
Burnout: The Biggest Threat in Cybersecurity (And How to Beat It)

BSides SLC · 2026 · 24:56 · 144 views · Published 2026-04
About this talk
Derek Sneddon examines burnout as cybersecurity's most dangerous advanced persistent threat, citing studies showing 65% of professionals experience it and only 33% would recommend the career to others. Using a risk-management framework familiar to security practitioners, he outlines concrete strategies for avoidance, mitigation, transfer, and acceptance—from setting boundaries and exercise to automation and building support networks.
Original YouTube description

Not all threats come from attackers. Some of the most dangerous ones come from within the industry itself. In this session from BSidesSLC 2026, Derek Sneddon tackles what he calls the greatest Advanced Persistent Threat in cybersecurity: burnout. From constant alert fatigue to the pressure of staying ahead in a rapidly evolving landscape (especially with AI), burnout is impacting professionals at every level—and it doesn’t just affect individuals, it impacts entire security teams.

🧠 In this talk, you’ll learn:
- Why burnout is so pervasive in cybersecurity
- How stress, learning pressure, and responsibility compound over time
- Practical ways to mitigate, manage, and recover from burnout
- Strategies to rebuild motivation and long-term sustainability in your career

⚡ This isn’t theory—it’s grounded in real experience, with actionable approaches you can apply immediately to stay effective without burning out.

🎧 About the Speaker
Derek Sneddon is an ethical hacker with real-world experience navigating burnout and recovery. Known for his creative approach to security (and occasional DJ sets), he brings a relatable and practical perspective to one of the most important conversations in the industry.

🤝 About BSidesSLC
BSidesSLC is a community-driven cybersecurity conference where practitioners share real-world insights across technical and human aspects of security.

🔗 Stay connected
Website: https://www.bsidesslc.org

#BSidesSLC #CyberSecurity #Burnout #MentalHealth #InfoSec #BlueTeam #RedTeam #CareerGrowth #TechCareers #SecurityCommunity
Transcript (en)

Welcome everyone. Thank you all for coming to this one. I'm really excited for this. Derek is awesome. He's a real friend, and so I get the privilege of introducing him. They told me to read off his page right here, but unfortunately it really doesn't have a whole lot. His favorite things are, well, not favorite things, but he really enjoys spamming websites with weird user-agent-like requests. It's kind of funny. He asks LLMs "pretty please" when they say no. And he, well, I'll get into this. He's an AppSec, application security, developer by day, a DJ by night. A pretty epic one if you've been up to the

CTF. He runs that. He's up there doing tunes all day. I guess yesterday he also enjoys... Does anyone play Deadlock? >> Yeah. Let's go. Yeah. >> All right. If you want to join him, he will give out his handle. No, I'm later on. If you want to play Deadlock, he does enjoy that. He also plays Frostpunk. Pretty sweet. He's really into that. But overall, I'm really excited for this speech, Burnout, the Greatest Advanced Persistent Threat and How to Fight Back, by Derek. Thank you. That timer's running. >> Yeah. >> Okay. >> All right. >> It's about five minutes fast. >> I don't need to introduce the session.

Seth did a wonderful job. So, we're going to get started right here, if my thing can flip to the next page. All right. Before we get into the talk and into the weeds of things, I need to make sure that I lay out a disclaimer. It's kind of long; bear with me. I am a cybersecurity professional. I am not a mental health professional. I am not qualified to give medical advice, and this talk is not intended for that. It is intended for educational purposes and peer support purposes only. I also want to mention that this talk is appropriate for all audiences, but it does cover some very serious topics that

are prevalent in our industry. Okay, now that we've straightened out which industry I work in, let's begin. I'm going to briefly introduce myself with a fancy little headshot there. So, I'm an application security penetration tester. I love hacking all things web, AI, mobile, you name it. I also moonlight as a DJ, and I also direct the BSides CTF with my absolutely incredible team. If you haven't had a chance to play some challenges, I really encourage you to do so. It is super duper fun. Okay, now before we really dive into the weeds here, I want to make sure that we properly define the word burnout. The word burnout is not just a buzzword.

The WHO defines it as the syndrome conceptualized as resulting from intense chronic workplace stress and fatigue that has not been successfully managed. Now that we've defined it, we're going to start looking into the threat of burnout and how it affects us in this industry, because it is, I would argue, the most advanced persistent threat. The effects of burnout are many, and I imagine that a lot of us in this room are feeling the symptoms of it, maybe even without realizing. When you're burned out there are symptoms (and I pulled this from many studies; they're included in my bibliography, and you can check out the slides for them). They include things like trouble sleeping. They include carelessness,

being forgetful. I had a really good friend of mine come up to me at the conference yesterday, and he told me about a woman he talked to at St.Con who had been living a really, really healthy life, super active, the whole thing, and she was an awesome threat hunter. And one day, while she was working in her office, she collapsed. Turns out she had a brain tumor. And the specific conditions under which the brain tumor had been induced were ones that would normally be seen in first responders like firefighters and medics. And yet she, a cybersecurity incident responder, had those exact symptoms. If I have not driven home how serious burnout can be... I didn't even know that

story until yesterday. But that's a really good reminder. I also do want to mention it makes us feel very insecure about our place in the industry and our confidence in our skills. Now let's talk about burnout and how it affects our industry. It is very prevalent in cybersecurity. The reports I pulled were from the State of Engineering report from 2024. It had some incredible data on this that I want to really pick apart and go over. It said that 65% of respondents had suffered from burnout of some kind, and that was in this last year. 65%: out of a hundred people in this room, that's 65 of our friends and colleagues who are dealing with this.

Cybersecurity professionals, to make it even worse, were found particularly vulnerable to this. We have stressful jobs. We have hard jobs, right? And here was an alarming statistic. I think we're all really passionate about cybersecurity. We wouldn't head out to BSides and compete and celebrate all we do if we weren't passionate about what we do. And yet in this report they found that only 33% of cybersecurity professionals would recommend their career to others. I want that to sink in for a second. Something that we so dearly love, and only 33% of us would recommend it. That's really interesting. So, a couple more statistics to go over, especially because of the cited reasons. Some of

them were increased workload. They were alert fatigue. That's a really big one, where we're getting too many attacks all at once. And some of them are long hours. But one that's really interesting to me is AI being cited as a source of burnout. Isn't AI supposed to make us better at our jobs? Isn't it supposed to automate things and make things easier? Well, it's a complicated question. Some of those have been because there have been folks who feel that their workload is drastically increased by the expectations set by AI. Some of us feel like we're barely keeping up in the learning process. Some of us are dealing with crazy AI-centric threats that form in deepfakes

that come in phishing emails of increasing complexity, and we have to figure out how to deal with it. So I've established that cybersecurity and burnout seem to coexist a little too nicely. Now let's talk about some numbers. Let's talk about breaches. This is the slide you want to photograph to send to your boss. Let's talk about MGM Resorts in 2023. One of the cited symptoms I mentioned was carelessness and forgetfulness. MGM Resorts, the famous chain of casinos over in Las Vegas, had a massive hundred-million-dollar breach. And if you were staying on the Strip at the time, and I had family members staying on the Strip at the time, you couldn't even open your door to your

hotel. It was so bad. And you want to know what the source was when investigators got a hold of it? It was because an employee was getting spammed with MFA requests and eventually hit yes because he was tired. He was careless. I can imagine that employee's day wasn't a frolic in the park, but rather it was a day of getting yelled at by customers, dealing with all the stress that comes with Vegas, and he was done. And that simple mistake cost so much money. Another one that's really interesting is 3CX. They had over 600,000 users that were drastically impacted, and it was caused by a supply chain attack. Now, the funny thing about this: when we work in a

SOC, we will see alerts come up and they'll say, hey, this CVE exists in this version of our software. Well, that happened, actually, and they were so fatigued from their work and dealing with false positives (false positives are the worst) that they clicked through it without thinking too much of it, and then, heaven forbid, 600,000 users had their important data leaked out. That sounds like burnout to me. And then another one: WannaCry, a very famous piece of malware. And the NHS, a very important institution, had a 92 million pound impact when they found out that staff were inadequately prepared and they were fatigued, and WannaCry, that nasty little worm that embeds itself and spreads,

went wild. And when you're tired, I'll tell you, it is really hard to contain malware when you're burnt out. So while burnout is not the direct cause of these (it's very hard to establish that), the symptoms we can see definitely are. Okay, I brought a lot of doom and gloom and I've had some really big, scary red slides. Now, you didn't just come here to hear my talk and hear me say the industry's over, we're all stressed, let's go home. No, we adapt. We're cybersecurity professionals. We're better than that. We're seeing an advanced persistent threat to our minds, and we need to figure out how to fight back. I don't have all the

answers, but according to my research, included in the bibliography, I do have some suggestions. How many, by a raise of hands, have seen this risk matrix? Okay, a pretty good chunk of us, right? You might have seen it when you took the CompTIA Security+ or maybe the CISSP. It's a way of categorizing risk into quadrants. And because we all speak security here, this is a language we can understand. So I want to think about the ways that we can avoid, mitigate, transfer, and accept the risk of burnout like we handle the risk of vulnerabilities and threats to our businesses. Going to take a brief swig of water. It's going to keep my voice from burning

out. Excuse that little cheeky joke. Okay, let's talk about risk avoidance first. I'm going to put this in the context of a technical vulnerability, and then we're going to extrapolate it to something in burnout. So a technical vulnerability where we would avoid the risk would be, for example, a vulnerable plugin on your cool new WordPress site. Now, if you've done any WordPress hacking, you know that WordPress is full of vulnerable plugins. Now, one of the best ways we can avoid a vulnerable plugin causing remote code execution on our systems is we don't install it. It's a pretty simple strategy, but it does work. It mitigates the vulnerability entirely. It mitigates the risk, or not mitigate, that's for the

next slide. It avoids, let me use that term instead. It avoids the risk of the vulnerability. Now, how do we avoid the risk of burnout? If you're like me, you have a huge backlog of projects. You've got things to hack, things to defend, and stuff to do. And I'm going to encourage you to do like we do in the SOC and triage them by criticality and importance and interest. Prioritize the projects that are the most important. And you know, it's okay to let go of some of the ones that are maybe like your Git repo that hasn't been touched in 3 years. That's okay. We need to make sure that we set boundaries with ourselves, the companies

that we're working with, our friends, family, and colleagues. Healthy ones, ones that say, "Hey, I would love to help you out. I just need a little bit of a break so I can get some food." Or, "Hey, getting eight hours of sleep is really important to me, so let's make sure we don't overdo ourselves." We are avoiding the risk by not introducing it. And the other thing I want to mention: if you're like me and you run your engine hot, as my mom says, you want to pace yourself so you don't burn out right in front of you. Let's talk about risk mitigation. Now, the next step is, let's say with that WordPress site,

we have to install that plugin. We have to introduce that risk. Well, perhaps, from an AppSec perspective, can we patch the vulnerability so it is no longer prevalent? There's an idea for you. We are directly dealing with the vulnerability itself. We're dealing with the risk. Now, how do we deal with it directly? What actions can we directly take to mitigate the risk of burnout? So, if you're like me, I love to run. I know it's kind of a weird hobby. I don't know why people enjoy it. I don't know why I enjoy it, but I love to run, and I make sure that I try and see the outdoors and that I exercise as much as

I can. We can all be basement dwellers. We're in cybersecurity. That's kind of how we work. But a good amount of sun and a good amount of exercise and a regular eight hours of sleep (I know that's hard) has been proven repeatedly, you can check my sources, to absolutely provide incredible benefits to keep you passionate about living life and doing what you do. Now, sometimes the risk gets to be a lot and we need a little extra help. That's where we enter risk transference. Risk transference is the concept of, and this is the one, when I talk to students who are getting into cybersecurity and they're taking the Sec+, this is the one I see usually being the most

confusing, but it's where we move the risk from being our responsibility to being someone else's. So, in a vulnerability context, what if we have a vendor such as Stripe handle our payment card processing rather than have us do it? That way, we aren't liable if our website gets hacked through that system. We'll still be responsible for making sure our users are safe, but the risk transfer will be on Stripe, not us. Now, when I put this in the context of burnout, we do need to be careful about this. This is not me saying go overload your family and friends, but use this appropriately. There's a couple of ways to do it. Now, one thing I found is if I have a repetitive

task at work, it's always a wonderful exercise to try and automate it. With AI, getting automation underway is even easier than ever. You can go to Gemini, ask it to produce something that helps you make a report, and you can automate that task. So that way you're spending less time on that and more time on the interesting things and the things that matter. Kind of refer back to my triage point on that. The other thing I want to mention is you need to make sure you establish a strong support network. Cybersecurity is a collective journey. We're not going it alone. We've got all these awesome people in this room here, and BSides is an incredible start. I have

made so many friends through this community, and they have become lifelong companions in helping me keep my eye on the prize, keep my head sane, and deal with all the upcoming threats. This also means maintaining incredible relationships with the people around you. I want to shout out that I have my support network here today. My parents came down to see this talk. And you know, my best friend, who I haven't seen since I was a teenager, we were best friends since we were three, traveled down today to see me for the first time in over 6 years just to come to my talk. I'm sure that if I'm having a rough day, I can talk to him.

So, I encourage you to develop that strong support network and maintain those relationships. You're not going it alone. And the last thing I want to mention throughout this whole talk, if I haven't stressed this enough, is that mental health professionals are awesome, because they devote their entire lives to studying burnout and helping people out. There is no shame in seeking one out if you ever need it. Now, finally, cybersecurity is a stressful job, and at some point we are going to have to accept that we have the risk of burnout on our hands. That is our vulnerability. And for a company, well, they can't patch all of the vulnerabilities that they get in the latest pentest. It's

just that there's too many things going on. So, there's a point where we have to accept the risk. But there's a lot of ways to do it. We can build up our stress resiliency and become stronger, better engineers that are more resistant to burnout. There's a lot of ways to go about this. One of which is to be a forever student. We never, ever want to stop learning in this industry. This industry is so full of wonderful topics that you can go over and dive into. And learning more makes you better at what you do. And when you're better at what you do, it becomes easier to handle all of the crazy threats we deal with.

You also need to set boundaries with yourself and define what a healthy working stress relationship looks like for you. There are lots of roles in cybersecurity, and not all of them are for everyone, and that's okay. Pick the one that you think you can handle. And if you find you can handle more and you're getting stronger and you're training your stress muscles, see what you can do. And the last thing I want to mention, this is one I struggle with a lot: it's okay to make mistakes. That's part of the industry. There's a reason there's a lessons learned in every incident response plan. You're not going to be perfect, so don't beat yourself up over it.

Now, I want to devote these last five minutes of my talk really to talking about recovery, because if my statistics are accurate, a lot of us in this room are actively fighting burnout right now. First things first, I'm going to put this in terms of incident response. If you find out that you are burnt out in whatever way, maybe a professional tells you, maybe you self-assess, then the first thing you need to do is prioritize keeping your systems from having an outage by prioritizing your self-care, making sure you're getting sleep and exercising and touching grass. Also, there's no shame in seeking professional help. And you combine these with all of the

previous tips, and they can be part of your strong incident response plan. I personally have an incident response plan if I ever find myself burning out: things I will immediately do the moment that I feel like that's going on. I encourage everyone to maybe try experimenting with that. The other thing I want to talk about too is that sometimes when we're burnt out, we can think, man, cybersecurity, it's really hard. Do I even like this? I'm encouraging you that maybe you need a break; notice it, touch grass. But at the same time, there are ways to work around it as well and rekindle your love for the industry. I love cybersecurity so much, but some

days it's hard. Sometimes, in order to get myself through a workday, I have to say, you know what, that little indie roguelike on Steam that's $3 on sale right now: if I can just get this pentest report done and I can get it in on time and I can make sure it's a good job, I'm going to let myself spend $3 on a Steam indie game. I'll gamify it a little bit. That's a really good short-term strategy that I found works for me, that can push me through a rough day where I'm not feeling the passion of cybersecurity. And the other thing is you want to try learning new things that are outside of

your niche. I love web security so much, but sometimes it's really hard. And so, you know what? I'm not very good at lockpicking, but I have lots of friends I met at BSides who are, and they're passionate about lockpicking. And maybe I can rediscover some of my passion for cybersecurity by discovering a new talent. And that is a great way to go as well. Now, if you've been noticing throughout all my slides, I have been depicting the area of Chernobyl. If you're not familiar, the Chernobyl nuclear disaster was the greatest nuclear meltdown in history, and it's still heavily irradiated today. I had some really big red scary pictures, and they were showing the flames and the

radiation and the smoke billowing out. But then, as we're recovering, I think of Chernobyl and how it's become a new nature preserve of sorts, where nature has overgrown and taken over the area. And I look at the animals and I start thinking, man, even if I'm burnt out, maybe nature can find its course. I can touch some grass and then I can recover too from burnout, and keep the life and the passion that I have for this industry, that got me here in the first place, alive. Thank you.

I'll make sure to post my slides. They'll be available through BSides' portal. And then if you want to talk to me and you have questions, you can come up to the CTF, and I'd be thrilled to chat and say hi. Thank you so much for coming today. This really means a lot.