San Francisco — When thinking about burnout, one of the anecdotes that stands out for Brendan Smith, the chief information security officer at FirstBank in Lakewood, Colorado, is the time a customer deposited cash and a little bit of cocaine at one of the bank's ATMs.
"We don't really take those deposits, even though we're in Colorado," Smith told an audience at RSAC Conference in San Francisco this week. The conference is among the most prominent in the cybersecurity space.
The bank contacted the police, who came out and investigated the incident. They quickly made an arrest, based on the information about who made the deposit. However, they left it to FirstBank to dispose of the illicit drugs.
"They insisted it was our problem and not theirs," Smith said.
The bank called a fire department and a trash company, and neither said they could help. Eventually, FirstBank found a company that disposes of cocaine and other illegal substances safely. All Smith had to do was drive the drugs to the disposal site — hopefully without another police department pulling him over and raising an eyebrow at the cocaine.
"We did get it resolved, but that's kind of the thing that contributes to my burnout," he concluded.
FirstBank's CISO deals with fighting off burnout as much as anyone on his team of 16 individual contributors, two and a half managers and the bank's director of security, Emy Dunfee, who spoke at RSAC alongside Smith about how the bank prevents burnout. (Her burnout anecdote, from a previous job, was about a data center that caught on fire after being flooded.)
Despite all the challenges, Smith said he has had zero undesirable resignations from his team since late 2022, and none specifically related to burnout. This feat was achieved despite widespread concern across the cybersecurity industry in recent years about burnout and employee retention — both hot topics at last year's RSAC Conference.
The key strategies Dunfee and Smith highlighted in their talk were flex time, which is different from paid time off, or PTO; enabling the security team to get wins against a continuous red team; offering professional development; fostering a strong team mentality; being transparent in risk acceptance processes; and injecting silliness and appreciation into the regular workday.

Offering (and enforcing) flex time
One of the primary tools FirstBank uses to combat burnout, especially for employees involved in incident response, is flex time. This is similar to PTO but does not deduct from an employee's PTO balance.
"The concept of flex time is not new ... but we really leverage flex time heavily as an anti-burnout option for our employees," Dunfee said. For example, if a team works through the night on an incident, those individuals are cycled off and given flex time for the rest of the day and a portion of the next day to rest.
FirstBank has specific rules for accruing flex time. For every five hours of incident time worked, an employee receives a full day of flex time, and working an incident over a weekend earns an employee two full days of flex time.
Not only do individuals get this time off; the bank ensures that they actually take it, too.
Dunfee stressed the importance of keeping tight boundaries around flex time and ensuring employees truly disconnect.
"I don't want to see you on Slack. I don't want to see an email," she tells her employees. "I want you to go live your best life."
While flex time offers immediate acknowledgment and can be used flexibly, including in increments, it's crucial to encourage employees to use their regular PTO as well to prevent hoarding and ensure they take proper vacations, Dunfee said.
Continuous red team testing enables meaningful "wins"
Asking a security team to constantly review security alerts that ultimately lead to nothing is much like making a dog chase a laser pointer.
It can be funny to watch a dog chase around a little spot of red light, which is something Smith said he used to do with one of his dogs. However, after the game seemingly sent his dog into a constant state of anxiety after a month, he stopped, and he hasn't done it with any of his dogs since.

Security teams — "not saying our teams are dogs," Smith clarified — can face a similar dynamic of chasing leads that end in nothing. Cybersecurity work is full of false positives — security alerts that seem urgent at first but turn out to be nonthreatening. These can leave security teams frustrated, anxious and lacking closure after stressful situations.
In part to counteract this, FirstBank
FirstBank's engagement with a red team has been a long-term, multi-year effort. Unlike traditional short-term tests, a continuous red team operates year-round and is authorized to attack the organization at any time. This approach more realistically emulates persistent adversaries who may take months or years to breach an organization.
As previously reported, FirstBank's team went three years before the red team successfully achieved domain administrator privileges. This success was facilitated by factors including exploiting a zero-day vulnerability in an IoT device and a phishing attack that bypassed internal controls.
The team's success in detecting the red team, and the improvement in its abilities along the way, has provided invaluable lessons and boosted team morale at FirstBank.
"When your team catches the red team, they get to celebrate that," Smith said. He ensures that successful employees are recognized, even reporting their accomplishments by name to the board of directors.
Continuous red teaming can be expensive and potentially stressful, but pacing the testing based on the team's capacity and having open communication with the red team helps manage the stress. FirstBank also incorporates purple team testing, where defenders know they are working with the attackers, to alleviate stress and allow team members to see behind the curtain.
Enabling professional development
Dunfee highlighted professional development opportunities as another way to acknowledge effort and facilitate employee growth, particularly after high-stress incidents like responding to smishing attempts targeting executives.
These opportunities can range from free webinars and user groups to conferences. They can be directly related to an incident, helping analysts fill knowledge gaps, or cover entirely different areas of interest like AI or coding, allowing employees to "spread their wings."
"It is very easy ... to send someone to a webinar or a training class. Not everything has to be a multi-thousand dollar conference attendance," Dunfee noted.
Offering such opportunities demonstrates an investment in the employee as a long-term asset, not just someone who responds to alerts.
Fostering a strong team mentality
Smith emphasized the importance of leadership having deep insight into the team's mindset, going beyond standard HR exit interviews to understand why employees might consider leaving.
A key aspect of their team mentality is holding the security department to a higher standard within the organization, given their access to sensitive information. This standard builds trust and confidence among team members, knowing they can rely on their colleagues.
Equally important is aggressively advocating for the team. Smith shared an example of intervening when a team member had to interact with a difficult, aggressive colleague in another department. Making it clear that management supports and defends the team is crucial in high-stress roles, he said.
Transparency in risk acceptance
Frustration can arise when the security team identifies risks or vulnerabilities that are not immediately remediated. Smith explained that educating staff about the bank's formal risk acceptance process helps alleviate this frustration.
By explaining that a business line may formally accept a risk after being fully informed, security staff understand that their work is meaningful even if it doesn't result in immediate fixes.
"Being transparent about that is a key step as well in burnout," Smith stated.
Injecting silliness and appreciation
Finally, Smith and Dunfee stressed the importance of lightening the mood and showing genuine appreciation. This includes unconventional methods like ironic, homemade pizza party coupons for managers achieving "impossible" tasks.

Making time for non-work-related group activities, such as book clubs, card games or dedicated Slack channels for memes and hobbies, helps employees connect and relax. Providing food and beverages is a simple, low-cost way to show appreciation for both in-office and remote employees.
The key is to know your employees and their team dynamics, Dunfee said, as a one-size-fits-all approach won't work. Whether it's a pizza party, trivia game or just buying coffee, these small gestures can significantly lighten the mood after challenging periods. Dunfee cautioned against relying solely on these fun activities without also addressing compensation and other forms of recognition.
"Don't get burned with the, 'We only get pizza parties; we never get raises,' conversation," Dunfee said.