Friday, December 21, 2018

Managing Burnout

This is not strictly an information security post, but the topic likely affects a decent proportion of my readership.

Within the last few years I experienced a profound professional "burnout." I've privately mentioned this to colleagues in the industry, and heard similar stories or requests for advice on how to handle burnout.

I want to share my story in the hopes that it helps others in the security scene, either by coping with existing burnout or preparing for a possible burnout.

How did burnout manifest for me? It began with FireEye's acquisition of Mandiant, almost exactly five years ago. 2013 was a big year for Mandiant, starting with the APT1 report in early 2013 and concluding with the acquisition in December.

The prospect of becoming part of a Silicon Valley software company initially seemed exciting, because we would presumably have greater resources to battle intruders. Soon, however, I found myself at odds with FireEye's culture and managerial habits, and I wondered what I was doing inside such a different company.

(It's important to note that the appointment of Kevin Mandia as CEO in June 2016 began a cultural and managerial shift. I give Kevin and his lieutenants credit for helping transform the company since then. Kevin's appointment was too late for me, but I applaud the work he has done over the last few years.)

Starting in late 2014 and progressing in 2015, I became less interested in security. I was aggravated every time I saw the same old topics arise in social or public media. I did not see the point of continuing to debate issues which were never solved. I was demoralized and frustrated.

At this time I was also working on my PhD with King's College London. I had added this stress myself, but I felt like I could manage it. I had earned two major and two minor degrees in four years as an Air Force Academy cadet. Surely I could write a thesis!

Late in 2015 I realized that I needed to balance the very cerebral art of information security with a more physical activity. I took a Krav Maga class the first week of January 2016. It was invigorating and I began a new blog, Rejoining the Tao, that month. I began to consider options outside of informations security.

In early 2016 my wife began considering ways to rejoin the W-2 workforce, after having stayed home with our kids for 12 years. We discussed the possibility of me leaving my W-2 job and taking a primary role with the kids. By mid-2016 she had a new job and I was open to departing FireEye.

By late 2016 I also realized that I was not cut out to be a PhD candidate. Although I had written several books, I did not have the right mindset or attitude to continue writing my thesis. After two years I quit my PhD program. This was the first time I had quit anything significant in my life, and it was the right decision for me. (The Churchill "never, never, never give up" speech is fine advice when defending your nation's existence, but it's stupid advice if you're not happy with the path you're following.)

In March 2017 I posted Bejtlich Moves On, where I said I was leaving FireEye. I would offer security consulting in the short term, and would open a Krav Maga school in the long-term. This was my break with the security community and I was happy to make it. I blogged on security only five more times in 2017.

(Incidentally, one very public metric for my burnout experience can be seen in my blog output. In 2015 I posted 55 articles, but in 2016 I posted only 8, and slightly more, 12, in 2017. This is my 21st post of 2018.)

I basically took a year off from information security. I did some limited consulting, but Mrs B paid the bills, with some support from my book royalties and consulting. This break had a very positive effect on my mental health. I stayed aware of security developments through Twitter, but I refused to speak to reporters and did not entertain job offers.

During this period I decided that I did not want to open a Krav Maga school and quit my school's instructor development program. For the second time, I had quit something I had once considered very important.

I started a new project, though -- writing a book that had nothing to do with information security. I will post about it shortly, as I am finalizing the cover with the layout team this weekend!

By the spring of 2018 I was able to consider returning to security. In May I blogged that I was joining Splunk, but that lasted only two months. I realized I had walked into another cultural and managerial mismatch. Near the end of that period, Seth Hall from Corelight contacted me, and by July 20th I was working there. We kept it quiet until September. I have been very happy at Corelight, finally finding an environment that matches my temperament, values, and interests.

My advice to those of you who have made it this far:

If you're feeling burnout now, you're not alone. It happens. We work in a stressful industry that will take everything that you can give, and then try to take more. It's healthy and beneficial to push back. If you can, take a break, even if it means only a partial break.

Even if you can't take a break, consider integrating non-security activities into your lifestyle -- the more physical, the better. Security is a very cerebral activity, often performed in a sedentary manner. You have a body and taking care of it will make your mind happier too.

If you're not feeling burnout now, I recommend preparing for a possible burnout in the future. In addition to the advice in the previous paragraphs, take steps now to be able to completely step away from security for a defined period. Save a proportion of your income to pay your bills when you're not working in security. I recommend at least a month, but up to six months if you can manage it.

This is good financial advice anyway, in the event you were to lose your job. This is not an emergency fund, though -- this is a planned reprieve from burnout. We are blessed in security to make above-average salaries, so I suggest saving for retirement, saving for layoffs, and saving for burnout.

Finally, it's ok to talk to other people about this. This will likely be a private conversation. I don't see too many people saying "I'm burned out!" on Twitter or in a blog post. I only felt comfortable writing this post months after I returned to regular security work.

I'm very interested in hearing what others have to say on this topic. Replying to my Twitter announcement for the blog post is probably the easiest step. I moderate the comments here and might not get to them in a timely manner.


Anonymous said...

Great post and thank you for sharing! Glad to hear that you're still pushing ahead with continual learning and growing yourself. I just finished a finance degree to top off all of the insurance and risk management work around InfoSec I've been doing for over 10 years. I also decided to take a bunch of non-tech/business electives like Buddhism Studies. I definitely agree that a person needs more than just their primary activity. Good luck in the future!

Anonymous said...

I am so happy I ran across your blog. First thank you for sharing your journey and how you have dealt with burnout working in security. I lead a security team responsible for critical infrastructure protection and have been feeling major burnout for the past 6-months or so. I too have some conflicts with my work culture, specifically working with developers who think IT and security serve them. I totally agree with finding something physical to take on for me its Brazilian Jiu Jitsu though Krav Maga looks fun! You have given me a lot to consider, I do miss the early days when everything was exciting and I had a deep passion for security. Maybe it is time for a break?

Anonymous said...

Thanks for this. We need to get better at this conversation.

A while back I took a radical career change, ditching seniority and compensation. I may be headed back to the field, but I am so glad I took on challenges outside our bubble. If you need a break or want to try a different path, roll with it - the recruiters aren't going anywhere and life is jazz.

Unknown said...

Too many people get burned out and D on't take a break. It helps everyone, self, family, work, to refresh. Thanks for sharing!

Sandi said...

Thank you for your insight. After almost 40 years in numerous variations on Infosec, I find that taking breaks to look at things from fresh perspectives has intellectual as well as physical benefits. Sometimes observing actions or processes that ostensibly have nothing to do with information security brings innovative approaches. And so glad you found a cultural fit. All the difference in maintaining curiosity and sanity...

Anonymous said...


Many kudos for your openness to sharing a very personal experience regarding your journey through the PhD / job transition/ career path of the past few years. I would agree that many, if not most of us in the Cyber career path (as well as other high-performance careers) eventually experience "burn-out" or at least start to ask if what we're doing at that point is what we really want to do. I look forward to your continued blogging and seeing how this new set of activities engages your passion for learning and making a difference. -fellow USAFA grad.

happy2019 said...

TBH I always thought school as a waste of time that is also the reason I left my university and never even thought to go back. I would advise every youngsters against it. In Todays information age all the information is open and available. You can learn everything from the Internet from languages, 3d graphics to security and cisco switches.

Universities are all about ripoffs, they taking your life, takin your money leaving you with a pice of paper. Me as a manager would never hire a university graduate for a post, I would 100x times prefer enthusiasts with eagerness to learn or experienced people over people with useless degrees.

I could be ranting on this all day long but it's a universal truth no need to be repeated.

I was also working for years as sysadmin then switched to IT sec then back to sysadmin and now I'm happy where I am. I would not go back to security for any costs just doing good old sysadmin tasks all day long. I would never consider doing anything else either like becoming a real estate agent, a lawyer or doctor. I have completely zero interest to those professions regardless how much more money do they make compared to IT.

I don't understand university fanatics, neither those BOSS type of characters who just work work work and don't even enjoy the wealth they accumlate during the process.

The more things change, the more the more they stay the same.