Dear cybersecurity professionals: you're not Emergency Room Doctors (and that's OK!)
As we approach the Christmas holidays, I’ve been thinking a lot about the unique pressures faced by cybersecurity professionals. While scrolling through various security forums and social media, I keep seeing the same pattern: dedicated professionals canceling family plans, working through Christmas dinner, or spending New Year’s Eve monitoring security alerts instead of celebrating.
And you know what? This needs to stop.
Don’t get me wrong – cybersecurity is crucial, but somewhere along the way, we’ve developed this mindset that we need to be available 24/7, ready to jump into action at a moment’s notice, as if we’re emergency room doctors waiting for the next critical patient to arrive.
Here’s the thing: We’re not ER doctors. We’re not firefighters. We’re not air traffic controllers. And that’s perfectly okay.
The False Emergency mindset
Let’s be honest for a moment. How many of those “urgent” holiday incidents were genuinely catastrophic? How many couldn’t have waited until the next business day? I’m willing to bet that for most of you, the answer is “very few.”
Yes, a ransomware attacks can be devastating. Data breaches are serious. Network outages are frustrating. But in the vast majority of cases, these incidents don’t put human lives at immediate risk. This isn’t to minimize the importance of our work – it’s to put it in perspective.
When a doctor steps away from Christmas dinner, it might be because someone is literally dying. When we step away, it’s usually because:
- An executive forgot their password
- A security alert needs investigation
- A critical patch needs to be applied
Important? Yes. Life-threatening? Rarely.
The real cost of constant vigilance
This always-on mentality is taking a toll on our industry. We’re seeing:
- Burnout rates skyrocketing
- Mental health issues becoming increasingly common
- Family relationships strained
- High turnover in security teams
- Decreased effectiveness due to stress and exhaustion
The irony is that by trying to be available all the time, we actually make ourselves less effective when we’re truly needed. Sleep-deprived, stressed-out security professionals are more likely to make mistakes, miss important details, or make poor decisions under pressure.
A message to management
If you’re in a leadership position, this section is particularly for you. Your role isn’t just to protect your organization’s digital assets – it’s also to protect your team’s wellbeing. Here’s what you need to understand:
-
Your Security Team Needs Real Downtime Creating a culture where team members feel they need to be constantly available isn’t just unhealthy – it’s counterproductive. Well-rested, happy employees make better decisions and spot threats more effectively.
-
Not Everything Is an Emergency Develop clear guidelines about what constitutes a genuine emergency requiring immediate response versus what can wait until the next business day. Be ruthless about enforcing these boundaries.
-
Adequate Staffing Is Crucial If your security team needs to be on call 24/7, ensure you have enough staff to rotate shifts without burning people out. This might mean hiring more people or partnering with managed security service providers for holiday coverage.
-
Lead by Example If you tell your team to take time off but then send them work-related messages throughout their vacation, you’re sending mixed signals. Respect their time off, and take your own time off too.
Practical Steps for a Healthier Approach
So how do we fix this? Here are some practical suggestions for both security professionals and their managers:
For Security Professionals:
- Set Clear Boundaries
- Establish specific on-call hours
- Define what constitutes a true emergency
- Communicate these boundaries to stakeholders
- Develop Robust Documentation
- Create clear incident response playbooks
- Document common issues and their solutions
- Enable other team members to handle routine issues
- Build Redundancy
- Cross-train team members
- Establish clear escalation procedures
- Create backup plans for critical systems
- Take Care of Yourself
- Use your vacation days
- Maintain interests outside of cybersecurity
- Practice stress-management techniques
- Remember that your family needs you more than your SOC does
For Managers:
- Create Sustainable On-Call Rotations
- Ensure fair distribution of holiday coverage
- Provide compensation for holiday work
- Build in recovery time after on-call shifts
- Implement Proper Tooling
- Invest in automation where possible
- Use AI and machine learning to reduce false positives
- Ensure proper alert prioritization
- Develop Clear Escalation Procedures
- Define what constitutes different severity levels
- Create clear decision-making frameworks
- Establish who needs to be notified for different types of incidents
The holida ahead
As we approach this Christmas holidays, I challenge every security professional and manager to reflect on their approach to work-life balance. Ask yourself:
- Would any of your systems literally kill someone if they went down for 24 hours?
- Could most issues wait until the next business day?
- Is the stress you’re putting on yourself and your team truly necessary?
- What would happen if you actually unplugged for a few days?
Remember: You’re not an ER doctor. You’re not a firefighter. You’re a cybersecurity professional, and that’s more than enough. Your family will remember the holidays you missed long after everyone else has forgotten about that “urgent” patch deployment you handled instead.
Take care of your systems, but more importantly, take care of yourself. Happy holidays!