9.19.23 > Brian Morgan
Security burnout. A topic not often discussed, but certainly often experienced.
Allow me to read off a few keywords for you here.
Ready?
EternalBlue. WannaCry. NotPetya. Heartbleed. Shellshock. SolarWinds. Log4j.
Is your heart racing? Are your palms sweating? Are you dizzy, perhaps?
If not, then chances are you either don’t work in information/IT security, or haven’t been paying enough attention over the past decade. These are the insidious incidents that kept IT and security staff late into the night. Sometimes all night, depending on the risk level. They were “significant emotional events” at most organizations. And while dramatic, and the subsequent remediation efforts herculean, we won! We beat the bad guys forever. When the patches are all installed we can just relax for a few years and take a breather.
Oh, wait… you work in security?
Yeah, there’s no relaxing here. On to the next major vulnerability, the next data breach, or the next ransomware event. The train never stops. If you aren’t responding to an incident, you’re shoring up defenses and preparing to respond. If you’ve been in the game long enough, chances are you know what I’m talking about. Either you, or someone you know, has hit that dark point where they just wonder if all the hard work, late nights, and life energy they are committing on behalf of the “good guys” to secure and defend is ultimately worth much. That rock-in-the-stomach feeling one gets when their internal monologue concludes that they are ultimately trying to hold back a tsunami with a basement sump pump. Information security can be like that sometimes. There are hundreds of difficult, expensive, and time-consuming things which need to be done, controls which need to be implemented, findings which need to be remediated, and tiresome, technical, and detailed work that needs to be accomplished, synchronized, and fine-tuned to be considered “secure”. But even that isn’t enough, is it?
Many, many breaches still occur through the timeless art of social engineering, when the keys to the kingdom are simply given away by unsuspecting users who are working, as expected, on your network. Multi-billion-dollar enterprises get hacked. Government agencies get hacked. Even spy agencies doing nation-state-level hacking get hacked. Criminals make tens of billions of dollars a year globally running illicit and illegal schemes using technology born only in the past few decades. Are we winning this fight, or losing it? It’s hard to say. But ultimately, the constant fight itself takes a toll.
Security professionals are uniquely exposed to a wide variety of significant pressures. Pressure to constantly fight for adequate funding in order to do the things that need doing. The pressure of being seen as an “overhead” cost center just eating money, rather than being credited with silently keeping the stock price afloat by avoiding headlines. Pressure to constantly educate and promote security awareness to illustrate the importance of a security-conscious culture. Pressure to retain and inspire talent in an ultra-competitive marketplace. Pressure to get the technical things right 100% of the time, when operating within hyper-complex software systems with possible invisible vulnerabilities which could let an attacker bypass your defenses and get access to your chewy center (and you may not even know it). Pressure from only getting recognized when security systems fail, even if it’s not your fault. Good security is largely transparent, and no one is going out of their way to applaud an invisible security feature, no matter how brilliant it is.
It can all feel overwhelming, to be sure, especially since the pressures don’t really seem to let up. They only get heavier, at all levels. Alas, don’t fret… there is hope.
There are a few ways to combat security burnout. First, recognize that nothing is perfect. And, nothing will ever be perfect. That’s important to remember. Many security and IT professionals can tend to be a bit… perfectionist. It has something to do with our brains. So when something isn’t perfect, or exquisitely tuned close to it, it can drive us crazy, leading to anxiety and frustration. This can be avoided by simply acknowledging the reality that there will always be problems. There will always be vulnerabilities to remediate and risk to mitigate, and there will always be more work to do. In an ever-evolving environment, the one constant is change, and we must become truly comfortable with that. You’ll always have gaps to fill.
Second, realize that we live in a unique time within our history. Many of us remember growing up without any internet at all. Now, nearly everything is interconnected, and nearly every person, relationship, and company relies on the internet in some way or another. If things sometimes feel out of control, or that the technology is moving too fast and it’s hard to keep up, that’s normal. I don’t think anyone feels completely and totally “on top” of 100% of the emergent technologies being implemented across the board. There’s an ocean of stuff to know. Chances are, you’re farther ahead than you realize. Don’t get frustrated. Give yourself credit for how far you’ve come. Congratulate yourself on the certs and experience you have acquired, and if you have a knowledge gap you’d like to close, sign up for a course and close it! Also, take a break! Go on vacation. Camp under the stars. Spend deliberate time recalling why you chose this profession and the reasons why you fight the good fight. This will help you stay motivated. It can certainly feel overwhelming to play the role of the perpetual white hat defender, when a literal world of black hats are probing you and your organization 24/7/365. Depending on your situation, you can do the right things 99% of the time, but that 1% error can be all it takes to wind up in the hot seat. Few professional domains have such a low margin for error, aside from military operations, doctors/surgeons, or free-climbers. To counter this, it helps to remind yourself that everything matters, no matter how trivial it may seem. Every firewall rule, every standard put in place, every security presentation, it all matters. Even if you aren’t a CISO making all the big calls, your work and energy truly matter.
So, keep fighting the fights and doing the right things. Even if there’s no winning this war, and the bad actors will keep coming back, we must do all we can each day to keep shoring up our defenses and to stay on top. It all adds up to a job worth doing, and a life worth living. Don’t let your burn go out.
Brian Morgan, Director Cyber Coordination Cell (C3), Minnesota National Guard
Joint Force Headquarters Minnesota Cyber Plans Officer, and Network Development Manager at Amazon Web Services
Army Lieutenant Colonel Brian Morgan is currently a Signal and Cyber plans officer at the Joint Force Headquarters in St. Paul, Minnesota. LTC Morgan enlisted in the Wisconsin Army National Guard in 2003 as an infantryman, and was commissioned as a Military Intelligence second lieutenant in 2006. He transferred to the Minnesota National Guard in 2008 to work in the 34th Division G2 (Intelligence). He has served in both full-time, federal technician, and traditional M-Day roles within the Minnesota National Guard and has completed deployments to Iraq in 2009-2010, Kuwait in 2018-2019, and most recently to Maryland from 2020-2021 leading the first-ever deployment of the 177 Cyber Protection team. He has extensive experience in information security, technical security, networking, software, and cyber operations. He has commanded at the company level, and has served on battalion staff for the 2-135 IN RGT and on division staff in the 34th Infantry Division G2 (Intelligence) and G6 (Signal). His most significant awards include the Meritorious Service Medal with two bronze oak leaf clusters.
LTC Morgan has earned a Bachelor of Arts in Applied Mathematics & Computer Science from the University of Wisconsin-Stout and a Master of Business Administration from Saint Thomas Opus College of Business. He has held numerous professional certifications in information security and networking such as CISSP, CISM, CEH, CCNA, CCSP, CNDA, PCEP, and AWS-CCP. He is a graduate of the Army’s Functional Area 26A (Cyber and network engineering) school at Fort Gordon, and is one of only a handful of officers in the Minnesota Army National Guard to hold the full 17A (Cyber Operations Officer) MOS.
In his civilian occupation, he serves as a Network Development Manager for Amazon Web Services, ensuring the stability and security of the government cloud.
You can connect with Brian on LinkedIn.