On The Cyber Jack Podcast we sat down with Karen Worstell, Senior Cybersecurity Strategist, VMware Carbon Black to discuss how cyber companies can beat employee burnout and create a culture of inclusion. Karen has been studying employee burnout and D&I in cyber for the past 10 years.
[automated transcript for your reading leisure]
Today Karen Worstell, senior cyber security strategist at VMware Carbon Black joins us to talk cybersecurity employee burnout and how organizations can keep a healthy workforce. All this and much more on this show.
Karen, thanks so much for joining us today. We're very excited to have you. To kick things off, could you tell us a little about yourself, your role, specifically, and what you're focused on right now.
Karen Worstell 00:38
I have been in the cybersecurity industry for about the last 30 years and a good portion of that time, over the last ten years, I've spent researching issues relating to stress burnout in our industry, and how we have a more inclusive work environment in order to have a more productive work environment. So I am now a senior cybersecurity strategist for carbon black. I'm thrilled to be there. And I am excited to have a conversation today.
Yeah, I'm really excited to talk about this topic. It's really important to the industry and how we attract new talent and foster the talent that we already have. So let's just jump into this recent VMware research data point that said 51% of security professionals had experienced extreme stress or burnout over the past year; what does that tell you about the challenges security professionals are faced with today?
Karen Worstell 01:32
Yeah, you know, it's a stressful industry, it was, it's always been an industry where you're constantly fighting against an unseen enemy, and you have anything that can happen at any time. And we have very little control over our circumstances. So the issue that I think has escalated this problem now is that we have too many silos in the organization, we have a lot of handoffs that are not working well, between different groups who are trying to work on it, and security and variety of other things that are related and need to work together. We have an attack surface that's really complicated. It's just gotten incredibly more complicated, we don't have good visibility of it, and the ability to see what's out there and have context and to be able to determine what's going on has gotten much more difficult in many of our modern environments. And so the team that's charged with looking at this and trying to figure out how to prevent bad things from happening has an incredibly difficult job as a result of, you know, major digital transformation that has happened as a result of COVID and a number of other things with related to work from home.
So what can CISOs do to prevent burnout within their security teams? And maybe it's the CISOs and the managers?
Karen Worstell 02:47
Yeah, that's such a great question because the managers, the CISOs – the line managers have a lot to do with how well the team is doing. And I would say, the first thing to do is to make it okay to not be okay. A lot of people hide their burnout, until it's way too late. And the reason they do that is that they don't want to appear weak, and they don't want to appear unfit for duty, they're afraid that their teammates are going to think that they are somehow less capable, because they're, you know, dealing with burnout, or the potential of burnout. So that's it. That's one thing that managers can do. We've kind of grouped these things as we've looked at them into three categories. So we want people to think about self-care, empathy, and empowerment. And the managers have a tremendous amount they can do to foster an environment that makes it okay for people to prioritize self-care to have an environment where there's empathy, like making it okay to be not okay. And then the whole idea of empowerment, what is the management doing to try to create an environment where it's easier for people to get their job done well.
And so what can the security professionals themselves do to address their well being within the workplace?
Karen Worstell 04:10
There's a human need for us to have goals and have something in our life that's meaningful, that matters to us, that that's where we focus our energy. I do think that the makeup of people who are in the cybersecurity industry, I certainly saw this with my own teams over the years are people who are very passionate about the work that they do. I call them cyber defenders; they have this innate drive to go out there and do the right thing to protect an environment to find out what's broken and fix it. And that drive can be a bit overwhelming. And it can also take them to the point where they're focusing on how important it is for them to do this mission to the expense of other things in their life that are really important. And they find themselves after, after a certain point at a level of emotional exhaustion that's a little bit hard to claw your way back from. And so what I would say is a best practice is to know yourself, and know what your goals are, know what your know what's important to you be willing to make that a top priority. And, and you know, right alongside your work, it's not less than less important than your, then your work and your vocation. It's just as important. And I think we're getting better at that overall. But in the heat of everything we have to do at work, the thing that we have, we feel like we have the most discretion over is our own personal life. And we cut out sleep and we cut out, we cut out other things that we need to do having, feeling joy and being out in, in doing something that you really care about those that that's what I would say is really important for people to not lose sight of.
Having a hobby, or an outlet that's really separate from work is important for anybody's sanity. So let's shift gears a bit and talk about diversity inclusion. So how can business leaders encourage and accomplish a more diverse and inclusive workforce?
Karen Worstell 06:26
It's really interesting, especially having come over the years of my career where I was very often the only woman in the room, and I was the only woman in the room, but I was a white woman in the room. And, and it was years before we had women of color in our community at any kind of recognizable level, those numbers are still way behind where they should be. And the reason why I think it's important to have what I would call an inclusive work environment is that there is a tremendous advantage in having a community in terms of its innovation, its collaboration, its ability to be creative, and get things done, when people feel that they belong there.
And it's quite easy for a white man and a white woman to feel that they belong there. Even though women are in the minority. Technically, women, white women feel like more like they belong, because they don't have to identify as a white woman in order to belong there. But when you have people of color, for example, they are often not feeling quite as part of the group like an intrinsic part of the group. And they have an identity that feels like it sets them apart. And sometimes I would say most often, I hope we inadvertently add to that feeling. But sometimes there's also just so blatant gaffes that happen that really make people feel like they don't belong there or that other people feel they don't belong there. So the reason that that sense of belonging is so important is because that's what drives innovation. When we know that we have a space where we're we are a member, then we can bring our whole self into the workspace. And we can collaborate with others freely and share our share our ideas with confidence. And I think that's incredibly important right now for us to solve some of the hard problems that we face, especially in cybersecurity.
And a diversity in thinking is also really important to keep in mind when you're building your culture. Well, thanks, Karen, this has been a great conversation, really appreciate your time. It's a critical topic that's affecting the industry. Any parting words for the audience here?
Karen Worstell 08:54
Oh, gosh, yeah, you know, and I think we need to pay a lot more attention to the things that we do have within our control, I would say focus your energy on the things that are within your control, because there's far more of them than you might realize. Some of the examples that I would encourage people to look at would be things like, what can we do with technology and automation? What can we do with that technology and automation to make sure that people really know how to use it? Well, instead of throwing it at them and telling them to learn a new tool, how can we be I call it being a process Ninja, the idea that we look at everything, not just from the standpoint of technology, but also from our processes and how are people collaborating together and working together in a way where it's truly a team and the ability of organizations to significantly up their delivery on quality on product on new ideas on new approaches to Getting Things Done faster, better, cheaper is having an environment where process works. People know that if they do focus on their job, it's going to get used by the next team that needs it. They're doing what they're doing what's meaningful. And yeah, so that's, that's what I would suggest from that standpoint.
Well, there it is. We'll leave all you listeners with that, Karen. Thank you again for being here. Really appreciate it.
Karen Worstell 10:27
You're welcome. It's my pleasure.