[00:00] Introduction
Jeff: Did you know that IT workers are 50% more likely than other office workers to report negative effects from working remotely? Well, in a recent survey conducted by Ivanti, IT reported longer working hours and greater tech problems about twice as often as other tech workers, and nearly one in three said they had a colleague quit due to burnout.
It seems like the Everywhere Work revolution, a revolution they helped make possible, is actually pushing IT workers to burn out.
Hi, everyone. I'm Jeff Abbott and you're listening to Executive Summary, a podcast where we explore the latest research in IT, security and the future of work and what it all means for your business strategy.
Today I'm joined by Dmitriy Sokolovskiy. Dmitriy just left a five-year post as CISO at Avid Technology to return to his startup roots. He's currently advising a number of cybersecurity startups, including Audience 1st, where he's the principal CISO advisor and lead instructor. And today, Dmitriy and I are going to break down what is causing this massive burnout problem and more importantly, what we can all do about it.
And let me set this up. In today's discussion, we're going to reference recent research from Ivanti. The study is called Defending IT Talent: How Everywhere Work Impacts IT and What You Can Do About It. And of course, this study is part of Ivanti's ongoing Everywhere Work series. We surveyed 1800 IT professionals and C-level executives across the globe to understand these challenges.
Dmitriy, welcome. A lot to cover today.
Dmitriy: Thank you, Jeff. Thanks for having me. It's going to be a fun conversation for sure.
[01:59] Increased workload, increased burnout
Jeff: Yeah. Let's start with that topic of burnout and mental health. IT experiences more negative effects from hybrid work than office workers. That's evident in the study. In fact, IT workers are 50% more likely to report these negative effects, more than twice as likely to report longer hours and almost twice as likely to report more tech challenges than your average worker. But despite this, again, only 16% say they want to work in the office full time.
So, Dmitriy, as we think about these conditions in the general IT worker professional population, the demands and stresses are higher than ever. Where's this leading? It doesn't take a seismograph expert to see where this is headed.
Dmitriy: Yeah, for sure. I mean, this is just going to continue to expand. In some ways, the way this started was unexpected, with COVID and with some of the additional things that were happening in the world. But at the same time, it should have been expected. This is where technology is moving to. I mean, we're talking about flying cars and we're talking about, you know, robotic kitchens. This is just another step in the evolution.
I really enjoyed the 16% that said that they want to work in the office full time. Right. So the people actually want to stay home. It's actually more … we are more efficient. We're more effective when we're working from home. That isn't the problem. The problem isn't working at home. The problem is that we didn't prepare correctly for working from home as part of the increase in complexity and digitalization and that whole digital transformation that's been happening. All of that is adding work, not working from home.
Jeff: Agreed. And then the other part of the study goes into the workload itself. So not only being, you know, prepared, to your point, but wow, a huge influx in work. And in fact, the study concludes three in four IT and security professionals report increased workload, 75%. Yet only 8% of organizations are prioritizing, you know, automation of repetitive tasks and other tools to help alleviate the burden.
So huge increase in work, not much prioritization on tooling, and hybrid work is massively increasing the IT organization's workload, but the IT senior leadership just isn't prioritizing solutions at the same pace.
So historically IT organizations have managed primarily with more or less resources, people power, right? But these conditions that they're now dealing with and having to manage networks and devices and access and security, it's too complex to do with just people. You've got to have tooling and solutions. So, in your view, what's holding CIOs back from investing in more automation?
[04:56] The irony of digital transformation
Dmitriy: That question kind of ties all of these things together. But it's important to understand some of the theory behind it. Ironically, no one ever thinks about theory when talking about IT. It just has to work, right? There's got to be, it's just, this this better work.
IT, and right after IT, InfoSec did for business something very important. It allowed business to become faster, cheaper, more effective, more efficient. Digital transformation for most companies, it did it. Even those that didn't do it very well, it still was an improvement to how business operated. It introduced technical capabilities to the business that weren't available before. In a way, Excel spreadsheets replaced manual spreadsheet work overnight, right? And it became what it became? That's what IT and information security did for business.
The problem was that IT and InfoSec never did it for themselves. Right? So as they were making things easier and faster and smoother for the business, they have to do that by increasing their own complexity, IT and infosec. And in a common and normal sort of capitalistic approach to things, until that starts breaking, no one is going to look at it.
And that's what's happening, right? Increasing complexity. Increasing complexity means increase in risk, means increase in work. And that's what we're seeing. All of this increase in load because complexity is going up and yet no attention from the upper management at a strategic level.
Jeff: I think you make a great point. It's, you mentioned digital transformation. Here's some of the incredible irony to me. Here you have IT organizations ... Digital transformation, we've been using that expression for, what, ten, 15-plus years, right? And who in each organization is most essential to enabling those digital transformation strategies? IT!
So here we are. You know, this organization that's meant so much over the last 15 or 20 years to change the nature of not just businesses but industries and develop a far more digital-centric experience for how they interact with customers and how they get work done and so on. And yet these organizations are not being invested in properly and to your point, didn't have time. I think senior executives just expected it, to your point, to work. It's always worked. It'll just work.
No, no, no, no, no. You're dealing with almost exponentially more devices on the network. You're dealing with, what? The greatest surge in cyberterrorism the world's ever seen, right? And granted, the IT industry is, what, 50, 60 years old, so we're talking about a steep curve there. But the fact is, and I am scared of the point you made, until it breaks, right? Will it get proper attention?
Dmitriy: Digital transformation made business digital. That was the goal. We have achieved that. Or, you know, in many places are really close to it. What that means is that now you are a digital entity. You are no longer a business for the sake of business. You're now a digital business. What does that mean?
You have to maintain hygiene, add more complex components. There are several ways to approach this, right? You can start working on simply adding people resources. Eventually, that's not enough. You can have a thousand people, but that's incredibly inefficient and businesses will not take it.
We are evolving as a species in many ways into a technological realm that is no longer biological or mechanical, right? It's now getting to the point that we are having a hard time understanding exactly how this thing works. But it is the only way to evolve moving forward. We just have to sort of plan for it.
Now, you asked, you brought up a point about automation. You cannot automate something you don't know well enough. Which means, you know, as more complex things are and the less we know about them, the less actually we are capable of automating them. So we have to go through the process of first we get them to be technologically based. Then we have to simplify it enough to know enough about it to be able to automate some portions of it, eventually automating more and more of them. But again, that's a conscious effort. That's a dedicated resource approach.
And one other thing you said, the executives are part of the problem, but not on purpose. Let's put it like that. Because again, they are also part of the business. They are well suited to manage the business the way it used to be. And because it has happened, it's happening so quickly, they're also suffering from this overload. And it's on us, on IT and IS professionals, who are much closer to the problem and understand that this is an increase in complexity, to educate up and to show them that there are tools, there are processes, there are people, that when put together in combination, can do exactly that: simplify.
And so now the orientation of IT and infosec, more importantly than IT, is not in making sure it runs. We've commoditized uptime. We are now at the point where we are trying to commoditize simplicity. If we can commoditize simplicity, we can commoditize automation. If we can commoditize automation and tie it with AI, we're going to get to the point where this thing is going to manage itself.
[10:31] Why is IT quiet quitting? It’s not what you think
Jeff: No doubt. Let's switch over to another interesting topic and a relevant one today. We've got this expression in the marketplace that's come up in the last two years: quiet quitting. You know, burnout, we know is rampant amongst IT workers. And it's leading to this notion of giving up, right? Or doing the bare minimum to avoid getting catapulted off the island, right? And that's what many are calling quiet quitting, kind of that bare minimum line.
And their reasons are not the same as their colleagues in other departments, when we speak about the IT workers. IT workers are twice as likely to cite the inadequacy of the technology they use, 23% versus 10% of the average worker. And they're, you know...
So we talk about the workload, the stress and now the inadequate resources, leading to this conclusion: "Well, that's fine. I'll drop my productivity and my own personal standards to a level that I just get by." That can be just as damaging when you think about the responsibility they have to the organization, in particular security. They're feeling like the masters of digital transformation have been given slide rules and crayons to get the job done. Right? To your point earlier, that's not sustainable.
Dmitriy: It isn't. If you add to this the psychological factor of protectors, right? People that are doing IT work and InfoSec work in many ways, like first responders, are not doing it for the money. Or maybe that's not their first priority. The first priority is protection, as well as they can do it, right? So as well as I can do something, I'm going to do it, because I'm in fact protecting something or someone.
And when I'm recognizing that, let's say I'm working in an ER, and all I've got is some Band-Aids and Neosporin and that's all I've got. Defense mechanisms in my head will eventually turn off the care component because it's going to drive me personally insane if I know that it's not happening well enough. People are getting hurt, dying. I can't help it, because the resource stack is just too low. I have to force myself to not care.
And when I force myself to not care, the primary driver behind the quality of my work is gone. And now we're down to what's been there as a process, what's been there as a tool. And it's not even like quiet quitting; it's just quiet depression. Maybe that's the way to put it.
Jeff: You put that together with, you know, being isolated, which, let's face it, remote work —
Dmitriy: It's tough.
Jeff: Yeah, it's very difficult. And so now I've lost a little purpose, I've got all these headwinds, and I'm feeling that on my own. It's not a good formula. And this is why, you know, this particular study calls out these issues so boldly because, you know, the destination is not good if you don't address it.
[13:42] The most complex challenge: complexity itself
Let's talk about complexity for a second and some of the data that prompts this topic. Security pros cite the tech stack complexity as the most significant barrier. It outpaces budget and lack of leadership buy-in by a significant margin, and security pros use, on average, six distinct tools to do their job. That's a lot. That's a lot to keep up with. And of course, any one of them goes down or has a problem and you're not able to completely, you know, do your work.
Let's go a little further on this, Dmitriy. You know, visibility, right? Even best-in-class security organizations lag in total asset visibility. So we're talking about complexity and need for tooling. And now we're talking about, you know, just understanding all of the endpoints on the network, so to speak, all of the points with which people come into the network, the tools they use to do their job.
This includes, you know, the best of the best, too. When we look at the graphic here, self-reported level four organizations, those that report the highest level of security maturity and by extension visibility, report that the visibility into the assets on their network only at 83% of the time, meaning 17% of the devices or endpoints on your network, they have no idea. They haven't even discovered and understand, are they up to security standards or not? This is core.
Dmitriy: And these are mature orgs.
Jeff: Exactly. And those are the best. So more generally, on average, only half the organizations believe they have adequate visibility. So you'd think your immediate hurdle would be, you know, the sophistication of the enemy out there, the bad actors. But the reality is your first and biggest challenge is to know the full scope of the attack surface that you're protecting. Can you, as a security professional, say with confidence that you have full visibility into the devices and the network access, etc.?
So again, another headwind here, you know, even with those that consider themselves the best of the best with the best tooling and IT resources and so on, 17% of the total attack surface is missing. And that's gotta weigh on an IT professional's mind as well.
Dmitriy: Because we know this. We know for a fact that there are things we don't know. You know that state. You know for sure there is a gap over there. And we're also trained to look for the worst thing in everything. Right, the risk management mindset. So of course in that 17% black hole over there, all the worst things are happening for sure. So we're continuously driven mad by imagining all the bad things that might be happening in that environment. So that has a toll.
But if you think about why this is happening, these things are interesting. It's that everything is interconnected, right? So we're talking about the complexity that came from this massive shift into a digitally-oriented world over the course of like several years. Not, you know, not 100 years. And so increased complexity, lack of understanding at a high enough level.
You said visibility. Visibility is a technical problem: I don't see something. It's not a strategic issue. If I can't see behind a curtain, I'll go around. You know, there's ways to deal with it. But because it is so complex, the whole thing we are lacking visibility into, and our management at a high enough level has no idea. It doesn't have, you know, even capacity to understand the complexity of what we're dealing with. The basic thing, the most basic thing — what is it that we have? – is an unanswered question by the vast majority of corporations.
And actually, not just on equipment. You mentioned devices, right? Endpoints. That's important. That's technical, but I would go even a step earlier. A lot of companies cannot tell you what business processes they have in place or what components of those business processes exist and how they're tied with each other. We're not talking technology. We're talking simple flows of I do this, you do this after that, if I want to sell a thing. People have it on a napkin, maybe. They'll sort of process it and maybe can tell you it.
We're living in the 21st century, and most corporations do not know how they make money. They know somewhat, but they can't actually put it on paper. So if that's the case about business and now we overlay this over a massively complex technical world that wasn't built for this at all. Remember, the internet was built for nuclear holocaust survival, not for buying of diapers, right? So it's a thing it wasn't designed for, a thing that wasn't done for a thing that wasn't done and is not considered and not understood and now: "Make billions. Today. Now. Go."
Jeff: Yeah, the pressures are huge.
Dmitriy: The pressures are huge, yeah. And it comes back to education, comes back to awareness, and comes back to good application of resources. Good tools, better tools, tools that can understand these gaps.
It's interesting, we're not talking about gaps in adversary capability protection or whatever. We're talking about basic things. Hey, do I have the lights on? Is a light on? Oh, I think it's on. We're not even talking about a guy throwing a, you know, a Molotov cocktail through the window. Is my light on? In the whole building. Can I even tell that or not? Do I need to go outside and look at every window? Like, this is the basics of what we're dealing with. It's pretty, pretty incredible.
[19:28] Strategic simplification – then automation
Jeff: All right, Dmitriy, you've covered a lot of ground. We've certainly described the storm. But let's leave the listeners now with some concrete actions they can take. If you had to advise IT and security leaders on one or two of the most critical actions they can take to address what we've described, what would those be?
Dmitriy: Strategic simplification. I would say that would probably be the really important thing to start wondering about and start rolling this into your strategic planning. What can you do as a company on a strategic level to simplify everything? The more you can simplify, the more you will know. The more you will simplify, the less uncertainty you will have. The more you will simplify, the more automation capabilities you will have, and as a result, the cheaper it will be for you to run your business, the cheaper it is going to be for you to defend your business and the cheaper it's going to be for you to make money.
Jeff: What I would tag onto your advice, and you've said it three times, is solutions, is tools. Right? Look, you think of the evolution of the business leader in a digital sense. In the last 20, 30 years, the CFO has an ERP system, right, with which to do their job. They have a platform. The Chief Revenue Officer has Salesforce automation, a platform, an expert platform to do their job. The head of HR has now a platform just specifically for the job of managing human resources, right, and talent.
We're getting to the point finally, where the CIO and the CISO have a platform, a platform with which to have a full view of the attack surface, all of the endpoints, all of the network access, the service required, the digital experience monitor of the company, vulnerability management, all of that coming together in an integrated platform. So whereas right now there's ten, 12, 15 different solutions stitched together, we're driving for singular platforms that allow them to do their job, finally.
And I think one of the byproducts of that, Dmitriy, is finally CIOs and CISOs are going to come out of the back room into the executive suite. Right, to your point earlier, it ain't just about making sure the laptop gets to the chief on time anymore. It's about leading the company through these storms and being far more strategic than they've ever been.
Dmitriy: Absolutely. Technology is the foundation, the cornerstone of most business today.
[22:09] Outro
Jeff: No question. So, listen, Dmitriy, it's been a pleasure. A ton of great advice, wonderfully diverse advice and different viewpoints from you today. Thank you very much for being with me.
Dmitriy: Thank you, Jeff. Thanks for having me.
Jeff: Hey, if you like what you heard today, be sure to subscribe and even better, share the podcast with a friend. And check out the show notes for the links to the research we talked about throughout the podcast. You can find out more about Ivanti and our solutions at ivanti.com or follow us on social media @GoIvanti. I'm your host, Jeff Abbott, and I hope to see you next time here at Executive Summary.