When it comes to penetration testers, we often talk about the gap in the market: that we need more people entering the industry, whether that’s graduates or career changers. Perhaps we need to discuss why there is this gap. Cyber security is a fast-growing industry, which leads to an increase in demand for penetration testers, a demand that current penetration testers are struggling to meet. This is down to multiple factors, including a lack of newcomers to the industry and burnout in current penetration testers.
What is burnout?
Burnout is described by Mental Health UK as being “a state of physical and emotional exhaustion. It can occur when you experience long-term stress in your job, or when you have worked in a physically or emotionally draining role for a long time”. Burnout rarely goes away on its own as it’s usually a direct result of struggling at work. Whilst not always easy to spot, employers should keep the common signs of burnout in mind when interacting with employees. Common signs of burnout can include:
- Feeling tired or drained most of the time
- Feeling helpless, trapped and/or defeated
- Procrastinating and taking longer to get things done
- Feeling detached/alone in the world
- Having a cynical/negative outlook
- Feeling overwhelmed
Is burnout a big issue for penetration testers?
A recent study conducted by Edelman Data and Intelligence on behalf of Microsoft showed that 50% of employees and 53% of managers said they were burnt out at work. The study was conducted across 11 different countries and included over 20,000 participants. Whilst this study was not aimed at penetration testers, the data is reflected in the cyber security industry.
‘The State of Pentesting 2022’ by Cobalt investigated burnout within the industry. This report found that of the 602 cybersecurity and software development professionals surveyed, 58% said they are currently experiencing burnout. Of this 58%, a further 63% said that this was impacting their mental health, and 64% said the stress of the job has affected their physical health. This ongoing stress due to burnout has led to 54% of the surveyed security respondents saying they are considering quitting their jobs.
94% of the security professionals surveyed stated that they had been affected by the current labour shortages. Whilst the fact that there aren’t enough candidates to fill the number of roles available is a contributing factor to this shortage, the study found that people quitting their jobs due to burnout is also an important contributing factor – 84% of respondents said that someone from their team has left within the past six months.
90% of those surveyed who have experienced shortages or had team members leave their roles stated that they are now struggling to manage their workload. The study found that security teams have faced issues in the following areas:
- 66% struggle to maintain high quality security standards
- 79% struggle to consistently monitor for vulnerabilities
- 69% struggle to monitor for and respond to security incidents
How can we fight burnout?
The difference between stress and burnout is that stress is more short term, and burnout is often the result of extended periods of stress that affect people on a longer-term basis. As such, a good way to prevent burnout in the first place is to effectively manage your stress levels. One of the ways you can help manage your stress levels is maintaining a good work/life balance, making sure you take regular breaks away from your work to keep a clear head.
Penetration testers have a higher level of utilisation compared to other roles and are expected to consistently deliver at an elevated rate as a result. It is important to advocate for yourself to your PMO to get the necessary days to upgrade systems and catch up with research/CPD.
Another way to help fight burnout is communicating with your team, colleagues, and management. Elements of your job that contribute to burnout can easily snowball if ignored. Sharing the mental load with your team helps you to stay present in the moment and can ensure the workload is being shared equitably. If you feel you are starting to struggle, speak up. Those around you would rather help than see you leave your role in the cyber industry.
From a management perspective, make sure you keep up regular communication with your team. Encourage the members of your security team to say something when they feel overwhelmed with their work. Another way to help beat burnout is investing time and energy within your team, helping to facilitate training and helping them reach their career goals. This will prevent you from having to try to fill their position if they eventually leave, and in the short term will help you build an excellent team of penetration testers.