How to Keep High-Performance Security Teams Motivated
Burnout. It’s the word that has haunted organizations since the COVID-19 pandemic cranked up the pressure on remote workforces. It’s a state of perpetual emotional, physical, and mental exhaustion, and it comes with decreased motivation, lowered performance, and a negative attitude toward others or oneself. Burnout can turn overall tiredness or malaise into a state of being too exhausted to function.
While this can be personally devastating, the risk of burnout could present even deeper challenges for perpetually lean security teams. Disengaged security employees can miss warning signs of security breaches, fail to connect with other departments and stakeholders, and lose some of their passion to keep people, assets, and places safe.
Worldwide, only 32 percent of employees say they are thriving right now, according to the Gallup State of the Global Workplace 2022 Report, and 43 percent report high levels of daily stress. This is one of the drivers behind the ongoing Great Resignation; people who feel tense or stressed during the workday are three times as likely to seek employment elsewhere, the American Psychological Association (APA) found in 2021.
To combat stress burnout, however, security leaders must encourage purposeful disconnection from work without losing employees’ motivation to succeed.
For inspiration on this front, security leaders should look to military units and firefighters, says Wendy Bashnan, chief security officer for Nielsen Company. These groups are capable of sustaining periods of extreme stress and danger, interspersed with periods of rest and separation from the action. But when units come back together, they can pick up where they left off, adds Bashnan, who spent 30 years in the public sector before transitioning to private business.
Currently, she is responsible for a small team of security professionals who help the business manage security risk and resiliency across 55 countries. That breadth of responsibility means that team members need to juggle many different tasks and challenges on a regular basis. For high-performance security professionals, their motivation is often the deeper meaning they find in their work.
“To be honest, most of the people that I have worked with throughout my career, their personalities have driven them to this profession, to this field,” Bashnan says. “It’s that sense of purpose, that sense of service that motivates them.”
Percentage of employees who reported experiencing high levels of daily stress at work.
But that works against them when they try to shoulder too much responsibility, remaining mentally on-call at all times. And that sustained stress level leads to burnout, turnover, and even physical health issues.
“The biggest challenge for my team is to encourage them to pull back and take time off, because they feel obligated to support whatever team it is that they’re working with,” she adds. “And that feeling that if they did take personal time, they’re letting down their teammates—that’s the message we need to tweak moving forward.”
High Performers Under High Stress
High-performance employees bring a lot to the table. They have the drive, intellect, and emotional intelligence to succeed and add value to the organization. They also bring some common psychological dynamics.
Star employees often feel the weight of others’ expectations keenly, and their drive to meet or exceed those expectations can push them to work beyond their limits, especially in times of stress or crisis, according to Harvard Business Review.
In small or short-term doses, stress can be motivational, leading to periods of intense concentration, effectiveness, and productivity. But long-term stress conditions—such as when crises pile up and overlap—undercut those benefits.
Industrial and organizational psychologists have found that hinderance stressors that are outside an employee’s control can feel like barriers to achieving good outcomes. These can include red tape, a lack of resources, or conflicting goals within the organization or department. Challenge stressors, though, can be positive. These are tasks that a person feels he or she can overcome while growing and improving, such as learning a new skill that will help the employee tackle a new responsibility at work.
“Research further suggests that people find challenge stressors motivating because they expect that if they put the work in, they can achieve an outcome they value,” wrote Stephanie Pappas for the Monitor on Psychology. “Hindrance stressors, on the other hand, feel insurmountable—no matter how hard you work, a satisfactory result is out of reach.”
Hinderance stressors were in ready supply during the start of the COVID-19 pandemic, when security professionals faced myriad unexpected challenges without the resources or autonomy to address them.
“The challenge that we’ve seen over the past two and a half years with COVID is that we’re seeing layers of crises on top of crises, so they’re overlapping for extended periods of time, and that does put additional stress on the team,” Bashnan says. “There’s a feeling that there’s never downtime.”
“Historically as an industry, we are accustomed to the rollercoaster—the highs when the crisis is most urgent and then it calms, becomes manageable, and we’re ready for the next crisis that comes into play,” she continues. “During this pandemic, we’ve been at this elevated peak of crisis that’s continued with other crises on top. Now we’re in a rollercoaster that’s twirling and spinning on top of everything, and we never get the calm we’re accustomed to.”
Although stress is not uncommon for security professionals, she says each person will need to find his or her own ways to manage and recover from it. Luckily, good managers can be there to help.
Vacations are not just fun—they are necessary, says Avril Eklund, CPP, head of global physical security for GitHub. Time off enables team members to take a step back from workplace stressors and to gain some valuable perspective and mental clarity, she adds.
Unfortunately, a paradox around work stress recovery is working against security departments. A 2018 article in the journal Research in Organizational Behavior found that “recovery processes are impaired when individuals are facing a high level of job stressors.”
In other words, the more stressful a job is at a certain time, the more compelled a high-performing worker is to put in longer hours, take fewer breaks, and even eat less healthily, further depleting the worker’s energy levels to handle the stress. Pushing through the stress simply does not work.
“I’m very fortunate that I hired really high-performing people,” Eklund says. “I meet with them every week to make sure that they’re not getting overwhelmed, because—being high performers—they’re often inclined to take on more and more and more.”
Especially after a two-year stretch of COVID-19 response, she adds that she was seeing early signs of burnout and wanted to head it off at the pass.
“People were starting to be tired coming to work, have less enthusiasm for things they used to be enthusiastic about,” she says. “I don’t think that our interpersonal relationships changed at all—nobody was being mean to each other or dropping balls—but just the lack of enthusiasm. I’d get the feeling when I talked to them that it was the same stuff, different day. The spark was missing from our conversations.”
This year, Eklund has started ensuring that her team members take vacation to address early signs of burnout. GitHub’s security team has an unlimited time off policy, but because of the cycle of crises, no one has been taking advantage of it, she says.
“They need that break from work,” Eklund adds. “And as their leader, I model that and make sure that I take time off. And when I do, I do my best to truly disconnect so that I can help them see that it’s okay for them to totally disconnect as well and refocus their minds for a week on something that’s not COVID, not security, not risk. We’ll be fine—everyone else can pick up the slack for that week, and we’ll be okay.”
This does require some planning, though. Team members heading out of the office are instructed to turn off messaging platforms like Slack and set their status to “away.” The rest of the team uses send times on email and Slack to postpone non-urgent queries from hitting the vacationing team member’s inbox.
The security team also starts a “While You Were Away” digital document, where they keep a running log of essential activities and status updates. When the person returns from time off, he or she can skim through one document to catch up, rather than scrambling to sift through a week’s worth of emails.
Eklund also works to address the rest of the organization’s assumption that security is available 24/7. She is setting expectations with outreach through the company’s Intranet to explain how the security team works and what sort of response time to expect for different queries. This enhances transparency while building in some breathing room for her team.
Taking time away also lets team members recharge their sense of purpose, she says.
“If you get an opportunity to look back at the work you’ve been doing, now you’re coming back with a different perspective,” Eklund adds. “Sometimes you need that break from the work you’re doing to look at it with fresh eyes.”
Even a short break, like taking a walk or using a long lunch break to do some gardening, can lend valuable perspective and uncover potential solutions.
Security leaders can also influence by example. Employees take cues—whether spoken or implied—from their leaders about what behavior is acceptable and expected. For employees to feel comfortable stepping away, asking for professional development opportunities, or sharing when they feel overwhelmed, CSOs must model that behavior themselves, whether by taking disconnected vacations or simply logging out at the end of the day.
While vacations and time off are an effective reboot for security teams, employees and leaders can take steps to disengage before they even leave their desk for the day. Roy Lemons, CPP, CSO for International Paper, says it’s important to develop small rituals to mark the beginning and end of the workday, especially for remote employees who no longer commute to and from a physical office or site.
At the start of every day, Lemons takes a few minutes to consider something that went well and something that went wrong the previous day, and he ponders how he could have improved his response. This reflection builds a sense of accomplishment and a drive for continuous improvement at work, he says. And at the end of the day, Lemons doesn’t just close his laptop or put it in a drawer—he powers it down completely. It would only take an extra five minutes to restart the computer in the event of an after-hours emergency, but that extra step also gives Lemons pause when he considers logging back in to answer a few emails in the evening.
“Humans always try to find the path of least resistance,” he says. “If it’s difficult for me to do it, then I ask the question ‘do I really have to do it?’” This enables him to reprioritize work versus personal activities, rather than reflexively logging back onto the computer.
Time to Stretch
A bored high-performer is a disengaged high-performer. When people are bored, their judgment, goal-directed planning, focus, and control over emotions all suffer, found neurologist Dr. Judy Willis in her paper Neuroscience Reveals That Boredom Hurts. In addition, monotonous work can negatively impact mental health, add to stress, and lead to burnout. A lack of autonomy and the inability to grow make matters worse.
According to the APA’s 2021 Work and Well-being Survey, a lack of development opportunities exacerbates workplace stress—52 percent of employees surveyed in 2021 found that a lack of opportunity to expand had a strong impact on their job satisfaction.
At International Paper, stretch goals are part of the fabric of performance reviews, and Lemons helps his team look for professional development opportunities that fit their needs and interests. Each member of Lemons’ security team must be CPP certified, and International Paper funds their certification journeys and supports them while they pursue educational opportunities.
“If you truly want to get the value out of the training, then what you need to do is make sure to carve out time,” Lemons says. “Do not assign that person any response capability during that period; they need to be in the moment to get the value out of that and come back. We make sure there’s coverage so they can go and not get pulled into something.”
Employees do not necessarily need to look outside the company for opportunities to grow, either. Employees interested in learning more about cybersecurity can partner with International Paper’s IT department to identify key educational areas or the best certifications, and team members focused on learning more about regional risk or specific business areas can go on site visits to different locations and manufacturing facilities to expand their viewpoints, Lemons says.
Within the security department, Bashnan is cross-training her team to cover each other’s roles and responsibilities—including hers. This serves multiple purposes: it adds resiliency and backup coverage for key roles, it lets security employees try new things, and it encourages a growth mind-set, she says.
More Hands On Deck
As well as diversifying skills within the security department, expanding the security team overall can free up high-performing employees’ time to focus on more proactive, strategic functions like threat hunting and building additional organizational value, Bashnan says.
“I try to earnestly include team members in the work that I am doing,” she says. “And in many ways, I am coaching them to do the work so that they can do it themselves. If I can teach them to do what I do, then I can sit back and actually be that strategic thinker and start that threat hunting that needs to be done and look around corners. That’s what the C-suite wants a CSO to do, but they don’t appreciate the amount of firefighting we have to do on a day-to-day basis that takes us away from that strategic thinking.”
“We’re always slightly understaffed, slightly underbudget, and being asked to do more with less, but you can only do so much,” she adds. “So, you’re always in a reactionary position.”
Bashnan started tapping into the 21,000 other Nielsen employees worldwide, deputizing them as de facto security employees and educating them so they can perform some tasks themselves, rather than relying entirely on the security team.
For example, a U.S. facility was broken into, and Bashnan received an email notification that morning about the event. But within that notification, the facilities and operations managers at that location outlined all the steps they had already taken—crossing those tasks off the security team’s list and keeping the response tied into local responders and capabilities.
“For me, that’s a huge win,” Bashnan says.
In crisis response, the more internal teams are involved, the more security teams can excel. For Eklund, GitHub’s COVID-19 response benefitted strongly from HR, legal, and other departments joining the taskforce.
“We are working on rebuilding our crisis management team to spread the load a little bit better across our information security function, our legal function, our HR function,” she says. “We’re the intake portal but training these other teams about what their responsibilities are so it doesn’t fall all on us.”
For a protracted crisis like COVID-19 or the war in Ukraine, one team of seven security professionals cannot carry that load, Eklund adds. “We need to be able to pull in partners.”
The Power of Recognition
Don’t underestimate your influence to motivate the team.
“A leader’s words are more impactful than anybody else in the company,” Lemons says. “No matter what the boss’s boss’s boss says, your boss is the one who has the most impact on you.”
While some employees are fueled by widespread recognition, many security team members would benefit from a simple note from their CSO acknowledging their hard work and effort, even if the project fell short or could be improved.
Lemons also has calendars set up with notifications for employees’ work anniversaries and birthdays, so he can take a few minutes to send out work anniversary notifications to the team or recognize them during meetings. “It sounds silly, but it actually does mean a lot to people,” he says.
Eklund stepped up her regular check-ins with her team to have frank conversations about their hours, workload, how they are managing different time zones or responsibilities, and whether people are contacting them at all hours with queries and requests.
“If I didn’t ask these questions, I wouldn’t know, because we aren’t sitting next to each other like we would if we were in a traditional office,” she says. “It’s about listening and asking a lot of questions so I can figure out what’s going on.”
Along with questions about stressors, Eklund also seeks out sparks of interest—asking whether team members would like to take on different or new responsibilities and seeing if that brings their enthusiasm back to the fore.
In the end, though, finding the right combination of steps to combat stress and burnout is a challenge, but a rewarding one, Eklund says.
“Not everything has worked for every person, but some pieces have worked for each person, so we’re getting there,” she adds.