Blue teams on the edge: cyber pros seem to hate their jobs

If you’re interested in cybersecurity and looking for information online, chances are you’ll end up in the Reddit community of cyber pros. Users in the forums are known to openly share frustrations about their jobs, companies, and colleagues – highlighting the fact that “blue” teams have many common problems.

When cyber pros are on the edge, they vent on Reddit, revealing the troubling reality of such a job.

They have to “do more” with an “optimized” budget, and when a cyberattack does occur, it’s “entirely their fault.” They probably look busy even when they’re not. And when they actually are busy, you’d better not disturb them!

Defenders of company networks against cyber threats, known as blue teams, seem to be under a lot of tension recently. And they’re absolutely steaming online.

Here are five common complaints and what we can make of them.

1. Colleagues are divas, ignoring your “dumb questions”

Many newcomers to cybersecurity share their frustration about colleagues who “seem to hate their job” and are neither helpful nor supportive.

“I don't get it,” one soul complained. “Everyone seems to hate their job. Working with other people, you have to recognize they’re going to ask "dumb questions," and it's your job to help them parse that question into something that makes sense. Not everyone has the same background as you do. I don't understand why everyone gets so mad over it.”

He wondered whether having such ignorant coworkers is a constant.

The blame went both ways.

“Some people in security are just divas. I'd rather have someone asking me "dumb" questions and thinking about security at all than not,” one community member encouraged.

Others countered that “stupid questions” can induce rage after a while if they come from someone who is in the same position.

“How dare these normies ask for my help, don't they know how smart I am?” one community member joked, noticing a pattern.

Rahul Vij, CEO of WebSpero Solutions, describes cybersecurity as “a field characterized by high pressure, ever-evolving threats, and an immense workload, which contributes to a prevailing sense of frustration and burnout among specialists.”

2. Bureaucracy is stifling, while cybercrooks “are living the life”

What an exciting endeavor: identify company assets and their value, then identify threats, then document them, later perform a likelihood assessment, conduct a business impact analysis, and only then can you respond to an actual threat.

“F*ck Cybersecurity. Let me reiterate. F*ck the bureaucratic process of cybersecurity jobs. I had so much fun learning how networking works. How packets are sent across the networks. Different types of protocols. Different types of tools to detect attackers. Different methods to attack systems. But now, I am at a point where I am just questioning myself,” one keyboard warrior burst out.

He was angry that “threat actors are living the life,” actually using the skills for their “own monetary benefits,” as opposed to us cybersecurity professionals, who just beg for a paycheck and constantly need to show they are worthy.

“You know what? Let the breaches occur. I don't care anymore.”

Some responded that this was the reason they left leadership roles and went back to penetration testing.

However, many felt the need to explain that the blue team’s mission is not to safeguard assets but to bring cyber risks in line with the company’s policy.

“I’m just here to checkmark a cybersecurity insurance box. Now I work 3 hours a week,” one Redditor responded.

And actually, the crook's life may not be that sweet.

“Threat actors are not ‘living the life,’ they're Russian military or 20-year-olds that get arrested after selling databases for a couple of thousand dollars. You have a skill that someone decided was valuable enough to pay you for, buy yourself something nice,” one community member responded.

Christoph C. Cemper, founder and CEO of AI platform AIPRM, sees mental fatigue and disillusionment within the cybersecurity profession reaching alarming proportions, affecting organizations.

“Cutting through bureaucratic red tape can make a world of difference. Simplifying job requirements and focusing on the vital skills necessary for the role, rather than an exhaustive list of unrealistic expectations, can revitalize job satisfaction and thereby, performance,” he said.

3. Burnout is a constant

Imagine you’re a firefighter, fighting fires for eight or ten hours every single day. And everyone around you does absolutely nothing to prevent them, with some actively pouring gasoline wherever they go. This is the experience in cybersecurity, as described by one Redditor. Being an arsonist seems a very lucrative low-risk job when each day brings 100 new ways to start fires.

At the same time, you must “do more with less,” as management only cares about cutting resources such as budget, people, or tools. Any failure is your failure, and days without accidents pass unnoticed.

The eternal need to stay on top means that burnout is an absolute constant in the industry, according to another response. And try to have a normal life when most cyberattacks happen on a Friday night or during your long-awaited holiday.

Some are worried about their mental health being affected.

“What? You mean expecting a team of 8-12 analysts to tackle 1000+ tickets in a 12-hour shift at an MSSP (Managed security services provider) with a 15-minute SLA (service level agreement) per ticket is bad for mental health? That’s crazy,” one community member said.

One more thing. Cybersecurity experts hate being interrupted by trivialities.

“I feel burnt out because I'll get projects I need to work on and then get hit up constantly by tickets and people interrupting me that I can never focus on one thing for too long it’s so annoying,” the most upvoted answer reads.

Joshua Spencer, founder of FortaTech Security, believes that the main contributors to professional dissatisfaction are systemic issues, such as resource constraints and inadequate support from organizations.

“I've had firsthand experience with how these issues can significantly impact an organization's cybersecurity posture, potentially leading to decreased vigilance and an increased vulnerability to threats. These challenges are not unique to any one individual but are prevalent within the industry,” he said.

Harman Singh, Director at cybersecurity services company Cyphere, warns that burnout can have a negative impact on the whole organization, potentially leaving it more vulnerable.

4. Sometimes you have nothing to do, leading to more burnout

The firefighting role may sometimes become the total opposite. Maybe your company was under the black hats’ radar for some time, or, by some luck, everything just works fine: all audits have passed, all policies are in place, and the event management system shows nothing. You can hear the clock ticking.

One young padawan was shocked to find out he had nothing to do in a new job. For several days he tried to get some actual work from his boss, only receiving some reading material about the software. He felt guilty for doing nothing.

Some pros responded that this is a normal experience: if there is no fire, you clean the firetruck and goof around the fire station.

“Either you work 20 hours per week or 45 hours per day,” one Redditor responded.

Many related. It's a difficult balance between being not busy at all or being too busy.

“My days have been reduced to answering maybe 5 support tickets and some emails. Budgeting season is coming up, so I'll be busy for about an hour copy/pasting my budget from last year. The best advice is to just look busy,” one suggested.

Simon Ryan, CTO at security company FirstWave, explains that the cybersecurity field is usually known for its high-stress nature, with professionals facing constant pressure to protect organizations from evolving cyber threats, often leading to long hours and burnout. Situations without formidable challenges may arise with highly effective security measures that leave little room for specialists to use their skills.

“Underpaid or undervalued specialists are likely to be dissatisfied, while those in organizations investing in their teams tend to be more content,” Ryan added.

5. Unprepared ungrateful grads: hard to find a helping hand

One cyber master, wanting to move forward with her career, was disappointed when her apprentices were unimpressed by the prospects of working in a blue team. She heard them saying they didn't graduate from the university with a cybersecurity certificate to close alerts or monitor the network.

“They were expecting something from a movie,” she wondered.

Others even claimed that the “majority of undergraduate cyber majors in the US are a cash grab” and overhyped, leaving students “woefully unprepared for an entry-level position, and students are better off just studying computer science, engineering, and information systems.”

“Which is why I'm hesitant to hire new cyber grads or people from a cybersecurity bootcamp. I know there is a shortage of cyber people, but the shortage is about qualified cyber people,” one Redditor shared.

According to Isla Sibanda, an ethical hacker and cybersecurity specialist from Privacy Australia, shortages lead to shortages, and this is a systemic issue.

“A lot of cybersecurity professionals are leaving the industry majorly due to the consistent staffing shortages. Organizations are unable to retain employees, and this only adds to the pressure cybersecurity teams face,” Sibanda said.

The circle closes and leads back to the “stupid questions.”

Cybersecurity isn’t only about IT systems

According to Nir Kshetri, professor at the University of North Carolina-Greensboro and a research fellow at Kobe University, the main factor contributing to the feelings of dissatisfaction is that in many companies, cybersecurity is still viewed as a siloed staff function that is managed by IT specialists, and cybersecurity is treated as a secondary business activity to support the line functions that help businesses achieve their objectives.

“While some organizations are realizing that it’s time to replace this outdated thinking and make cybersecurity a mainstream function in organizational and business activities, this has not been the case in many. There are cases of Chief Information Security Officers (CISOs) and top cybersecurity professionals quitting their jobs because they’re not valued by the top management,” he said.

One example is Yahoo’s first CISO, Justin Somaini, who was hired in 2011, was reported to be unhappy, and left the company in 2013. Somaini alleged that cybersecurity employees were not valued by its CEO.

Kshetri believes that Chief Information Security Officers (CISOs) must be able to articulate the value of cybersecurity in order to address this issue.

“A common complaint is that most CISOs often fail to link cybersecurity posture with broader goals, objectives, policies, or strategies. CISOs are thus partly to blame. For instance, if CISOs provide reviews of threat detection software updates or systems patched in a meeting, the board members may not understand the relevance in the context of broader goals,” he said.

“It requires going beyond the IT systems and their vulnerabilities.”


prefix 9 months ago
Cybersecurity is a boring field after being 23 years in the business, I have seen it all.
prefix 9 months ago
I think the issue is really a lot of people feel that they are set up to fail and management prioritizing issues.

Imagine upper management not listening to anything from your blue team of how to actually secure the systems, and instead are given almost endless checkboxes to meet immediately, but it takes dozens of meetings months on end to even discuss a single checkbox change, but in the end still get denied to make the improvement.
prefix 9 months ago
My biggest concern is that in the mind of the top management and general public, cyber security is essentially an IT thing. But it is essentially a cross functional task involving IT, human resources and education, finance and risk management, and many legal aspects. A CISO must be allowed to navigate between all these groups at least as a consultant and must receive their support.
prefix 9 months ago
I'm sorry but as an actively employed blue team lead I just do not understand all of the complaints. I've been in the industry for more than 20 years and do not regret one minute of it. Is it because cybersecurity in real life is not like it is on TV? Cry me a river if that is your complaint.

My advice to all the complainers - maybe cybersecurity isn't for you. There are plenty of other jobs out there in tech and not in tech you could be doing instead.