Ryan Basden


Burnout Recovery and Prevention 101 (Part 0)

Note: This is the written version of a talk I gave at BSides Atlanta 2022 called “These Violent Delights”. Since it wasn’t recorded, I thought I would make it more available to people by blogging it. You can see the slides on GitHub here.

It’s been about two years since I wrote all of this for the first time.

The reception of the talk version at BSides Atlanta last year was good enough that I figured publishing these ideas and lessons for everyone to access would be beneficial.

But in trying to make it all perfect and complete, I’ve procrastinated publishing anything at all.

So, to remedy this, I’m going to publish in parts.

This is Part 0. Based on my massive list (mess) of talking points, here’s what’s coming up:

Recovery First, Prevention After

I will talk about burnout and how to prevent it, but more importantly, I want to talk about recovery.

Why?

Because most people have already experienced burnout, and I suspect a lot are still in it. I have to suspect because, though I have tried, I cannot find any data on how many people have recovered.

There are plenty of data sources for how many people have been or are currently burnt out, and prevention only matters if you’re not burnt out already.

Why even talk about this?

Because the working world has a burnout problem, and to make matters worse, infosec as an industry also has a talent problem.

According to plenty of sources, there were 2.72 million job openings in 2021. That number is going down, but it’s not one to laugh at.

Meanwhile, 75% of employees said they’ve experienced burnout, and 56% of employers admitted to having retention issues. Of those surveyed by Eagle Consulting, 36% said their organization isn’t doing anything to help them NOT be burnt out. Gallup found that burned-out employees are 2.6 times as likely to be actively seeking a different job, AND that only 60% of workers can strongly agree that they know what is expected of them at work.

The bottom line is that people are burning out, a lot of them aren’t getting help, and almost as many have no idea what standard they’re even supposed to be meeting.

Maybe you can see why I’m not confident about that number going down reliably. What are we missing out on because the talented people we already have are at or near the end of their rope?

Crime pays a lot, actually

Adversaries are making more money, their jobs are easier, and they work remotely. I’ve talked to people I know who were in ransomware gangs or are currently in them, and most of them say their work lives are easier.

What they told me boils down to a few simple points:

How are salaried, commuting, underfunded infosec professionals supposed to keep up?

There is a greater mission and much of the industry is not prepared to accomplish it.

Disclaimer

Before I go any further, I need to get some things out of the way:

I am not an expert, a medical professional, or a psychiatrist

I cannot diagnose or account for existing mental illnesses, personal situations, or other variables

But rest assured, I have had my fair share of hard times. I am no stranger to mental illness or trauma. I know that life can be hard and there are a lot of factors at play.

I get it. I’m not here to sell you a cure-all, or even a cure-most. I’m here to share what worked for me and maybe impart something useful to you.

How I Got Here

Like many, I spent the majority of 2020 working too hard, burning too hot, and not getting the things I needed to be happy.

The company I worked at was in a period of intense growth where we had plenty of new pentesting work to do, but some of us still needed to make audits happen to pay the bills.

During that time, I started to study for my OSCP, and after seven months, it had knocked me out. I would study for 3-4 hours per night and all weekend in the labs, grabbing flags and honing my methodology.

I failed my first exam attempt in late September but came back with a vengeance by the end of October. Then I descended into one of the deepest ruts of my life.

Collecting debt from yourself

What confounded me is that I was just doing something I loved: learning and improving my pentesting skill set.

But the price I ended up paying was steep, and it took a lot longer to cover my debt to my passion than it did to destroy my passion.

The year after (2021) was filled with attempts to pursue my passion without the energy I needed, leaving me feeling unfulfilled and frustrated at my sudden lack of progress in my career, but even more disappointingly, at my lack of appreciation for something I was once fascinated by.

I would listen to my favorite security podcasts and roll my eyes when people would talk about how energized they were and could spend hours just learning. My cynicism was through the roof, and the problem wasn’t them - it was me. I needed to feel better. My new state was not sustainable, and I needed a solution. That’s how I came up with what’s in this blog.

It took me a long time, but I made it, and I want to share that with anyone who’s in that same place.

Look out for “Part 1: Where To Start”, coming soon.