Tips for an Information Security Analyst/Pentester career - Ep. 87- Dealing with Burnout

This time around I feel the need to face a taboo topic in the pentesting industry: dealing with burnout.

 

Most guys in this industry don't like to talk about it because they feel it as an admission of their weakness. I never thought I'd be talking about this topic either, because I love what I do and to me it's a lot of fun.

 

However, after you've done this for a while, you start realizing that you deal with recurring vulnerabilities that often never get patched and that you end up working too much, which doesn't necessarily mean being productive.

 

Working from home, at least in my case, you don't have a clear boundary between work and off work hours and sometimes you end up working way more than you should, getting burned out and feeling drained of any energy. Not all the aspects of this problem are personally referred to myself, to be 100% transparent, but I can relate to a lot of them. Over time I developed some ideas that helped me deal with this problem, and I'll share them with you guys.

SLOW DOWN TO GO FASTER 

Putting billable hours in is important, but pentesting is also a matter of quality, other than quantity. If you keep going for hours when you're burned out, this doesn't do any good for you or your client, as you're getting nowhere. Often times, taking a break and getting back to what you were doing with a clear mind later on goes a long way.

Actually, this method often allowed me to have major breakthroughs and pop shells. 

Therefore, allow yourself to take breaks, because you're not a machine, for God's sake.

Get a snack, go outside, walk the dog for 10 minutes and then go back at it refreshed. 

FOCUS ON THE MOST IMPORTANT TASKS AND DECIDE WHEN TO STOP FOR THE DAY

I normally make a list of the most important tasks I need to accomplish over a day and try ticking them off one at a time.

I found I needed to force myself to put my work laptop away at a certain time (unless something major pops up) and call it a day. I actually found out I got more productive that way, because I focused on a certain number of high-priority tasks only and, when I cross them off, I'm done.

FIGHT YOUR INNER DEMONS 

My interactions with my coworkers are virtual, as I'm remote.

Though I don't miss being in an office or I feel any desire to go back to that type of experience, that can often make you feel detached, like you don't matter. We all have that nasty inner voice telling you that you suck, they're gonna find out you're a lie, they're gonna fire you, blah blah…

 

Don't allow that voice to take you down, and fight it back. I find the best way to push it away is to grab my laptop and start working.

You might want to seek help when you're stuck, but also offer help.

I often find helping others distracts me from my worries and makes me feel better.

PURSUE OTHER INTERESTS OUTSIDE WORK

I'm extremely passionate about my work because to me is more than a job, so I mostly deal with hacking for fun, other than work. I still keep going through Vulnhub, HTB, etc. but, after a while, I realized I needed to do something different than information security when I don't work, in order to be a better person and recharge my batteries. When you dealt with a complex pentesting engagement for most of your day, maybe you might feel a little less enthusiastic about playing a CTF. You did it for work, you did the real thing, so it doesn't entice you that much. Of course, that doesn't mean you should stop learning, because you need to be constantly learning for you to be a better hacker, but you also need to talk to people, spend time with your family and do something different. 

For many years I've felt guilty if I spent even one minute doing something other than info sec, because I wanted to be as good as I could get. I still feel that way but, after the pandemic, I also started feeling the need to do something else when I don't work.

 

In my case, I found music was a very good outlet for me and I started picking some instruments. I don't think I'm gonna ever play in a band, but it's a lot of fun. I also surprisingly found out that, by doing so, I could get better at my job. 

SHARPEN YOUR MIND AND FOCUS ON IMPROVEMENT

Passion is important, but a clear mind is yet more important to get a good job done. Getting burned out doesn't do any good for your company, your clients and, above all, yourself.

You can't do quality work when you don't think straight, because you get so swallowed by your inner darkness that you can miss the opportunities in front of you.

My testing relies on automated tools, but it's mostly done manually, on any individual page, input field, search field, wherever I can enter something malicious.

When my mind is clear, things click pretty quickly for me. My mind is my working tool and I need to keep it sharp and clean, like an engine. Take care of it, and it'll work wonders for you. Let it decay, and you'll soon be gone.

FRESHEN YOUR PERSPECTIVES

After a while on the job, you start following a pretty repetitive approach, and this might demotivate you.

I found that using new tools and also learning how to use my tools in ways I hadn't considered or thought about it before fills me with a new enthusiasm. I'm always after ways of improving what I do and get faster, and I think there's always room for improvement. Even if you do a good job, you can always do better and you should always look forward to getting better at what you do.

 

Mentoring and training others can also produce alike beneficial effects. By explaining well-known concepts to junior guys, you get actually forced to relearn them and thinking about them in a new way.

We hackers are innovators, not bureaucrats. The moment you become a bureaucrat, and you settle down on a routine, you can't keep doing this job, the way I see it. That's why it's so  hard, and it's not for everyone.

LOOK FORWARD BUT ALSO REMEMBER WHAT BROUGHT YOU HERE

I tend to look forward and think of what I can do better but sometimes I tend to forget all the struggles and efforts that led me where I am now.

We all have an imposter syndrome in this industry and mine is huge. I often think there's too many people brighter and better than myself and my head starts spinning with a bunch of stuff like that, until I think of how much effort I put to get to where I am right now and how long it took me. I often forget how many baby steps I had to take to get there. I could connect the dots only after so many years, quoting Steve Jobs' famous Stanford commencement speech. 

 

I often thought I was going nowhere, but I never quit. As a matter of fact, every single baby step and every choice I made brought me here: going to community college, working with Dave Kennedy, getting two degrees, multiple certifications, getting back to the info sec industry, with a crappy job first and finally becoming a penetration tester on top of that. And I know I'm a nobody, and I don't want or need fame, but I'm proud of what I did. Every single choice I made had its own function and brought me one step closer to my goal.

When your head starts spinning like that, think back of this and feel proud of your accomplishments, no matter how little. You're the only judge when it comes down to this, don't let anyone belittle your achievements. I'm particularly harsh to myself, and I think I can do way better than this but I'm nonetheless proud. I can only thank myself. I kept going, no matter what, and in the end my dreams came true. I had a great support system, I need to say, but hard work is needed. You don't go anywhere without it, unless you're a genius.

Wrap-up

Even though so many in our industry are into superheroes, we're not Ironmen.

We're human beings with our flaws and weaknesses and, though we love what we do, we also need to learn how to disconnect every now and then and take the time to recharge our batteries.

Burnout is a very serious though little debated problem in information security, but it can lead to severe issues, including mental diseases, if left unchecked.

We all tend to be overworked and we love what we do, so we don't mind that, but we often forget we're human beings, and human beings need time to recharge.

I debated whether to actually publish this post or not, but I ended up doing it because I believe it can help raise awareness and open a conversation about this issue.

I'm not the best person when it comes down to social media conversations (I really hate this term), and not much into social media myself, but sometimes talking about common issues with other people experiencing your same problem can offer you a different perspective and make you think of different ways for you to face it. Changing the way you think of something can often times give you a different solution you hadn't thought about before.

Archimedes famously said: "Give me a lever long enough and a fulcrum on which to place it, and I shall move the world". Our mind can be the lever for us to completely change what we do and improve our world. 

 

We simply need to want it.