actually, Dr. Christina Maslach, and they were talking about hostility within the profession. So I'll just leave it at that because anyone listening is gonna know a lot more about that than I do from being on the inside of it. And I'm very much a guest in your space, so I'm not going to try and be too presumptuous with anything that I might know. But when we reach those ends of our capacity, we get what can be called empathic strain. It's like, I have cared so much. I can't find it within myself to care anymore. It's like an elastic band. You know, you stretch an elastic band enough times, and the rubber just goes, ugh.

Jim [:

Yeah. I know that one.

Eve Parmiter [:

Yeah. What we can do then with anyone who comes to us and says, oh, I'm struggling with x, y, zed. There's this kind of inner, like, like a shrug. And you may in terms of signs and symptoms that you might be going down that way, you might have someone in your life, anyone with a teenager perhaps, who comes in at some point and says, I shan't swear on your podcast, Jim, but FML?

Jim [:

Yeah. Yeah. Yeah. Yeah. Yeah.

Eve Parmiter [:

I've had the worst day ever. And my cue on that is I ended up rolling up my sleeves going, well, let me tell you. Yeah. So there's this silencing response we can have to other people. And if we do this with our colleagues, this is dire because this really brings in a level of sort of hostility or incivility or mistrust or just lacking this collaboration that we can have that's needed within the workplace. Does that ring bells?

Jim [:

It does. Yeah. You're absolutely right. It's hard when you're going through things, you don't wanna let on to your colleagues. You don't wanna let on to your friends, your coworkers. I mean, me, I'm a guy, and it's hard for us to open up even to our mates at times. You know, I'm not gonna go into a whole discussion of the reasonings behind that. Those are well documented and well discussed in various other forums.

Jim [:

But it is tough. And it's especially the professional environment because it's like, no, I've got to stay professional. I'm a professional. I've got to do my job. I've got to do what I'm here to do. Partly, it's because, obviously, you need it so you can fund your lifestyle. But on the other side of that, there is professional pride. And InfoSec people, as a general, have very high levels of professional pride.

Jim [:

They pride themselves in being there and being the rock for the organization to stand on when the floodwaters are starting to rise. You know, I will be there to support you. And I don't think it's appreciated at all in organizations. I have seen a few situations where it has been, and that's always been when it's already hitting the fan. They've got no other choice but to rely on, you know, what you're telling them. And they're just begging. And I have seen situations where people are begging, you know, some of my consultants who are when they're going through incidents, please, can you just help us? This is the end of my business if we don't get it resolved within the next 48 hours. And you resolve it, and then they're like, well, how did it get to this point? It's a little bit easier as a consultant where you're going in.

Jim [:

You know? But if you're a member of the team, technically a member of the company, and you experience that, as me and Yanya mentioned earlier on, sometimes you could be in the firing line afterwards. Not only did you fix the bloody problem and help them get through it, but then you get vilified for it. It's like, oh, cheers. So why should I bother then? But one of the things I found during lockdown, I spoke to a number of so I'm what's called a PCI DSS QSA, so I'm a qualified security assessor for a particular type of compliance in this industry called you know, related to credit card information. And I spoke to a lot of QSAs, and CISOs to be fair, who when they kind of first got locked down, they'd spent a week or 2 in the garden just chilling out and being them and experiencing the sunlight. And they weren't getting shouted at. They didn't have endless forms, and they didn't have this, and they didn't have that. They weren't constantly worrying about what was going on.

Jim [:

And they said, I'm not going back. I'm not doing it. I will do a bit of freelance stuff. I'll earn myself a little bit of beer money, as we call it. And we lost, in the industry, a massive amount of experience because they were meant to be teaching the next generation or next couple of generations of InfoSec people. And we've lost a hell of a lot of that in the industry. We don't have them mentoring the next generation. So we've got the next generation coming in.

Jim [:

And they're like, come on. Teach me what I need to know. But during lockdown, a hell of a lot of infosec people who'd been vilified and probably on the cast board had burnt out. Just turned around and said, right. I'm never going back. So, boom, here we are today. And, you know, you look at the stats as I go all the way back and wind us all the way back to, you know, seventies is sort of you only kind of mentioned it. 50 to 80% of CISOs burning out.

Jim [:

I bloody wonder, a, there isn't enough of us. B, we're not exactly treated particularly well. C, we don't have good mindfulness within an employment environment of how our staff stress levels are. I mean, I try with my organization. We're very, very small, so it's easy to spot when people are starting to crack a bit under pressure. But if you've got an organization of, like, 2,000, 3,000, 5,000, 20,000, it's a very different scale. Yanya, what are you doing to kind of promote this with what you're doing at the moment? Where can you see us feasibly fixing this within the industry? As an infosec person, how are you gonna stop me from burning out, Yanya? Because by the sounds of it, I'll get a bit worried now.

Yanya Viskovich [:

Yeah. I think it's really important to focus on the solutions. And I actually see that a lot of the research around what makes organizations particularly successful, both in terms of, if you look at just the research that comes out of what makes organizations that year on year keep performing super well. They all have one thing in common, and that is they have really strong, healthy organizational cultures.

Jim [:

Yeah.

Yanya Viskovich [:

If you look at Pixar, for example, they have a culture where failure is destigmatized. Right? They're one of the most successful companies on the planet, and they consistently put out top films. And I actually see that a lot of the problems we're facing in information security industry are really products or symptoms of larger organizational issues around how our organizational cultures are working. What are we doing to create cultures in those environments where making mistakes, innocent mistakes, is not stigmatized, but is seen as an opportunity to learn from? You know, if I look back, I mean, I've had a really for me, my career has been really interesting. I've done a lot of cool stuff. If I really reflect back on my life, the things that I've really learned from have not been the successes. They've been the failures. You know, I wouldn't wish a burnout on anybody, and I certainly wish that I could've learned these life lessons a different way.

Yanya Viskovich [:

But I did learn certain things from that burnout. And I think we need to get to a stage in our organizations where we see that mistakes and failure are really your best opportunity to iterate and learn from and do something differently, so that next time, it's not as bad. We need to have a tolerance for failure, but an intolerance for incompetence. Right? We need to invite cultures that invite questions and difficult ones, and that invites people to challenge the status quo, to invite people to say, yeah, I've noticed that something's wrong here, or I see this as a potential risk and I'm raising it. Because when we do that, I think we ultimately then end up with a situation where phishing attacks will end up being dealt with much faster. You know, just to explain myself what I mean here, the average so phishing attacks still remain the number one way that attackers get into organizations. Right? Firstly, we need to understand why that is, but then we need to look at, okay, well, once that happens, once someone does click on a phishing link, what happens then? So the average amount of time between an attacker getting into an organization and then the organization realizing it and then being able to deal with it is 287 days on average. And the question that I pose is that average time, if we make it much easier for people to be able to put up their hands and say, I think I've clicked on a phishing email.

Yanya Viskovich [:

I think I've made a mistake. Because at the moment, many, many organizational cultures are such that people don't feel safe enough to be vulnerable. Whether that vulnerability is, Or it is feeling safe enough to be vulnerable about having made an innocent mistake. And the other thing I think we need to look at is human factors. Right? So this is the area that I focus on. There's a tendency in infosec to concentrate on the technology, the hardware and the software. But we know that the technology is also something that's either undermined or made more sustainable when the processes and the people that use that technology are also equipped with the awareness, the education about how to use that technology and why it's important. And I think that the tendency of the information security industry to overlook the user and user behavior also ends up being a double-edged sword for us because it means that we're also less likely to be able to also leverage that I actually see the trying to mitigate a lot of our cyber issues is intrinsically linked with our organizational cultures being ones where we feel safe enough to be more vulnerable and where we really center the human.

Yanya Viskovich [:

We look at how our workplace processes are either creating additional friction, which then ends up, you know, pardon my language, but pissing everyone off and making security controls look like, no wonder we see them as the department of no because they're just making me do my, you know, they're hindering my ability to be super efficient in my job. If however, we think about how people interact with the technology, and if we think that humans are largely like water, we try to find the fastest, easiest course route to our endpoint. Then if we then think, okay, how can we make these layers of security controls easier for our people? Let's talk also about how it can improve their own personal lives and then have them bring it to their professional lives. And at the same time, if we are operating in workplaces where we have reduced process friction. We are putting the human at the center. We encourage questions. We encourage people to challenge the status quo. We encourage people to put up their hand and say, yep, I think I've made a mistake.

Yanya Viskovich [:

I think we're actually not only just gonna drive down and mitigate human risk in cyber, but we're also going to, I think, significantly, positively affect the stress and the overwhelm and the burnout rates amongst professionals in our industry.

Eve Parmiter [:

I think that answer and that reflection is an indication of both the vastness of the task Yeah. But also the 1% changes, like the smallest dominoes we can start knocking over to make a difference. So I'm gonna link some things together. Yanya mentioned the word tool, and I have a particular soapbox when it comes to the word tool and tool users. When we talk about the effects of stress and what it does to us, I think it's useful to think about tools, skills, and states. Right? I'll give a really short example. If I'm a painter and I'm holding a paintbrush, my paintbrush is my tool. My skill is my ability to use my tool, and my state is my ability to use my skill.

Eve Parmiter [:

If I'm in no fit state, so a painter if I'm particularly anxious and I'm shaking, I can have the best tool in the world. I can have the best training for the skill. But if my hand is shaking, I can't access my skills to use my tools. So this is where we get into the state of unforced errors. I'm not in a fit state to notice the difference in the email address, or to notice the link is a bit odd, or to have a difficult conversation, or to risk trusting the security team. So that's number 1. Then we get into a sense of co-regulation. So if I am not in a great state, I'm reliant on the people around me to help me co-regulate.

Eve Parmiter [:

So this is the sense of community. Do I trust my people? As Yanya was saying, is there psychological safety here? Can I actually say I've made a mistake and I expect to be treated fairly from this? Community can help with the use of a tool called the Critical Incident Technique. So you might have heard of the critical incident technique. It's used in organizations. It's also used in therapy and coaching where you ask someone a question like, please tell me the story about a time when you were treated with great fairness. Or please tell me the story about a time when your team was unable to solve a problem. And then we ask about, you know, the precursors, the beginning, the middle, and the end of what happened, any of the structures, any of the processes, any of the outcomes. And then we say, okay.

Eve Parmiter [:

So given that, how could we, emphasis on the we, apply those lessons to this problem, to this unfairness, to this task that we can't seem to solve, to the issue of a lack of trust, to whatever it is that you have identified as being related to burnout and getting in the way of your operational effectiveness. People are and as helpers, we're probably gonna understand this. People are more likely to be vulnerable and to share their stories if they think they're doing it for a we, so we are changing the system rather than going, I'm telling you this so that you can fix me. Right? So we're empowering the person in your team to make a difference to everyone else in the team. You might have someone in your organization who has training to do that, or you can have conversations directed in that way. The final thing that I will say is, in terms of what we can do, satisfaction is really important. And James, when you were talking about the situation with CSOs in that 1st week or so of lockdown, of sitting in their garden going, done, Done. Yeah.

Eve Parmiter [:

Not doing this anymore is insufficiently rewarding. Mhmm. Great satisfaction is a buffer to stress. If you can actively identify for yourself what is particularly satisfying about your work, and if you can say it to your colleagues, so you see someone doing something really well, and you tell them that was really good, what you did there, you really had a great effect. And I was listening to Bruce Hallas and his rethinking the human factors podcast, and he was chatting to a gentleman involved in the response to the Maersk incident. This person whose name I've forgotten for the moment, I apologize, he was saying that he was seeing the first non security person log back on after everyone had been offline for however long. When this person was able to log back on, they burst into tears because of how much it mattered to them to be able to get back in to do their work. And he was talking about when the security team heard about that.

Eve Parmiter [:

This is how much your work matters. This is the difference you have made.

Jim [:

Mhmm.

Eve Parmiter [:

And so then we go, I am being effective. I do feel engaged. I'm not quite as cynical as I was before. It is worth it to do this.

Jim [:

I think for the first time in the history of this podcast, I'm kind of at a bit of a loss at what to say now. I think there's a lot of food for thought here, I think. I mean, I can tell you now, Yanya, I'm adding a new layer to my defense in depth iceberg setup that I've got for organizations that includes psychological health of not only the staff, but understanding the psychological culture behind the organization. I always did a bit of that anyway whenever I walk into an organization. One of the things you have to get in touch with is the culture. You know? When you walk into an organization in Gibraltar, for instance, it's gonna be a very different culture from if you're walking somewhere in London or Manchester or Aberdeen. Not just the culture from the local area, but the people and the business type as well. You're a consultant.

Jim [:

You know what that's like. You go into a finance company, and it's gonna be very different from a software development company. And if you're walking into an organization where it's predominantly a lot older generation people working, it's gonna be an extremely different culture from an organization you're walking into with a very young generational group who maybe a new startup, that are creating their first AI for whatever AI is gonna where it's gonna be used for everything soon. But and then the first thing that we do as infosec professionals is get a feel for the company. But I'm now starting to worry. And I do. I worry about my consultants. I specifically say no more billable time over a certain percentage out of their yearly work life or weekly or monthly, however you wanna term it.

Jim [:

And we specifically try never to go above it. Sometimes you can't help. Sometimes, like, big projects come in and you've gotta get it done. But I always try and give them that bit of extra time off once those big pieces of projects are done to take some time for themselves, maybe do a course they wanna do. You know, reward them in various different ways because, I mean, Eve, you're absolutely right. The least you can do, if somebody has done right, is to at least thank them for it, and it goes a long way to making them feel happy. Because if you sat there and you're never thanked for the work that you do, eventually, some point down the line, like those guys I mentioned sitting in the garden, they're gonna go, what bloody hell am I gonna go back? No one ever thanks me anyway. I'll just stay here.

Jim [:

Maybe that's apathy or whatever. But I think definitely both of you have convinced me that I need to re-review looking at cultures within an organization to include any mental health programs they may have. You've actually convinced me now to possibly speak to Eve offline about engaging some assistance in organizations that we're dealing with or my own organization where we've got people who are doing this day in, day out to actually kind of maybe on a regular basis. Just check in. Is there anyone, like, on this path? Are they really close to this path and we just don't know about it? Are they fine at the moment, but just want to kind of watch out? It's like doing a pen test for people's brains, really. You know, significant resources. Because the one thing you can't have fall over during an incident is your infosec people. If they suddenly fall over with stress halfway through an incident, your incident's not gonna get fixed.

Jim [:

Or, God forbid, it's gonna go to a group of people who don't know how to deal with an incident, and they're gonna deal with it completely outside of the procedure that you've put in place. You know, no matter even if they've got procedure in front of them. I think there's a lot that the infosec community needs to learn about this particular subject matter because I don't think we understand it. I don't think we necessarily have taken it seriously. I don't think it's our fault. I think it's a situation, in many cases, we've been kind of thrust into. I think as infosec people, is it part of our responsibility to identify the lack of interest in professional burnout as a security risk on our risk registers. Because, again, just going down a rabbit hole, if you've got a single point of failure in the form of a finance officer, and that finance officer decides one day they're absolutely gonna lose it, burn out, and disappear to the Bahamas and never come back.

Jim [:

Your organization is just, you know, and I'm gonna swear now, kind of buggered really because, you know, you're not gonna be able to pay any bills. You're not gonna be able to necessarily pay staff. When we do disaster recovery, sometimes we do, you know, the personnel thing rather than the disaster recovery thing about, you know, we've been ransomwared, or we do kind of workshops. And the last one we did, or the one we did in Q1 of this year, was I died. I was found dead in my office, and that was it. And my staff had to react. And I wanted to see how they'd react. And it was really interesting.

Jim [:

Who's succeeding? How are they gonna carry on? How are they gonna deal with things? And we actually saw people cracking just on that workshop. You know, not in a bad way, but, like, saying, you know, this is quite a difficult scenario to run because I'm starting to feel the emotions of what it's like.

Yanya Viskovich [:

I really admire your open-mindedness to this topic and your commitment to also addressing it. We have seen in a number of organizations, particularly really large organizations over the last couple of years, especially during and since COVID, increased attention on mental health of their employees. We've seen, you know, additional yoga classes given to employees. We've seen them being given, you know, free access to meditation apps and so forth. I wanna say this, all of those measures are great, and they're important. And, of course, you know, as I mentioned in my TED talk, meditation and mindfulness has been very helpful for me, but also research has shown that using mindfulness in security awareness training programs also significantly reduces the rate of successful phishing attacks, which I think is super interesting. Right? But it makes a lot of sense. So all of these things are great.

Yanya Viskovich [:

They're important. We have to do them. But the solution to this problem of excessive rates of burnout in our organizations, particularly in our information security teams, requires multidisciplinary solutions that look at both the individual, but also the organization. And as I mentioned earlier, you know, the research shows that burnout and nutrition are outcomes of poor organizational culture, so we cannot yoga class or meditate or well-being initiative our way out of this. Those things are super important, but we really need to, you know, if we come back to the definition again from the World Health Organization, this is an occupational phenomenon. So if the causes are occupational, then that's also where the solutions lie, in large part. Of course, it matters what an individual does, and the individual can either undermine their recovery or they can increase their resilience and reduce their risk of being prone to burnout. But if you look at the numbers of people burning out, we spoke about them at the beginning of our conversation, you know, huge numbers.

Yanya Viskovich [:

In 2022, Microsoft conducted a study. They conducted it across 11 countries, 22,000 people. They were looking at cross industries, cross job levels. They found that half the entire workforce was burnt out. Half. So if you just take that number, and you think, right, so is it that all of those people are just really, really bad at managing their own stress? Or is there something bigger, broader, and more systemic at play that is really compounding the problem? And I think that we really need to look also at what is happening inside our organizations. Right? So we spoke earlier about the hostility, and that's something that I've seen across industries, across organizations, very much between departments. You know, often there's a big tension between compliance and security, or legal and security.

Yanya Viskovich [:

And, yes, we understand we have to do these things, but it's holding us up. And, you know, we need to push through this M&A deal. Can't we just quickly do this? So we need to look at ways of, I think, making cybersecurity core to the business. It is core to the business. If you run a business that's reliant on the Internet, then cybersecurity is core to your business. So I think what we need to do is, as information security professionals, we need to pivot the conversation from one of fear-based mongering, right, fear mongering. So, you know, if we don't do this, then this attack's gonna happen, to one of value proposition for the business. How can we demonstrate that by taking these particular security measures, we're actually securing the business's core, you know, crown jewels.

Yanya Viskovich [:

We are enabling the business to continue operating despite the threat landscape that continues to evolve. And I think, of course, we need to perhaps get better at communicating this, but also, equally, the business, the boards, the C-suites, they need to also educate themselves about how cyber security and cyber resilience is core to their business's value proposition, and core to their business's ability to continue operating despite the current risks these days. And whatever cybersecurity controls an employee or a business is willing to tolerate should be directly proportionate to the business's risk appetite that the board is ultimately setting. But, unfortunately, we see a big disconnect between, you know, boards saying, oh, we will tolerate this much risk appetite, but then taking a completely different decision when it comes to funding cybersecurity budgets. So I just wanna say that, you know, we can't well-being initiative our way out of this. This is a problem, which therefore requires multidisciplinary solutions.

Jim [:

Yeah. I mean, do you think burnout's reached a point where so I've I've I've see so head on my shoulders. You're going through all kinds of things now. Initiatives upon initiatives. You know, I mean, we're starting to think about creating a burnout procedure where staff can recognize burnout and their leaders, they can they're like their own CISO. So especially if they've got, like, a pen testing unit, you know, the pen testers burning out, so they've got too much work, or they've got too much stress. You know, I'm starting to consider it my own bloody company now. There you go, Eve.

Jim [:

You've already had a massive effect on me, along with Yanya now.

Yanya Viskovich [:

I do think it can be helpful to have, you know, some ideas or indicators that show some risks, but I think if we wind the clock back a little bit further so we don't have to get to that stage, let's wind it back to the point where we're putting in place in our organizations processes and systems, or we're adequately resourcing our cybersecurity teams in line with what the board has set as the risk appetite for the company. Let's put in place these things so that we don't need to be saying, oh, I think that person's on the verge of burnout. I mean, I really do think that there are a lot of things we can do on the organizational side to stop us from getting to that stage.

Jim [:

I have a very risky question I can ask of you guys, actually. Bearing in mind the stats that we've seen coming out from these, and we're talking about it now, and it's not something that's been done necessarily before. Is it too late for us? People in our situation, I mean, maybe not. Obviously, the next generation of InfoSec people coming in, they're gonna be a lot more aware of this in ways that we have not been till now. But for us as infosec people at the top of our game at the moment, we've already experienced this kind of level of work and the way that it's been. We've discussed it at a great length. Is it too late for us?

Eve Parmiter [:

I think it's such an important question. You have and I'll give you a sort of provocative and controversial answer back. You were both talking earlier about an organization goes through a difficulty, the CSO gets them through it, and then the organisation says, well, we need to get rid of you. Why are you getting rid of the person who has developed all that learning and is now better able, given rest, as you said, Jim, you give them rest, time to recover, and you come back, and you have done this supercompensation. Right? You've learned you are now fitter for the task. You are now in a better place for the obstacle in front of you because there will be another obstacle in front of you. Don't do that with yourself.

Jim [:

Mhmm.

Eve Parmiter [:

One of the effects of burnout is when we become more sensitive to future stressors.

Jim [:

Mhmm.

Eve Parmiter [:

Now this can be a strength or a weakness, depending on how you use it. You have better detection for stress now if you are able to listen to your body. So you know the signs. Develop your own resilience. Don't throw yourself out as if you were the CSO of your own life. Mhmm. Secondly, I'm going to make an assumption about your profession, but I imagine that most people in the profession are early adopters. That you have an enthusiasm for embracing some kind of change.

Jim [:

Oh, yeah. You kind of have to. It changes so quickly in this environment.

Eve Parmiter [:

So there's a temperament. There's a skill set. There's an experience about, okay, if we think back a 100 years ago on what occupational health and safety was like, we can look at that and go, what were they doing? And I hope

Jim [:

Is there any?

Eve Parmiter [:

Quite.

Jim [:

And which

Eve Parmiter [:

is the sort of conversations we're having now around burnout. Like, what

Jim [:

Mhmm.

Eve Parmiter [:

What are we doing with that? How are we are workplaces in terms of what you can actually do in terms of the structure to prevent it? So in 10 years from now, which is a long time in your profession, you will look back in 10 years on the situation that you're in now and go, I can't believe we were that unprepared, that we had all these vulnerabilities which we hadn't patched, again, using terms well outside of my scope of practice. So it's important not to get burnout because it's difficult to recover from, but you can use those greater sensitivities and strengths now. That's me off my soapbox.

Jim [:

No. Just before I hand back over, so we can go through our final thoughts on the matter, I've just been looking at the time and I've tripe so I could be talking about this for another couple of hours at least, but we don't have the time. All of this is such good food for thought. I just don't know where to begin really about approaching how I feel about this. I think this is yeah. I think this is gonna be important for anybody, any of you out there watching this. It'd be really interesting to know your thoughts. Please feel free to drop me a line up by LinkedIn or whatever or email.

Jim [:

There's plenty of ways, you know, to get a hold of myself. I think this is such an important topic. I went into this knowing it was gonna be important. I didn't quite know how important. I now find it, and it's gonna take me a little while to process quite what we've gone through. And I'm and wow. Eve, Yanya, fantastic. Yeah.

Jim [:

I'm gonna hand over to the final thoughts from you guys, because I don't really know what to say anymore.

Eve Parmiter [:

Alright. Sense of agency. I'll let Yanya talk about the organization side of it, and I'll suggest something that you can do as an individual. Look at your track surface area of your life. See where the stresses are. Look for 1% change.

Jim [:

Mhmm.

Eve Parmiter [:

So what can you Is there a stressor that if you had to, if you had to, you could take off your plate? So what can you do to reduce the load? And then once you've done that, what can you do to support yourself? Do you need to find a group you can speak to? Is there anyone, an ally in the workplace, who you can have proper conversations with about how you're actually doing? So finding a point of connection and taking something off your plate.

Yanya Viskovich [:

I think the first thing is talking about it. Right? So this podcast, you know, I've seen conference programming increasingly talking about this issue. There's much more attention on this issue in the media, by researchers. There are bespoke groups coming up to deal with this issue. And that's the first point. We need to keep talking about this and raise awareness amongst our industry and broader within the organization because that's gonna do 2 things. 1, it's going to show how prevalent this is. You know, we talked about the numbers.

Yanya Viskovich [:

It's going to, I think, increase attention on the human factor. The fact that when we're stressed, when we're overwhelmed, it actually changes the way we make decisions, and we're much more likely to make a decision that will lead to a cyber attack if we're really stressed and overwhelmed. So I think that's a really important point to note. I haven't yet seen a risk register or a threat model that includes burnout and stress and overwhelm. I think we genuinely need to consider whether we do need to start incorporating that into our risk registers, into our risk modeling, because there are researchers out there like Professor Jeff Hancock at Stanford University who's looking into precisely the impact of stress and understanding how stress impacts our behavior and how that then impacts our cybersecurity risk. I think we also need to think about showing that cybersecurity risk and resilience is part of the core value of a business. Start presenting it as part of the business's value proposition, and not just, you know, a service within the business. We're not just stopping cyber attacks from happening.

Yanya Viskovich [:

We're actually enabling the business to continue operating in the face of a growing threat landscape.

Jim [:

Couldn't agree more on both finishing points. And that's it, I think. So, yeah, I'm gonna have to think about this quite significantly afterwards. I've never been speechless before. So if people wanna find you, Eve, where can they find you? Obviously, you're on LinkedIn, but, you know, I know you've got a website and stuff.

Eve Parmiter [:

I do. evepalmater.com. And send me a message. Let's talk.

Jim [:

Fantastic. And, Yanya, obviously, everyone's on LinkedIn these days.

Yanya Viskovich [:

Yeah. Yes. I'm happy to answer any questions on LinkedIn. Drop me a line there.

Jim [:

To all of you out there, please feel free to get in contact. If you feel that you are in this kind of situation, please feel free to reach out to Eve. You know, she's definitely somebody, by the sounds of it, who can help you through it, as I'm sure Yanya will agree with. And if you wanna contact us about anything in general, maybe you wanna hear a little bit more about this kind of subject matter from these fantastic experts as it sounds like there's a hell of a lot more to it, and we've only literally just scratched the surface. So please feel free to get in touch with us. Thank you ever so much, and we'll be speaking to you again soon. Eve, Yanya, it's been absolutely amazing, and thank you ever so much.

Yanya Viskovich [:

Thank you. Thanks so much, Jim. It's been great to chat with you both.

Jim [:

And thank you for listening to the latest edition of Razorwire. It's always good to get feedback. Please feel free to reach out to us, you can reach out to us via LinkedIn or through our website www.razorthorn.com. If you feel that there's something that we should cover, maybe a little bit more in-depth, a new topic, or something of interest to you or the community at large. Got any recommendations or you want us to interview people, we'll reach out to those individuals. So it'd be great to see what your feedback is.

Jim [:

In addition, I do have a book recently come out, The Cyber Sentinels Handbook, A Primer for Information Security Professionals. Now this book is very much geared up towards professionals at all levels of their career, be they starters, be they newcomers, be they people who've been in there for a little while and maybe looking for a little bit more direction, albeit the older ones looking to maybe reground themselves in some of the more important aspects of the trade that maybe they've forgotten over time. I've had lots of good feedback from a lot of different readers of lots of different levels, so please feel free to get yourselves a copy. We've got the e-copy. We've also got the paperback copy, and if you don't wanna spend any money, you can go on Kindle Unlimited and read the book for free there as well. Thank you ever so much again. Look after yourselves, and we'll be seeing you again soon.


About the Podcast

Razorwire Cyber Security
The Podcast For Cyber Security Professionals
Welcome to the Razorwire podcast where we share information, best practices and up to date news in cyber security and infosec.

Our mission is to help you become a better cyber security professional and support our vision of creating an agile community of cyber professionals who are stronger than ever before.

This show is first and foremost about sharing knowledge and benefiting from collaboration. We bring you the advice and wisdom of both your host, James Rees, and his guests to build on the strength and depth of your own knowledge and experience.

Your host James Rees is an information security veteran with over 25 years of industry experience and is the founder of Razorthorn Security, delivering expert security consultancy and testing services on a day to day basis to some of the largest and most influential organisations in the world, including many in the Fortune 500.

The Razorwire podcast is for cyber security professionals looking for new ideas and the drive to improve their response to cyber security events. Through collaboration, we can strengthen our defences.

For more information about us or if you have any questions you would like us to discuss on the podcast email podcast@razorthorn.com or head to www.razorthorn.com