Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
New Research on Burnout and Performance in Cyber
155 Plays19 days ago
Dr. Kashyap "Kash" Thimmaraju joins the show to talk about a new study on burnout, wellbeing, and flow state in security operations.
George K and George A talk to Kash about:
- New research using psychologically validated scales to measure burnout in cybersecurity professionals
- How "flow state" might be the key to better performance AND preventing burnout
- The impact of remote work and isolation on security teams
- Practical techniques security leaders can implement TODAY to support their teams
Protecting our human resources is just as important as protecting our digital ones.
Dr. Thimmaraju and his co-authors' research points to a significant gap in how we understand and support the mental wellbeing of security professionals. It's time to start changing that conversation.
Mentioned this episode:
- Human Performance in Cybersecurity Operations Paper: https://flowguard-institute.com/wp-content/uploads/2025/03/Human-Performance-in-Security-Operations.pdf
- Human performance in cybersecurity survey: http://flowguard-institute.com/hpcs
- Flow Guard Institute: http://flowguard-institute.com
Recommended
Transcript
Introduction & Survey Results
00:00:00
Speaker
The survey that we conducted, so we measured, we sort of asked participants on social connectedness, so like close social relationships.
00:00:11
Speaker
And this is actually an aspect where they actually scored quite low on. So in addition to scoring low on physical and mental health and low happiness and life satisfaction, um social relationships were also life aspects that they didn't score well on.
Podcast Introduction
00:00:35
Speaker
Yo, yo, This is the show. It's Bare Knuckles and Brass Tacks, the cybersecurity podcast that looks at the human side of the industry. I'm George Kaye on the vendor side. I'm George Kaye, Chief Information Security Officer.
00:00:47
Speaker
And today our guest is Dr. Kashyap Demiraju, a.k.a. Cash.
Dr. Demiraju's Research on Burnout
00:00:53
Speaker
And speaking of the human side, May is Mental Health Awareness Month. And the reason we have Cash on the show because he is the lead author of a paper that just came out looking...
00:01:05
Speaker
at burnout, wellbeing and flow state among practitioners. And ah we just had to have him on because it's the first study that we've seen that uses scientifically validated instruments instead of vendor surveys to try and not only figure out what are the causes of burnout in the SOC, but also what are some psychological interventions or potential solutions So we get into that research. It's a really, really cool episode. Yeah, I thought um dr Cash was pretty amazing. um i don't think I've seen anyone specifically do this level of research specifically on the security operations analyst.
00:01:45
Speaker
I want to call it. psychological crisis because it's a bit of a crisis. Yes. I think we managed to call out and address a lot of issues that folks working on the the deep practitioner side go through.
00:01:59
Speaker
um i think this is going to be our first of probably many future episodes with Dr. Cash as he continues to upgrade that research.
Psychological Safety in Cybersecurity
00:02:07
Speaker
And I hope that our conversation today just gets people thinking about the problem in a certain way and at least recognizing that there is a problem and we need to fix it. And we're going to lose the bulk of our talent in our industry before they ever even make it to a director level if we don't help create psychologically safe spaces for them.
00:02:29
Speaker
Absolutely. Check out the show notes. If you are a practitioner and you'd like to get in touch ah either with Dr. Cash directly about his research or participate in a new study that they're launching or participate participate in survey, check out those show notes. If you are in a SOC, if you are an MSSP or you are otherwise managing those operations, also feel free to get in touch.
00:02:51
Speaker
All right, let's get into it.
Purpose and Impact of the Study
00:02:54
Speaker
Dr. Kashyap Timuraju, welcome to the show. Hi, George and George. Thanks for having me. It's a pleasure to be here. Yes. Before we get started, I will tell our listeners that ah Cash approached us with a cold email, cold LinkedIn DM, but possibly, and I shared this with George, the best one I have ever gotten because there was so much context. It was clear it was not automated and it was very specific. And so here we are. Cold outreach can work if you're not an asshole about it.
00:03:25
Speaker
But the reason we have you on the show is because your outreach was around a study that you are conducting. um i have the paper in front of me. It's called Human Performance and Security Operations, a Survey on Burnout, Wellbeing and Flow State Among Practitioners.
00:03:42
Speaker
ah Listeners will know that I also work with the nonprofit Mind Over Cyber. So obviously, a lot of overlap there. Why don't we start, Cash, with you just giving us kind of high-level summary of the purpose of the study and and what you were hoping to accomplish with it?
00:04:01
Speaker
Yeah, sure. um Yeah, thanks so much for the kind words initially about my outreach. So um I'm really glad it worked out. And I think what I want to also say is that um you actually have, um you're publicly accessible.
00:04:16
Speaker
So That was cool. It's harder to reach George A. because With good reason. Thanks for that. and It's ah really great to be here to discuss the research that we conducted.
00:04:32
Speaker
um Before I maybe talk about some of the the the the paper, actually I want to give you like a brief intro or context into why we actually went about um carrying out
Burnout in Cybersecurity: Scope and Challenges
00:04:45
Speaker
this research. and This actually happened maybe like 2023 in June, where I was looking at some of the world problems that um that exist today, and I came across burnout.
00:04:58
Speaker
And, you know, like the WHO and ILO have mentioned a lot about burnout and how it impacts our productivity. There's so many millions of people suffering from anxiety and so on, depression and other mental health conditions.
00:05:11
Speaker
And given my background in security or cybersecurity, um I just Googled like burnout and cybersecurity. And what I came across was really astonishing because I saw so many reports and accounts of people reporting high levels of stress and feeling burnt out.
00:05:32
Speaker
And i started to dig into that a little more, given my background in academia and I'm a researcher. I started to look into the scientific literature in this space and I And what I found was that there was very little research conducted in this area. you know There was like one major study done in 2015 by Sundar Murthy and his colleagues where they proposed a theory for burnout in security operation centers.
00:06:03
Speaker
And then there was another study along that time that came across um that was proposed by Dykstra and his colleagues where they came up with a survey to measure stress, ah fatigue,
00:06:16
Speaker
and its impact on cyber operations. And after that, the only other study that I came across that looked at burnout in, let's say, security operations or incident responders was earlier last year, 2024, where Nepal and his colleagues from Microsoft Research looked at burnout among incident responders. And that was really, like I would say, very, very extensive study on incident responders.
00:06:47
Speaker
It was primarily focused on burnout and other things. um And so I was particularly interested in this because I think that burnout is actually a human problem and a lot of the work that's done on the research focuses on the tools.
Methodology: Validated Scales & Vendor Surveys
00:07:08
Speaker
yeah and this study essentially uses psychologically validated scales to measure not only burnout, but well-being and so-called flow state. Flow state is this feeling or the state in which we feel and perform our best. I think we've all experienced this. you know It's like being in the zone, it feels effortless and we lose sense of time and so on.
00:07:36
Speaker
do And what we really wanted to do with this study was to confirm anecdotal evidence of burnout because there's so much market research or recent non-scientific research out there that says there ah there there's stress in burnout, but nobody really used psychologically validated scales to actually measure this. And that was really- i want Yes, I want to pause there just for the audience. Like there's a no shortage of studies, but they tend to be sponsored by vendors.
00:08:07
Speaker
And sample sizes tend to be quite small. And the thing that kind of irks me the most is that those the questions in the studies tend to somehow guide you in the direction of the product that's being sold. Right. So if it's a SIM vendor, they talk about alert fatigue, if they're whatever.
00:08:27
Speaker
And so, a yes, it's very anecdotal, but there has to date, that's why your study stood out to me. There hadn't been anything that used scientifically validated mechanisms. And um yeah, so that was ah that was that was a standout of this. Sorry, I'll let you continue.
00:08:44
Speaker
Yeah, and I think what we were also trying to look at with this study is not just like the negative aspects of mental health, which is, you know, the burnout and feelings of exhaustion and stress, but we also wanted to look at how engaged are, you know, people or the cybersecurity workforce. So are they able to get into the flow state on what aspects of the flow state do they really score high on and what don't they?
00:09:13
Speaker
And to be able to identify what, um leadership management and you know policies we can come up with to be able to help people get into the flow state as well as prevent burnout.
Improving Performance by Addressing Burnout
00:09:27
Speaker
And so this is sort of like our first take on the whole idea of preventing burnout, improving wellbeing will result in better human performance and as a result, improve security outcomes.
00:09:43
Speaker
I find that fascinating, doctor. Really, it's funny. like I started my cyber career in security operations, working in a standard traditional SOC that I like to kind of think of when I think back to those years as a weird, low-grade sitcom, because that's what it felt like.
00:10:01
Speaker
It's like the the the shit that would happen was ridiculous. We had a guy, geez, i had a guy who was, these are shift relief, right? So it's all shift work operations, as as I'm sure you know. And not everyone at the lowest levels. Like now people, I think, because the the expectations to hire are way too high for entry level positions. i mean, like they they put the bar way too high and There's so much pressure just to get in that there's a lack of a human experience in the SOC. When I got my first job, it was like 2016.
00:10:33
Speaker
So 10 years ago, the attitude was more like, oh, hey, like you really want to do this. You're curious. You're cool with computers. like You know, we'll give you a shot and you might get a shot for like six months to a year because really the industry needed people and no one understood the potential of what a career in cyber could be at that point in
Isolation and Social Connectedness
00:10:53
Speaker
time. The industry is a lot less mature. It was in the middle of SAS 2.0.
00:10:57
Speaker
um I found that that human experience was a bit better because I had to, just for example, guy who came in on the shift after ours And my shift may happen to be a sergeant I work with in the Army. So we we had a past relationship and it's kind of a theme in cyber.
00:11:13
Speaker
um And he, one time he ah got so drunk when he came into work, he ended up going into one of the boardrooms and passing out. I needed to find him there.
00:11:25
Speaker
So we to wake him up to get on his shift. Another time he partied so hard, he ended up parking his car, I think somewhere in one of the adjacent parking lots to the building. And like he, whatever, barely made it into work. I'm pretty sure she should have been, should not have been legally driving.
00:11:44
Speaker
And at the end of the shift, he forgot where he parked his car when our director came in. And that turned into a whole incident. And then, you know, there was just all sorts of other it was an eclectic group of about 20 of us that were fairly narrowly typical. And they're all kind of weird their own ways.
00:12:02
Speaker
Most of the folks are really hardworking, but you get these characters. Right. And so it creates this kind of like bonding in the group as you're going through the shift work lifecycle. And we all have to be it in an office.
00:12:12
Speaker
And our office was a traditional CSI looking sock. Now, there is no camaraderie, right? Most of these operations are virtual. If you're lucky, you have an in-person operation, and it's so filled with security and so filled with HR policy, we can't be human beings with each other. We can't joke with each other. We can't connect with each other on a genuine level.
00:12:36
Speaker
And I think loneliness plays a huge factor being experienced right now by software. Yeah. And I think a bigger part of the problem, especially based on some of your research, ah George has given me the paper and I kind of skimmed it over a few days ago. You know, I appreciate where you come from. I haveve i have a psych degree from like at the undergrad level.
00:12:55
Speaker
And so it's a non-traditional cyber educational background. But I found because i had emphasized human connection over anything else in my career, i was able to find success. But then you find the people who just...
00:13:08
Speaker
they're pure tech or they they don't really think on those terms, they're the ones that end up more disposed to burn out because it seems like organizations are more disposed to use them up until they burn out.
00:13:21
Speaker
In your research and in your findings, especially with some of the interviews with the participating analysts, How often did you find socialization, either in their own personal lives or within their work lives, to be a critical factor in whether or not they could stave off and have resilience to burnout, or whether it was just a matter of time before they fell into the pit?
00:13:42
Speaker
Yeah, that's that's a really interesting observation and question. And I like also how you sort of compared with what it was in the past and how it is now. um That's actually really interesting.
00:13:54
Speaker
I also... And you also made a point on you know job descriptions. We're actually doing some research on that as well. um To answer your question, I have i have heard, so that there was a talk by one of the ex-CISOs from Intel.
00:14:13
Speaker
um I forget his name, Malcolm something. And he really mentioned you know isolation is actually a really important um aspect that a lot of CISOs in particular also experience.
00:14:28
Speaker
um From our research, the survey that we conducted, so we measured, we sort of asked participants on social connectedness, so like close social relationships, and This is actually an aspect where they actually scored quite low on. So in addition to scoring low on physical and mental health and low happiness and life satisfaction, um social relationships were also life aspects that they didn't score well on.
00:15:01
Speaker
um These were surveys done. So we haven't yet um interviewed people to collect qualitative data on this, but it would definitely be an interesting aspect ah to consider Because I think, I mean, at least from this research, what we also see is a lot of the ah participants and from this study and also from you know other other literature as well, score really high on meaning and purpose. So a lot of them really find meaning and purpose in what they do.
00:15:34
Speaker
But somehow, I think, like you said, by moving out of the office and being more distributed and virtual, ah the so and the social aspects are lost. And that might also be um one of the triggers for burnout. So there is research. So there is a model for looking at research by Leiter and Maslach, where they talk about the six areas of work life and work.
00:16:03
Speaker
In addition to workload and autonomy um and values, ah comun and ah fairness, recognition, community is also a huge aspect. And so if people feel that lack of community, that can also be a trigger for burnout.
00:16:20
Speaker
So I think based on what you said, um this is definitely something to dig deeper into in the research that we ah want to continue doing.
00:16:31
Speaker
I hope that answers your question in some form. No, it doesn't. I think it'd be interesting to see kind of within demographics how you can segment that because I think I am very much not a supporter of RTO, but I do think it's kind of a a weird place to place this. And I think psychologically, I'd love to see that from a developmental life cycle point of view,
00:16:54
Speaker
If early in our careers, especially early in a cyber career, you had to work together in an on-site location, you had to do it at least for your first three years. And then everything afterwards is remote.
00:17:07
Speaker
I think what is lacking in this generation in tech and probably in industry altogether is we need that phase of time where we're actually stuck together Having to learn to deal with one another, to be correct fits with each other.
00:17:20
Speaker
the The biggest part of our problem, the business is always going to be the business. We're always going to be driven for EBITDA in a capitalist system. That is what we've been born into. I'm not going to say sign up for it But if we don't have the ability to connect as human beings, I think researchers like you, you're going to end up capturing very accurately the consequence of the problem, but it's it's not going to land on the the the source of the problem.
Loneliness and Work-Life Balance
00:17:49
Speaker
And I would love to see your work leading a global conversation to talk about loneliness in our industry, because I think that's that's one of the biggest factors. I didn't really see it within the paper.
00:18:02
Speaker
Yeah, sorry. Let me jump in. Can I turn the tables? for it. Yeah, go for it. So, George, you manage a ah ah largely remote team. So what are...
00:18:14
Speaker
either some triggers that you see or ways that you manage through that loneliness. I know you guys have some get togethers, but like in the day to day living in slack sort of. The biggest thing is is because this is the factor that's tough with some of these surveys.
00:18:28
Speaker
I think how they manage their home lives, how they manage their lives outside of work. has the biggest direct impact. I think it has a big impact when they're working at an office, but when you're at an office, there's a bit of an escape. Like you can separate your home life from your office life. And when you go in the office, you're supposed to leave it all at the door.
00:18:46
Speaker
But for a lot of folks who are going through overly stressful times in their home lives, that gives them an escape. And so they'll often dive into work. Like if you see someone who's like super, super putting overtime hours into a regular work cycle,
00:19:00
Speaker
There are reasonably good odds that they're they might be going through a breakup or a divorce, just as ah a telltale example. I think dealing with things now, I've had to take an approach where if I know my team is always delivering on time or if they can't, like ah they're always very proactive.
Leadership Challenges in Cybersecurity
00:19:17
Speaker
I do not micromanage them. The promise I've always given them is if you have to take time, if you have to deal with something at home, you have to deal with your kids, you have to deal with some government administrative issue,
00:19:29
Speaker
You always have that time available to you. I don't care. My focus is not on someone punching a time card and being on their seat and monitoring the motions of their mouse.
00:19:40
Speaker
My focus is on a delivery centric mindset to management. I don't think there are enough people though that can implement that or know how to implement that. I had the benefit of going through the Military Officers Academy in Canada, which was heavily on leadership training, understanding group dynamics.
00:19:59
Speaker
I think we sorely lack management and leadership training in the industry in general. We elevate technical leaders into positions of leadership and just expect them to succeed. Most of these folks didn't even want to lead people in their careers.
00:20:13
Speaker
Right. So I think I don't know, Doc, what are your thoughts? Like, is there a benefit from having a period where early in your career, especially given the way networks work and given the way careers flourish together, where you have to go to an office site, you have to spend time close with your colleagues versus when you start your career and you're fully remote the whole time.
00:20:35
Speaker
Do you think that impacts socialization? Well, I mean, so firstly, social aspects are key, right? I mean, it's it's in our body, it's in our neurochemistry. We have oxytocin, which is released when we actually make contact with other people. So shaking hands, hugging, um sort of being next to other people, that gives us this feeling of togetherness.
00:21:02
Speaker
um It's also with nature as well. um Right now, I think what you said makes a lot of sense. it's It's hard to say for me right now. um I'm not an expert ah psychologist at this point, but I think that as long as some people have social connectedness, that's what really matters.
00:21:29
Speaker
because for some And and it depends on the personality as well, because different people there there are different personality traits. and As long as people have, so when you say loneliness, people want to feel alone, but they don't want to feel lonely. And so it could be a result from work or it could be a result from their personal life.
00:21:52
Speaker
And I think that for me personally, i have a family, i have i have my partner, I have two children, I have um grandparents around. So I still have the social connectedness feeling,
00:22:05
Speaker
um And then when I come into work, it's primarily I'm like, it's mainly me working with other people. um For so many people, that might not be the case. And yeah, it's it's hard to say at this point.
Pride Month and Support Initiatives
00:22:21
Speaker
um
00:22:25
Speaker
Hey, listeners, this June, we will once again be supporting Pride Month with our T-shirt campaign to raise money for scholarships for LGBTQ plus students in cybersecurity programs, both graduate and undergrad.
00:22:38
Speaker
In the month of June, all profits from any Pride gear purchased from the BKBT swag store will be donated. That's all profits. Last year, we put this together in a hurry and we still managed to donate a thousand dollars.
00:22:50
Speaker
This year, we're looking to do a lot more. Why? Because this year is not like last year. Queer communities are facing backlash and corporations are shrinking back into the shadows.
00:23:02
Speaker
To that we say, that noise. We've never feared a fight for just causes and we believe hiding is just pre-surrender. So we are looking for courageous vendor partners and individuals who will consider matching donations to help us multiply our contribution.
00:23:22
Speaker
If you'd like to remain anonymous, that's cool too. After all, it's about getting resources to those who need it. So if you are interested, reach out, either us on LinkedIn or through the official email, which is in the show notes.
Flow State and Burnout Solutions
00:23:41
Speaker
We've gone over the study and I think its implications are pretty broad because I think it's good. Well, as any person who listens to this show knows, we hate problem admiration, right? So the idea that, yes, let's clinically...
00:23:58
Speaker
establish a burnout problem, but like if flow state is a solution, that's very helpful, right? Instead of just like, oh, look at, look at how bad it is. um Talk a little bit about what are the limitations of this first study? And I know that you're going out for grant funding for another one. And what are your goals for that a longer study?
00:24:17
Speaker
Yeah, thanks. um So what we want to do, so this was just a first take. at this whole um vision that we have of preventing burnout and improving wellbeing, and as a result, improving security outcomes.
00:24:34
Speaker
We think that flow state could be an answer, but I want to also underline the fact that flow state can all like just encouraging people to get in the flow state might also lead them to burnout. So a critical aspect of this, of a,
00:24:54
Speaker
Exploring the flow state um psychology is also recovery. And that's also, so not only we do and do we need recovery to get into the flow state, but we also need it to prevent burnout as well.
00:25:08
Speaker
What we want to do is um we're planning this over multiple years. So this is this is a multi-year project that we intend to um conduct where we want to interview people. We want to really understand What are the critical aspects in their job that result in exhaustion?
00:25:31
Speaker
How does it fluctuate over time? Are there particular parts of the day that seem stressful? How does this sort of play out over the week? um what are What are they saying about their job that they find stressful?
00:25:49
Speaker
um What is it at an organizational level that's actually other there measures in place that prevent burnout? Are there measures in place that actually help them get into the flow state? Are they able to ah be able to focus?
00:26:00
Speaker
Because a lot of research has been done on developer productivity and well-being. And what they've identified over there is that developer well-being is a predictor of developer productivity.
00:26:14
Speaker
And this they they call this a developer experience. And we're sort of inspired by this um paradigm. And can we bring this paradigm to cybersecurity or security operations?
00:26:29
Speaker
The other aspect that we're really interested in with this study is the involvement or the introduction of um AI and agentic AI.
AI's Role and Intervention Design
00:26:38
Speaker
I know George has a lot of opinions. I've been listening to some of the recent episodes where he's really critical on AI and so on. And so what we're,
00:26:47
Speaker
also looking at over here is, what is the impact this has on security operations on the people? Is it actually going to help them get into the flow state or not?
00:26:59
Speaker
Is it actually going to make things worse? Because there is some research, you know, even before AI, there was like machine learning. And there were like tools using machine learning that could help address alert fatigue and so on.
00:27:11
Speaker
But there's still the issues of ah false positives. And Is AI gonna change that? Is it gonna make it worse? We don't know. um And then we also wanna look at how we can actually prevent burnout by designing strategies and interventions for SOC analysts.
00:27:33
Speaker
um Could be incident responders, people working in threat intelligence, forensics, um different roles. What can we do based on the interviews and the observational studies we make?
00:27:47
Speaker
to design targeted and interventions that are actually relevant because a lot of tools out there say, yeah, we're going to reduce alert fatigue, but there might be other aspects because research has shown, you know, there's workload, it's changing priorities.
00:28:01
Speaker
um Communication is a big issue, lack of training. There are so many other factors, sociotechnical factors that are involved that we want to we want to really understand and be able to derive interventions based on those factors. Yeah, that's ah that's a good point. um It's never one thing, you know, that's creating those conditions.
00:28:23
Speaker
um Yeah, over to you, George. Yeah, you know, it's funny with the parallel because George and I, um you know, recently we we started doing some keynotes in person at certain events and been pretty fun.
00:28:33
Speaker
um One thing that we've kind of led into recently and it's kind of based on my experience, George and are both pretty athletic old dudes.
High-Performance Strategies
00:28:42
Speaker
And i i grew up playing high level athletics my entire life. I still compete in combat sports today.
00:28:52
Speaker
And when I was in some university football programs and some rugby programs, we always had a professional sports psychologist. um And even now, like with fighting, if you're going to go into a big training camp, you you can get yourself a psych as well to help you out.
00:29:07
Speaker
I ah really try to parallel that high performance training mindset and and grounding and centering that you know performance psychology gives you into to manage our teams.
00:29:20
Speaker
I think that might be one path. I think it's it's it's a tool. It's not the be all end all. If if we had the budgets for it, honestly would love to have a sports psychologist or or a performance psychologist as part of a security team.
00:29:35
Speaker
It would be the dream of all budgetary dreams. It would never happen. man. Yeah, that's awesome. if you had a counselor there that could actually talk to you about, hey, I'm not feeling my best today. Because the thing about flow state, you bring up a really good point, Doc.
00:29:49
Speaker
You can't be in flow state forever. Flow state is flow state for a reason. There have to be days that are low tempo. There have to be moments where you breathe, right? Even when you're doing any kind of and interval, like physical training, whether it's Tabata whether you're you're prepping for your sport.
00:30:04
Speaker
When I'm doing things in my sport, it's usually in cycles of like 20 to 30 seconds of going hard with a 10 to 20 second recovery period. And then you go hard again, because that isn't in a fight. That's the real nature of the event.
00:30:17
Speaker
We simply expect SOC analysts to be on and active 24-7 and buy their phones and buy their laptop even when they're not at work if an alert comes. that That just can't work. It is not human at all.
00:30:30
Speaker
I would like to understand from your point of view, how based on your research, you would prescribe a program to let's say mid market shop, a team of, you know, five to 15 people running ah just a standard budget, nothing big, nothing special.
00:30:48
Speaker
But what can we do with our own teams, with our own resources internally to create, we'll say a safety net to prevent burnout for our personnel based on your research?
00:31:01
Speaker
Yeah, that's that's a really nice question. um so So there are different aspects to it, right? And I i think what you said is really important. So there there are like these stressful moments and then there's the recovery.
00:31:13
Speaker
And they they the stress, the amount of stress or rather the interval depend ah varies. So if we have long intervals of stress, we need equally long intervals of recovery as well.
00:31:27
Speaker
um So that's key. I think this there is no like one size fits all, but there are definitely measures um you know individuals can take, teams can take, and also organizations can take.
00:31:46
Speaker
One idea that I've been playing around with, um and this is combined, like looking at the chronobiology of people.
00:31:58
Speaker
walk him Because different people have different chronobiologies. I mean, there are morning people and then evening people. that you know You have like the larks, third birds, and then ah the night owls.
00:32:10
Speaker
Can we actually synchronize the chronobiology with the shifts? If you have shift rotations, can we match people into, depending on their chronobiology, to the right shift?
00:32:21
Speaker
This might actually have... um An interesting outcome. I haven't conducted the research on this, but this might actually be something worth looking at.
00:32:33
Speaker
um But to be a little more concrete, I think active recovery is really important. So if you have a stressful moment, um it's really important to have breaks. I mean, this is this is just like standard stuff.
00:32:47
Speaker
Please take a break. But I think what we are trying to understand from our research is can we actually, because we have wearables right now. And if people wear Apple watches and, you know, Fitbits and so on, it sort of gives them these nudges to take a break and so on. So breathing is really crucial.
00:33:07
Speaker
And the reason these kinds of techniques are important is because it's actually regulating our nervous system. And that is sort of like the key concept to keep in mind. So what At whatever level you are in, um regulating the nervous system is key. And so if we are in a stressful moment, we're actually activating our sympathetic nervous system.
00:33:29
Speaker
And what we want to do to recover from that is to engage the parasympathetic nervous system. And how do we do this? So you could do this through breathing. You could do this through some kind of ah sports activities.
00:33:42
Speaker
um You could take like splashing cold water on your face. You know, Josh Waitzkin, one of the ah most famous chess players, um ah wrote about this in his book, Art of Learning, where he would be in the middle of a chess game and he'd just go and splash water cold water on his face and then go like sprint back and forth and then come back and make his chess move.
00:34:06
Speaker
These are like small tricks people can do in their office, you know, um to recover. Taking naps is also super important.
00:34:17
Speaker
You know, there's like brain chemistry, there's neurochemistry um where we have fatigue, not only in our muscles, there's fatigue in our brain. How do we get rid of that fatigue? It's through sleep.
00:34:29
Speaker
And it's not just short naps, but you know, sleep is also super critical. Some of the research um that has been done has shown that people who fall into the burnout groups tend to have poorer sleep quality.
00:34:42
Speaker
And so encouraging, you know, the workforce to actually have good sleep, sleep hygiene, that's also super important. um So these are some of the, I would say, measures people can take to prevent burnout and to be able to get into the flow.
00:35:02
Speaker
um I think if we want to also look at the flow aspect, What we identified from our research is that people at least scored high on the challenge to skill balance. So it seems like people have the skills to ah meet the demands of the tasks that they have.
00:35:23
Speaker
And they get feedback on that. um But where they end, they find this experience really rewarding. um But where they sort of lack is in the sense of autonomy or sense of control, um concentration, and being feeling worried about what others may be thinking of them.
00:35:47
Speaker
And so I think what can help over here is, at least if we want to think about autonomy or control, is ah cognitive reframing. So,
00:36:00
Speaker
If we feel like we don't have agency over what we're doing, can we reframe the situation so that we so that it makes us feel that we actually have control?
Perceptions of Control and Psychological Safety
00:36:11
Speaker
um This is also something we want to look at further because control, there are two aspects to it, right? There's the internal locus of control and external locus of control. And people who fall under score high on external locus of control These are people who think that you know things happen to them and they are not in control of their life.
00:36:32
Speaker
Whereas if we have internal locus of control, we believe we are in control of what the outcomes of our life. And so is this actually quite common in the workforce?
00:36:45
Speaker
And what can we do to change that? I think when it comes when it comes to um self-consciousness or being worried about what others think, um This is where I think um psychological safety is really um important because if we're not if we don't feel safe in voicing our opinions or if we have fear and self-doubt that what we say might not be might be frowned upon or we might have a job insecurity because of it, this might also
00:37:17
Speaker
be a bigger concern. So how can we change the culture around that? Um, and then how do we, and how do we help people actually improve focus, right? Concentration.
00:37:30
Speaker
So that means, uh, not having having, for example, days in the week without meetings or being able to respect other people's calendars and being able to give people the time to focus without interruptions or having, let's say, mechanisms in place that are an understanding that, hey, I'm not going to be available on Slack for the next two hours or ah from this time to this time.
00:38:00
Speaker
um these days of the week because this is my focus time and that's what's actually going to help me get into the flow. um In this day and age where there are so many communication channels and we're expected to be responsive on email, on Slack, on WhatsApp or whatever it is, that's not going to help us ah get into the flow state and that introduces more context switching, which again makes us feel more exhausted.
00:38:25
Speaker
And I mean, if you look at I mean, that's also crazy. Just look at how many tabs people have open on their browser. so And that can already give you ah sense of how much context switching is happening, how they're not able to concentrate.
00:38:44
Speaker
I mean, it's also entered the common parlance. Like people will say, I feel like I have too many tabs open in my brain.
Tool Overload in Security Operations
00:38:49
Speaker
but also i'll tell you, doc, here's the problem, right? from ah From a guy who came up from SecOps.
00:38:57
Speaker
You have a plan for your day. You know what you kind of want to do There's usually projects that we're all involved in that we have to help out with. You get there and depending on the organization, a lot of people will dump whatever problem they have on security. It's either like corporate security, usually the two teams are working together closely, but the amount of, i don't want to say bullshit problems, but we're on we're on our show, so I didn't say bullshit problems, but end up in our inbox.
00:39:25
Speaker
And then it just derails your entire plan. And you still have delivery that you have to make on your projects because, you know, if you're a software development environment, SecDevOps, we have reviews we have to do. We have frameworks we to follow. If you're building applications, OWASP is its own other field of work.
00:39:45
Speaker
I don't know how we push back against this kind of, um I guess, lack of boundary or lack of understanding by our organizations who just throw all this work, all this alert fatigue at our teams. And then the other problem too is that we have so many different security technologies for so many different random things.
00:40:07
Speaker
The single pane of glass is only appealing because you're literally centralizing the source of where you're deriving your direction from. So if I have you know six to 12 tool suites and I'm looking at alerts popping up in at least half of them, and one of them, you know it's the endpoint layer. Another one is an application layer issue. Another one's our perimeter firewall.
00:40:28
Speaker
Another one is, hey, someone's logging in. We're in a wrong environment. Someone's logging in from a location they're authorized to be working from. all these different problems. And you're looking at this going, well, shit, where do I begin?
00:40:41
Speaker
why do we combat that? Because that's that's a whole of business level problem. yeah Yeah. And I think this is this is a really important point you're raising. And we don't have a really good answer. This is where people like you are other people who have the insider knowledge and who have the motivation and, I would say, the the the understanding and the capability to come up with solutions to address these problems.
00:41:14
Speaker
So you might have a solution for this, or you might have a way or a heuristic or a method to be able to deal with this, to be able to prioritize, and to be able to help people say, hey, you know what?
00:41:26
Speaker
For these days, we're not gonna focus on that. We're just gonna focus on this right now because this is what's really important to us right now. um
00:41:37
Speaker
There's two things I wanna say. One is research has shown that exactly the problem that you're describing, i would say I would frame it as, let's say a prioritization problem.
00:41:48
Speaker
And what they what they observed is management or leadership don't help them prioritize the work that they're supposed to do. And that's sort of leading to this increasing workload and confusion on what to work on.
00:42:03
Speaker
The second point is this, what you just described, motivates me and my research team and collaborators to actually look into this and to be able to understand this problem and come up with ways we can actually address this. Because I think based on what you're saying, it's actually a really relevant problem and we don't know how to do it. What can we do to solve this? Not just for like one or two socks, but for the entire industry in a sense.
00:42:35
Speaker
Yeah, was brilliant.
Conclusion & Call to Action
00:42:37
Speaker
um That's a great place to end. ah Cash, thanks so much for coming on the show and sharing the research and the questions. I'm sorry we don't have any nice, neat, clean answers to all of modern workforce problems.
00:42:50
Speaker
But I think this is an important start to the conversation and look forward to following ah the larger research project over time. Thanks so much, George and George.
00:43:02
Speaker
Happy to work with you in the future, Cash. Take care, brother.
00:43:08
Speaker
If you like this conversation, share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights, and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday.
00:43:21
Speaker
If you're already subscribed, thank you for your support and your swagger. Please consider leaving a rating or a review. It helps others find the show. We'll catch you next week, but until then, stay real.