(Mental) State of the Security Practitioner

By Jonathan Brandt, CISM, CCISO, CFR, CISSP, CSA+, PMP

The Nexus  |  Monday, 12 August 2019

In today’s world, the need to take care of oneself is more important than ever. The “always on” mentality exerted upon many salaried employees—especially those charged with detecting, responding to and recovering from incidents—creates an environment ripe for burnout. It is unrealistic to believe we can course correct overnight, but simply opening the conversation may allow subtle changes to take root and boost well-being and effectiveness.

In June 2019, I attended Gartner’s Security & Risk Summit in National Harbor, Maryland, USA. This was my first industry conference as an attendee—no booth duty, no mandatory events required by my employer, no meetings—just a full agenda of sessions I hoped would be intriguing. Overall, the conference was a positive experience, but by week’s end, I found myself more mentally exhausted than usual, which was likely attributable to the robust sessions I attended.

As I considered the topic for this, my inaugural column in The Nexus, part of my new role at ISACA, the issue that kept coming to my mind was how inundated we as security professionals are with information. As the senior information security practice manager at ISACA, part of my job is to shape thoughts on security practitioners’ tradecraft, the direction of our profession, the impact technical risk has across the globe and, ultimately, how ISACA can help its members better fulfill their roles and responsibilities. After some thought, I feel compelled to discuss our well-being because, in an already understaffed field, we need all hands on deck.

On any given day, there is no shortage of news articles, blogs, columns, posts, research papers, threads, tweets, etc., that affect our professional lives. Coupled with the need to remain relevant in an ever-changing landscape, and the administrative and financial burden of certifications borne by those holding credentials (often through multiple sponsor organizations), it is no wonder burnout does not receive as much attention as the widely reported skills shortage.

Over the course of my career, I have had the privilege of leading, training and mentoring many. Of the 3, training someone in technical subjects is the easiest. This might explain today’s sea of training providers in the information security space. But technical skills alone are insufficient and, while soft skills are increasingly identified as predictors of success,1 the always-on world security professionals operate in offers little time to develop or hone those respective soft skills, let alone recharge our batteries.

Technology and derived metadata consume massive amounts of digital resources across the globe. Unlike modern-day operating systems, which process in parallel, the human brain processes in serial, or sequentially. During his keynote, What Is Culture?, at the Gartner conference, Steve Robbins, Ph.D., delivered a powerful message I encourage everyone to watch. He highlighted the area in our brain known as Brodmann area 10 (BA10) that primarily controls what we pay attention to, which is one thing at a time.2 As I reflect on his message, I think far too many of us in today’s hyperconnected world laden with high-tech devices feel emboldened to do more (and faster). Our brains, however, are a single processor, which prevents true multitasking. Dr. Robbins demonstrates this at 41:30 in the video of his presentation.3 Since that keynote, I have looked at my own daily activities differently. Are we actually more productive? Is work error free? Can any of this be attributed to any reported cyberincidents?

Consider active vs. passive listening. How does your perceived ability to multitask at the office impact job performance and personal relationships? We are charged with protecting enterprise assets, intellectual property (IP) and critical infrastructure, yet we operate in a world bombarded with overstimulation where one user in an organization of thousands can create chaos, taint brands, cause loss of IP and revenue or even loss of life.

With no reason to believe technological advances will decline, the stress on today’s security practitioners will remain steady at best. I know of no starving information security professionals, but I know of too many (myself included) who struggle with work-life balance. It is imperative that we continually evaluate ourselves and explore ways to recharge our batteries and those of practitioners under our charge. I assert that any like program would be a powerful retention tool.

Jonathan Brandt, CISM, CCISO, CFR, CISSP, CSA+, PMP

Is a senior information security practice manager in ISACA’s Knowledge and Research department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. He serves ISACA departments as a subject matter expert on information security projects and leads teams whenever external resources are necessary. Brandt is a highly accomplished US Navy veteran with more than 25 years of experience spanning multidisciplinary security, cyber operations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.


1 Wilcox, L.; “Emotional Intelligence Is No Soft Skill,” Harvard Extension School, Professional Development, Cambridge, Massachusetts, USA, 2019
2 Robbins, S. L.; What Is Culture? Gartner Security & Risk Summit, National Harbor, Maryland, USA, 19 June 2019
3 Ibid.