Overcoming burnout in cybersecurity and VMware’s XDR announcement

Karen Worstell is a 25-year veteran of the tech, IT and security space; she’s a senior cybersecurity strategist at VMware and a chaplain. This episode goes to many fascinating places, from her days learning coding on a TRS-80 computer, how her extremely visual and right-brained approach to learning has influenced her security journey, her experiences as a woman in the industry and how her work as a chaplain brought her back from a security industry hiatus to help people suffering chronically from burnout. There’s also a bit about XDR — and it’s a big deal!

0:00 - Burnout in cybersecurity

3:06 - Karen Worstell's start in cybersecurity

6:11 - A family of inventors

9:35 - Physical sciences and computer sciences

16:00 - Work as a senior cybersecurity strategist

18:18 - Working as a woman in cybersecurity

23:15 - Changes to make cybersecurity equitable

31:40 - Strategies for hiring equity in cybersecurity

34:00 - Burnout in cybersecurity

48:35 - Helpful cybersecurity organizations

51:37 - Why is XDR so important?

56:10 - Learn more about Worstell

56:44 - Outro

[00:00:00] Chris Sienko: Is Cinderella a social engineer? That terrifying monster trying to break into the office? Or did he just forget his badge again? Find out with Work Bytes, a new Security Awareness Training series from InfoSec.

This series features a colorful array of fantastical characters including vampires, pirates, aliens, and zombies as they interact in the workplace and encounter today's most common cybersecurity threats. InfoSec created Work Bytes to help organizations empower employees by delivering short, entertaining and impactful training to teach them how to recognize and keep the company secure from cyber threats.

Compelling stories and likeable characters mean that the lessons will stick. So, go to infosecinstitute.com/free to learn more about the series and explore a number of other free cybersecurity training resources we assembled for Cyber Work listeners just like you. Again, go to infosecinstitute.com/free and grab all of your free cybersecurity training and resources today.

Today on Cyber Work, my guest is Karen Worstell. Karen is a 25-year veteran of the tech, IT and security space. She's a senior cybersecurity strategist at VMware, and she's also a chaplain. This episode goes to many fascinating places from her days learning coding on a very loud TRS-80 computer. How her extremely visual and right brained approach to learning has influenced her security journey. Her experiences as a woman in the industry of 25 years. And how her work as a chaplain brought her back from a security industry hiatus to help people suffering chronically from burnout.

This is a great and must not miss episode, and stick around to the end because there's also a little bit about XDR, and what a big deal it is. That's all today on Cyber Work.

[00:01:51] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.

Our guest today, Karen Worstell, is a senior cybersecurity strategist at VMware, where she serves as a key resource and trusted advisor for VMware customers, partners, and the security industry at large. Pooling for more than 25 years of technology thought leadership, Worstell’s deep cybersecurity knowledge, connections, and passion for evangelizing will help frame VMware’s approach to industry trends and new technologies.

So, for Women's History Month, which, this will be appearing on the show the last Monday of March, I believe. I wanted to talk to Karen for a number of reasons that will become clear as the episode goes on. Both her experiences as a woman in the cybersecurity industry for a very long time. But also, something else very interesting that she's involved with that I'm looking to learn more about. So, Karen, thank you so much for joining me today and welcome to Cyber Work.

[00:02:59] Karen Worstell: Hey, Chris, thank you so much for having me on your show.

[00:03:01] CS: It's my pleasure. So, I always like to get a sense of our guests by learning their sort of superhero origin story. How did you first get interested in computers in tech? How far back does this enthusiasm go in your life? Is there an initial spark or a pivotal moment? Are you just always tinkering with things like computers?

[00:03:21] KW: Well, I'm a 98% right brained person. So, my orientation has always been more towards the arts and music, and that's visual arts, and that sort of thing. But I definitely had a very clear moment that got me engaged here. I was fortunate to have techies in my family, inventors kind of run in my family, and my dad, and my brother, and my grandfather, even. So, that was not like foreign to me. It just wasn't my calling. I didn't think. But when I really needed to retool my career path, I had been in biochemistry, and I had taken basically five years away from the industry because I had two small children. I knew I needed to find something to do for a new job.

I was thinking more of a job, right? And my brother Michael, came over with a TRS-80 Model One. He spread it out across the kitchen table. It took out an enormous footprint, as you probably know.

[00:04:32] CS: I remember.

[00:04:33] KW: He looked at me and said, “Sister, you need to learn to code.” I was like, I mean, my thought process was as I looked at this keyboard and I looked at this thing with these two external disk drives, and it was very noisy. I just felt like if I did something wrong, it was probably going to go up in flames. So, I was pretty confused, right? He really helped me.

So, I learned, I taught myself, with his help, programming at that time in Visual Basic, and then my favorite programming language, which was Forth, and I found out that I was really – that the thought process of programming for me was intuitive and I loved it. It was very creative. So, yeah, I was pretty hooked. That's the moment.

[00:05:27] CS: I was going to say, when you said, you're primarily right brained, and that you like visual arts and music and all that kind of stuff. I was like, “That doesn't seem completely incompatible with the sort of visual spatial and sort of abstract thinking that you need to do when you're doing heavy coding. You're sort of imagining.” I imagine it's kind of like composing sheet music. You have to imagine what it's going to sound like when someone plays it.

[00:05:52] KW: Yeah, here's – I'm not really good with linear formulas. So, if someone has something that they need me to code, and if they can show it to me in pictures, I can code it.

[00:06:03] CS: Yes. There you go. I like that you have that clear knowledge of your learning style. Now, before I move on, you blew my mind here. Can you tell me about your family of inventors? You have a grandfather, father, and brother who – what do they do in the way of inventions?

[00:06:25] KW: Well, my grandfather, back in the early, I would say late 1920s. He actually was a chemist for the Anaconda Mining Company, in between Montana and Tacoma, Washington. Something that I found quite interesting that commute was really something back in the 1920s. Anyway, he left Anaconda Mining Company when – he did their patent for smelting copper. And when they paid him one penny for the rights to his patent, he left the company and he bought a fishing boat. He found himself in the middle – he found himself in a pretty serious predicament.

Long story, which we probably didn't have time for here, but he ended up inventing the autopilot for fishing boats. So yeah, he started a business and for years, the family business was this autopilot, called Metal Marine Automatic Pilot, and it was known as the Metal Mike, and it was used all over the world as the autopilot for most of the fishing fleet in the United States and in Europe, and Australia, I have to say.

So, that was kind of like normalized in my family. My father was originally an engineer and he did a lot of the development work for the autopilot and had several patents to his name. But before that, when he was in the Navy, he invented the tools for Navy intelligence and for the Navy fighter jets that masks the tracers off of the jets. He was a night fighter squadron.

[00:08:14] CS: Yes, I love that. Those are such a wide range of different types of inventions too. It's not like, a family business or something. Everyone's kind of got a sort of an interesting insight into something that the others don't.

[00:08:30] KW: Yes. I think it kind of normalized that sort of exploratory behavior. I'll link things apart to see how they work and trying to put them back together again. And my sister actually continued it. I didn't do it as much. I'm not an inventor. But she got her engineering degree from Caltech. So, she was doing antenna arrays for satellites for Hughes Aircraft for a while.

[00:09:00] CS: Wow. Yes. That's so completely out of my brain space. I'm just fascinated. I didn't mean to tangent. Perfect. I love it.

[00:09:09] KW: Me too.

[00:09:12] CS: But I also love that, like you said, your initial concern with the TRS-80 is that if I do the wrong thing, it's going to explode or whatever. But you persisted, maybe perhaps because you were living in this sort of culture of like, “Well, if it breaks, we'll figure it out. We'll try something new. We'll break it intentionally and then to put it back together.” I mean, that can only give you a head start in a job like this.

So, you partially answered my next question, but I still want to talk about a little bit about it. But you said you have very interesting and very educational career. You did molecular biology, biochemistry, music, Master’s in Computer Science. And from your graduation with your computer science master’s, you started a nine-year run at Boeing and you’re a program manager distributed computing and research and technology. And from there, the hits just keep on coming. You were asset management for Bank of America VP, IT risk management and CISO for AT&T Wireless. General Manager, CISO at Microsoft. It's great.

So, it’s very interesting and noteworthy step in the timeline from 2015 and 2016, and we'll definitely be addressing that later. But I want to drill in a little bit more about the – if you have any thoughts about your parallel tracks in the physical sciences, versus the computer sciences, as their society sort of angles itself, ever more towards turning higher education into this sort of vocational school. Can you talk about ways that your non-computer science studies made you a better cybersecurity professional?

[00:10:40] KW: Oh, yeah. I think, first of all, the natural sciences, and the physical sciences. I had to do a lot of chemistry, a lot of physics, which are not my natural tendency. And when –

[00:10:58] CS: Well, in fact, I was a chemistry major, until I hit calculus-based physics, and then it just – it was a brick wall, that I've never hit anything harder in my life and that's why I'm here. So, I understand.

[00:11:10] KW: That wall pulverized me as well. Quantum physics and advanced calculus, were just probably the hardest semesters of my life.

[00:11:21] CS: Wow. Props to you for pushing through, though. I couldn’t.

[00:11:27] KW: Quit, I guess that's not – I'm not – I am pretty persistent. I think that's maybe one of my attributes. My husband calls it stubborn. I call it determined.

[00:11:37] CS: Yes. I’m with you.

KW: So, the thing is, is that because I'm a 98% right brain person, and I think in pictures, I am such a huge fan of Temple Grandin, because of the way she describes the way [inaudible 00:11:54]. So, I am that person who sees music and pictures, sees chords visually, not in a mathematical kind of way. I have to see math in pictures. So, that was a barrier and an attribute. Because what it meant was that I had to find a way to navigate very linear subjects, using the way that I could think. When I talk about things, now, I can communicate kind of both sides of the fence. I do better talking about things from a holistic picture. I'm painting a picture for people about how things fit together and where that really came in, in the cybersecurity arena was, I could map out an entire cybersecurity strategy, because holistically in my head, I see it all. It's like a big diagram. It's like a big photograph.

[00:13:06] CS: Yes. You’re just sort of transcribing it out into the world.

[00:13:10] KW: Right, translate that back. So, the fact that it was 98% right brain made the work that I had to do in school, extraordinarily difficult for me. But by persisting and sticking through that, what I ended up with was developing kind of both sides of my brain, in a way, training the side that was otherwise under – I don't want to say underutilized, because it was still utilized.

[00:13:35] CS: Underdeveloped?

[00:13:38] KW: Maybe just under practiced. And then practicing both sides, and finding out how to make them work together. I think that ended up serving me really well when I got into the cybersecurity field, because I saw things other people couldn't see.

[00:13:57] CS: Yes. I mean, that might be the best answer that I've ever gotten to what is otherwise a very stock question. But I'm blown away by that. I love – not to editorialize, but certainly, the educational system tends to sort of push everyone through the same square slot and if you learn differently, then no one cares. But once you get out into the work world, and you can kind of customize your work to your skill set, theoretically, boy does that ever make a difference, I imagine.

[00:14:30] KW: It did. I think it really did make a big difference. It was part of the reason that I was able to be successful, sort of on the cutting edge of a lot of things. I just want to give a shout out to my fifth-grade teacher because his name was Mr. Higgins and he saw it. He saw that I couldn't think like other kids. Number one, I couldn't sit still. Number two, I couldn't listen. I couldn't sit in my chair and listen. So, he was the one who said, “You are permitted to have pencils and paper out when I'm speaking, and you can draw what I say.” I don't know what I would have done in school if that hadn't been made possible for me.

[00:15:22] CS: Yeah. I love that.

[00:15:24] KW: Yes. It was huge. Huge, huge breakthrough for me.

[00:15:27] CS: A friend of mine does what they call graphic facilitation, where she goes to meetings and draws what the planning meeting is, and that sounds exactly like that, because she can just see the arrows and the clouds pointing from here to here and here, and if they keep repeating themselves, she'll just keep drawing a circle and a circle like you're repeating yourself. I'm in awe of people like you and brainy with your visual spatial mastery like that.

So, I want to turn from training to your current job. Can you tell me about your work as senior cybersecurity strategist and media spokesperson at VMware? Because I see there's quite a bit of thought leadership and customer interfacing. But can you give me an idea what like some of your primary lanes you work in during an average work week?

[00:16:17] KW: Sure. I love the variety. I am super fortunate to have the opportunity to speak to outside groups. I speak to media and outside groups quite a bit about cybersecurity in general. I talk about strategy. So, if I were in this situation of having to face a very VUCA world, with, I call it zero-day real world and have future ready security. What does that look like? Where would I take limited resources and invest them?

So, I can talk to customers, and potential customers of VMware, people who are in – people at conferences, about this is how I would approach it in the past. This is how I've approached it that's worked for me. But here's today what I've seen that's different. Here's that changing threat landscape that's affecting everyone in the world right now. How do we list everyone who's online? And here's how we would approach that.

Talking about those aspects. And then there's the technical aspect of working internally to understand, we have an amazing cadre of talent in the cybersecurity space, in cybersecurity research and engineering. Of course, they're doing things that I like used to do. I really enjoy hearing, this is where our products and solutions are headed. This is the kind of thing that we're doing and translating some of that into material that I can share externally.

[00:17:55] CS: Yeah, that sounds very satisfying to you. Because you're really seeing the instant feedback loop of someone who has a problem, and then you're able to sort of carry them through it. I imagine hearing from them, when they say, “Yes, it all works beautifully. Thank you.”

[00:18:14] KW: Yes. That's the best possible outcome, isn't it?

[00:18:16] CS: Yes, I guess so. Absolutely. So, we have a bunch of kind of interlinked topics to discuss today and I'm excited about all of them. But I want to start by talking about your experience as a woman in the cybersecurity industry. So, you've had a very impressive career, and we just talked about some of it, and you've moved through some amazing organizations and have brought them your value and insight. But having talked to many women, friends and colleagues, in cybersecurity, especially those with decades of experience, I know that there were probably a lot of barriers to entry, both implicit and explicit. So, can you talk about what it was like to work as a woman in a very male centered and mono cultural environment when you started? And maybe contrast that with what if anything, has changed, gotten better or gotten worse now?

[00:19:02] KW: Yes. Well, it has been a journey in so many ways, certainly one of personal growth. I'm not the same person that I was when I started in her field. I was in my 30s and I had two small children. So, I had it, perhaps a drive, a why. People would call it, what's your why? My why when I started might be different than what some other people experienced, because I had two small children and my job was to make sure they got launched someday. And how I did my work was critical to that goal.

So, there were a lot of things that I probably put up with, that women might feel like they have more choices today. I didn't feel like I necessarily had a lot of options. By the way, in the 1980s, cybersecurity was not like the field that is now. So, doing a job as a security analyst for government classified projects, which is where I started was not something that you could like put on your resume and then go find another one. There were a limited number of employers who did that work.

I think at the very early days, yes, we didn't have EEO. We didn't have family medical leave. We didn't have a lot of the protections that are put in place to help make workplaces a little more friendly for everyone. But here's the thing, I grew up with a Navy fighter pilot father and two older brothers, and a super, super smart, younger sister. So, part of mine was like, “Well, whatever.” I wasn't offended or insulted. I didn't take things personally. I might get angry. I might have gotten angry. But then, that was for me to go deal with on my own. There was a point in time, I remember, a lot of things frustrated me and made me mad in that whole process, and I would kind of like go pound pillows or something at home.

But the truth of it was for me, I got to the point where I realized this, like, “Look, you know what, you can be way more effective in the workplace if you're not angry about things.” People really don't want to be around angry energy. They need to be around somebody who says, “We can make this work. We can get this done. This is how we're going to do it.” That was a lightbulb moment for me. And I made a decision in like a day, that I was going to shift my energy and not let the stuff that came at me that I felt was unfair or even detrimental. I wasn't going to let it get to me and I just had to make that shift. I couldn't make it go away. So, I can either choose to be bothered by it or choose to not be bothered by it. I chose a path that said, what is it going to take for me to be effective working with other people, and to be able to have the influence that I want in order to accomplish things. That's the person I need to show up as every day and I made that shift. It did make – it made all the difference.

So, I think it was a journey of personal growth. Adversity is a great teacher and sometimes I find myself in a place today, and I'll say, not so much now, but in years past, where I find myself in a situation that says, “Yes, this kind of sucks. What am I going to learn?” Because I'm in this place, because there's something for me to learn.

[00:23:01] CS: Yes, that's an amazing point of view, and, yes, that's really, really good advice. So, Karen, can you talk about some changes that can and should be made in order to attract, promote, and retain more women in the cybersecurity industry? You said you had to really push up mountains, push boulders up mountains, and so forth. And that there's maybe less of that, and there's more legal protections and so forth. I think there's still a lot of places where it's not terribly welcoming. Are there some main deficiencies that you can see the industry fix around this kind of initiative? I mean, anything from job listings, to, in-office support to career development initiatives, et cetera?

[00:23:52] KW: At the end of the day, it's culture and people. I think, first, I would like to just say, be really clear about what the advantage of having a diverse workforce. I mean, there's diversity in how people think. I'm a thinker. That's not going to be true for everybody, right? There's other people who are more linear. We need both. We need people who have a life experience that maybe comes from the worldview of a different gender, or different orientation, or a different culture, language, everything. All of those pieces. The question people should be asking is, what value does this bring to me to have a variety of perspectives? The answer is already being proven.

First of all, it's the right thing to do. But secondly, it's being proven that the companies who do embrace that, it impacts the bottom line in a positive way. So, there's clearly a business benefit to it. So, why doesn't everybody do it well? I think that we have – Emily Chang wrote a book about breaking up the boys’ club of Silicon Valley called Brotopia, I highly recommend reading it.

[00:25:18] CS: I'm writing that down, right now. It's amazing.

[00:25:20] KW: Yeah, well it talks about how we got here. So, the thing is, is that we culturally got here in the tech industry, through a very – I mean, understandable, legitimate, legitimate or not legitimate, depending on how you want to look at it, but we got here, honestly. Now, we have to kind of look at it and say, “Wow, that's kind of a culture we've inherited. I'm not sure that it's really all healthy and here's the impact of it. It affects us at every stage of the employment cycle for people who are different than the majority population in the industry.”

I would just – I mean, I'm not trying to call out anybody at all, but the majority population is typically white men. Now, that's shifting some, definitely. And the question is, where's that needle going to be enough. But there are different factors that affect us at the recruiting, at the hiring, onboarding, and the retention stage, development and retention stage, where internal biases that we all have, affect how we make decisions in the workplace that affects people who are different than us.

I think one of the things I had to learn, in fact, myself, was I'm a very persistent person. I can let things roll off my back. I have a tendency to kind of look at things in life and say, “I'm going to power through that over under or around it or through it. But if I need to get to the other side, I will.” Not everybody's like that.

So, when I talk to groups who say, “But the workplace shouldn't make me be that way.” I say, “Yes, you're right. I was successful, because I was, but you shouldn't have to.” Somehow, I think we just need to collectively, have a group moment where we say, what speed? Speed to the goal is not the highest value, although Silicon Valley certainly promotes that, competition and speed is huge. And what competition and speed both do is, it causes us to try to work with people who think just like we do, because we can go faster.

There's just so many – it has to do with how we look at things. It has to do with our internal values and beliefs about the way the world should work. It has to do with the way we set goals and objectives for the business, and how we choose to show up and show up as a human being. There's just so much work there. We can't mandate it. We can't set goals and metrics for it. I think we have to recognize that the world needs some change, and it will be a better place when we are able to make sure that everyone who has got something to share has an opportunity and a voice to make that happen, and that we look at whatever it is that's a barrier and say what can we do to make this better. That’s not a very concise answer.

[00:29:01] CS: No. It’s not a very concise or easy question, either. So, we're really boiling the ocean by trying to make a change on this size. I'm glad you mentioned that too. Because I've met so many people of diverse background who aren't necessarily, don't feel comfortable or don't have the wherewithal to feel like they can be the sort of alpha dog in meetings and fear for their and so forth. Like you said, it shouldn't have, or just too shy, or feel weird on Zoom cameras or whatever. But might have a lot still to contribute. So, it’s definitely worth –

The thing that past guests have also said is just like, even though you’re hemorrhaging money, the longer that a position is open, slow down, and really look at every conceivable candidate, and really think about what they could provide to you rather than whether they check the boxes of the things that you need, the certification, or that background or whatever, and I think that's going to allow for a sort of a wider pool of experiences and backgrounds, and also, it's been good to see some companies anyway, embrace more flexible work for people who might have small children or might have physical disability or can't do this or that.

It's going to be a slow process, but I would it if it went a little faster sometimes. So, can you – do you have any – sorry.

[00:30:38] KW: I was going to say, faster would be better. I mean, I think we're still on trajectory for 270 years, before we get to equity in terms of pay. That's discouraging. That's discouraging. As I get older, one of the things I really realize is how that compounds, and how that affects women in life. If they don't have the equity during their working years, it's a problem. People who've just got so much on their plate, it's hard to get enough attention to say, here's why you should care.

[00:31:20] CS: Yes, absolutely. And I think there are also certain other, sort of brain types that are less elastic, and who, all they hear is like, this is going to be so much harder. I don't want to do hard things. Just let me stop thinking about it. And we just hire the person I already know from whatever.

So, do you have any examples of any strategies that you've seen or used to bring a greater diversity of cybersecurity professionals into jobs and up the promotion ladders? Are there things that you could say if someone said that they tried to hire diversity, but didn't get any diverse candidates, things like that?

[00:31:58] KW: I think the simplest answer that I've heard for that, that I really like, and I've embraced is if you can't find the candidates that you think you need, you're fishing in the wrong pond. The truth is, is that, and there are studies that show this, that we tend to hire, it's like the country club mentality. You go to the club, you say, “Hey, I've got an opening coming up, who do you know that would be a good fit?” And you find out from your colleagues who are very much like you who belong to the same club as you, in the same social economic status as you, who would be a good candidate. That's the pond you're fishing in.

There are so many organizations now and I think of the work that is being done by WiCyS as an example. So, Lynn Dohm is the executive director. She's a friend of mine. She does incredible work, to create opportunity, at every level, from students, to interns, to advanced practitioners, but creates that ecosystem where someone can go and find diverse candidates, neuro diverse, gender diverse, everything. So, we have a number of places where people are putting the effort in to create ecosystems that are supportive, that give people opportunity and training and visibility to find those jobs. That's where we should be fishing.

[00:33:35] CS: Was that WiCyS? Is that an acronym? For our listeners, could you –

[00:33:40] KW: Yes. Women in CyberSecurity is the long. WiCyS.

[00:33:45] CS: Okay. That's the one. Okay. I couldn't quite see it in my head, not visual thinker. Well, good. Thank you very much. So, yes, Women in CyberSecurity. Definitely, you can find them on LinkedIn and elsewhere. Definitely consider doing so, listeners.

So, as I teased before, in your list of experiences, you took a sabbatical from cybersecurity's constant grind and you completed a Master's in Theology, as well as 2,000 hours in chaplaincy. As you said in the description, and I like this, “I returned to the tech sector in 2016, out of a desire to help address the levels of distress I observed among professionals in the space.” So, one of the things you said in your introduction was that excited me most about this talk is that you wanted to discuss your experience, about not just burnout, but speaking up during times of burnout.

I'll say luckily, that our company has really stepped up during the pandemic in understanding the very real risk of burnout as our jobs get busier, and as many cases our work from home worlds get smaller. But I also know that this isn't even remotely industry wide. So, tell me about speaking up about burnout, and especially with regards to women in the industry, whether overwhelmed by the volume of work, or even taking on caregiving roles or other burdens, and how to make your employers understand that it's just not acceptable to expect your employees to make their work their whole life while ignoring their own mental and physical health?

[00:35:06] KW: Okay, there's a lot to unpack in there. So, what I would say is that, yeah, one of the things that the reasons that people don't speak up, the number one reason that people don't speak up, is because they're afraid of the stigma of being declared unfit for service. So, unfit for duty. It kind of gets back to the origins of the cybersecurity community, in the intelligence sector, in the military. But if you basically don't suck it up, buttercup, somebody's going to say, “Well, you're obviously not cut out for this work and there you are marginalized, sidelined, or even demoted or managed out.”

First of all, the first thing we have to do is recognize that it has to be okay. People are not going to speak up if it's not okay to not be okay. It's first and foremost, a leadership issue that says, “Hey, the thing we're trying to do here is a slog. This is not going to be easy. We're demanding a lot from our people. At the same time, there's no honor, in essentially expiring on, expiring in the line of duty, because you didn't say, ‘Help, I need help.’”

We have a lot of internal biases and fears to overcome to help people be able to say, “I got to take a break.” By the way, a break is not the only thing to help you with burnout. We talk a lot about that in other seminars, and I do seminars on burnout. But first and foremost, in the workplace, it has to be okay for somebody. They don't have to say why they've got to take a break. They don't have to give the details of what they're going through. They just need to say, “I need a moment.”

Everybody gets the signal that says, “This is a person who practices a healthy form of self-care, and I'm going to respect that and honor that, not stigmatize that.” So, that's a huge piece of it. But the truth is, unless the culture has made it okay to do so, people will go past the tipping point. They'll go to the place to where their health is harmed, or they may feel like you have no other choice. That's a big part of it. Maybe need to speak up and then help people learn how to do that.

[00:38:05] CS: Can you talk a little bit, you said, taking a break isn't the only way to curb burnout. Can you talk about some of the other topics around burnout that you've covered in the seminars and other sort of coping strategies?

[00:38:17] KW: Yeah. So, one of the things that really happens with burnout that I see over and over and over again, is people are very – especially people who are very work oriented. A lot of people have an incredible work ethic, right? And they define a lot about their life, their livelihood, the where they live, how they take vacation. Everything they do can revolve around their work. So, if I gave somebody a list of 12 things of 12 life factors that are very important for their overall wellbeing, like, their physical health, their mental health, their emotional health, their relationships, their finances, and so on. What does their contribution to society look like? What is their spiritual connection look like? I asked him to rate each one of those things on a scale of one to 10, and we create little diagrams to help make this visual, because that's what I do. I make visual things.

But what you'll see is people rate like a seven to 10 on work, on career. They've spent a great deal of time there and effort there, and they, well, in many cases, rate themselves quite highly, especially if you're talking to people who are accomplished. And then you'll look at relationships, and it'll be a two. Spiritual connection might be a one or three, and you'll see this very unbalanced diagram results.

One of the things that I try to help people understand, and I had to do this for myself, which is learn how to create a goal that is compelling for you. Your work goal may be very compelling, you have very clear ideas of what it is you want to accomplish, what you want to do, what you want to earn, blah, blah, blah, tons of goals around work. What's your goal around your family? And how is it a compelling?

So, for me, I had to – some of the goals, I'll just share, like some of the goals that I had to make to change my behavior, because goals will change your behavior, if you believe in them is I had a family goal that said, “I create memorable experiences and lasting memories, for my loved ones.” Well, now when I take time off from work, I'm not taking time off from my goal. I am spending time on one of my other important goals. It's that shift. It's a way to shift the way we think about things. I had to make another goal that said, I'm going to be in the best possible shape of my life, health – physical, mental, emotional health. And in order to be able to have these great experiences with my grandchildren, I had to create something that was compelling enough to shift my behavior.

The reason why this is important in burnout is that when we are focused only on the work goal, we get out of balance, because we're human beings, not human doings. We have to go back and be able to say, “Well, work isn't maybe going as well as I wanted or it's not as effective. I'm not being as effective there as that could be, because of whatever potential barriers there are. But I am putting in the time and the energy into other goals that matter to my life.” We can get people to kind of look at this, the whole picture. It's another whole picture issue. We don't want to get just so hyper focused on work, that we lose sight of the fact that our entire wellbeing is a balance of things, and that's where we've got to put some time and energy.

So, that's one of the more effective tools that works for me, and the people that I've worked with, I think they've had a big aha moment, and then it's a choice about how they want to make that change happen.

[00:42:59] CS: Yeah. Boy, lots sort of came at me all at once there. But I feel like just the way that, especially Americans are, it's almost as hard for a lot of achiever-oriented people to even consider taking the job thing from seven down to five in the interest of bringing anything else up from two to four. So yes, the idea of actually saying, like, “Well, maybe work has to suffer a little bit so that I can spend more time with my family.” Or, “Maybe this has to suffer so that I can get my mental health.” The other thing that I thought of that I think you really pointed out, is that if you only have – if your only goal is your job, and then you're burned out, then it's just an on/off switch. You're either at work accomplishing, or when you're burned out, you're just like, all you're doing for rest is not at work, which isn't the same as like curbing burnout, right?

[00:44:00] KW: Well, you’re not present at work, but you're still working, which is also another thing.

[00:44:04] CS: Which is also, I think, goes to that sort of notion of like, everybody's working for the weekend. It's like, well, yes, I hate my life five days of the week, but soon I'll have two days where I can feel like myself or whatever. It's just such an epidemic, amongst, way, way beyond cybersecurity, obviously. But just all over the place. Yes, there's a lot that has to change, I think, to even consider moving the needle on stuff like this.

[00:44:35] KW: Yes. It's really deep seated. I would say, I was just looking up, we're recording this on St. Patrick's Day, so I was looking up some family links back to my family and in my ancestors in Scotland and Ireland. One of the things that I noticed in there was a family crest and a family motto that said, “Rest earned through hard work.”

So, this is deeply, deeply, deeply ingrained in us, and that you earn the rest by working hard. And the harder you work, the more you've earned your rest. Well, you might be dead, but go ahead and – there's all kinds of memes around this. So, one of the things, and you mentioned it, too, is like, well, I'm going to take care of myself, but work has to suffer. The other thing that I talk to people a lot about is, how do you use your language to talk about the situation?

So rather than say, I'm going to pick on you for just a sec, but rather than say, work has to suffer. I would say, I'm going to figure out how to make work, work, and take care of these other goals that are very important because of the things contribute to my effectiveness at work. There's a lot of diminishing returns, and we don't pay a lot of attention to it. But the language that we use to describe what we're doing is really, really important and putting it into the positive, putting it into the positive outcome is part of that.

[00:46:14] CS: Yes, I agree.

[00:46:15] KW: Don’t put yourself to that [inaudible 00:46:18].

[00:46:18] CS: No, and also, I think there is, especially in places, like the financial sector, I think there's this sort of perception that you're not really working unless you're there for 15 hours. But when you really break down what's going on, there's not 15 hours of work going on. You’re just, like you said, and I said, work has to suffer, but I didn't literally mean like, I'm going to do worse work. You can figure out strategies that allow you to not be at your desk every night, 7:30 still, even though your end of your workday was at 5:30.

[00:47:00] KW: Yes. But what's so interesting about the word thing, though, is, I knew what you meant. It's an idiom. It's an idiom, and it has different meaning than its literal meaning. But our body kind of believes every word that we say. Our brain believes everything that we say. So, we just have to be mindful of it. It's a practice that once we start being aware of it, is like, how many things do I say in the negative? As another example is, what if I asked somebody, what do you want? What most people answer with because it's what they can easily grasp is all the things they don't want. Try it sometime. What do you want?

What you'll hear is, “Well, I don't want this and I don't want that.” And I say, “No, no, no, no. I need you to think and say, the thing you want.” It has a way of programming our brain, because the thing that we focus our energy on, is the thing that we get more of. That's how we're wired. Anyway, enough about that. But that's a whole conversation around how we use words.

[00:48:14] CS: Yes. Well, to reverse the old garbage in, garbage out, it's nutrition in, nutrition out or something like that. If you bring in things that satisfy you, then you can't help but glow a little bit more as you're exerting energy.

So, as we wrap up today, Karen, there's a number of organizations that you're a part of that I'm sure, normally we would just say, tell us about the company you work for. But your LinkedIn has so many great organizations that you're part of. I'll just mention that you’re a cybersecurity strategist, but also entrepreneurship education, women in tech advocate, podcast host for W Risk Group, LLC. You're also a board member for Humanitarian Aid to Ukraine and Chevra USA. And of course, your work at VMware. So, if you'd like to, as we wrap up today, tell our listeners about any and all of these organizations, what they're about and how to get involved if they're so inclined.

[00:49:17] KW: Wow. Well, I never miss an opportunity to encourage people to be involved in a humanitarian aid to Ukraine. It's hard. Here's the thing, it's really hard for people to pay attention to all of the things in the world that are happening that are – there's just so beyond our imagination how horrible they really are.

[00:49:44] CS: We can't conceive of a way to see the horror and not really know how to directly help.

[00:49:51] KW: Right. But what I will say is, it's important to all of us that Ukraine be successful. I won't say any more about that, than that. There are so many people there that are unable to leave, or who choose to stay for the principle of not abandoning Ukraine, and that are in desperate need of food and supplies. There is a group of people that we support and assist, that are taking convoys of supplies, humanitarian aid. If we need to, we are distributing it by hand to people who are living in conditions that no one should have to live in.

But just so that they have a propane, a tiny propane stove, to heat a meal, and get meals. So, if anybody wants to find out more about what we're doing there, they can go to our website, which is mychevra.org. So, that's on the humanitarian side. And the other thing I would just say is, I'm super excited about the new announcements that came out from VMware yesterday. We went general availability on XDR and I'm geeking out over that after 20 years of being in the cybersecurity industry and doing – specializing in the area of intrusion detection and response, to see the breakthrough that has now happened in the technology space. Cyber defenders is significant. So, I encourage people to take a look at that.

[00:51:36] CS: Since a lot of our listeners are literally like ground floor or even just considering cybersecurity, can you tease out a little bit in layman's terms about like, what XDR – why this is such a big tech jump?

[00:51:51] KW: Yes. Just a tiny bit of a story. When I was at Stanford Research Institute, and I was in the consulting arm on security there, my specialty area of specialty was intrusion detection. It was very, very early in the industry. This was in the early 2000s. One of the things that was always so difficult was that we had the ability to see bits and pieces of the environment, and we had to infer the rest.

Fortunately, at that time, the cyber-attacks that were coming against companies were nothing like they are today. So, being able to see bits and pieces was almost good enough. It was certainly an improvement. Where we are now is that the cyber-attacks that are coming against our country, our infrastructure, our companies around the world, really, are so sophisticated, that we have to have a level of visibility and context. In other words, I have to know, these are workloads. This is servers. This is endpoints. This is network. All of these little bits and pieces of information, trillions and trillions of pieces of information have to somehow be correlated, in the big picture with artificial intelligence and machine learning to say, you should take a look over here. There's an attack underway, like right now. Focus that.

XDR, until today, until yesterday, basically. What we were confined to was having a console that let us look at the endpoints, and to some extent, workloads, and containers in the environment, in a cloud environment. Now, what we can see is the network, and we can pull in – we can start to pull in way more different domains of the entire computing environment, and pull them in, and see them on a single pane of glass, where the artificial intelligence behind the scenes is going. “Yeah, this thing, all these pieces, they all go together. Here’s how you stop this.”

The reason that's so incredibly important is in a – today, it takes about an average of about – at least last year, this is last year’s statistics, 250 days to be able to identify an attack in progress, and respond to it, 250 days. We know from our advanced telemetry, that the damage is done by the attackers, where they've established persistence in an environment is done in the first 24 to 72 hours.

So, instead of having this luxury of time, time is of the absolute essence, best practice the numbers that we can – six seconds is more like the response time of what we're hoping for. And by pulling more and more information together, and putting them together on a console, where the system is using automation and so forth, and even to some extent, orchestrating a response, an automatic response, and saying, “Yes, this is happening right here. We got that one covered. You need to take action over here. Boom. And get it done.” That's what's super exciting about this. It feels like a quantum leap forward to me, and I couldn't be more excited. If you can’t tell.

[00:55:39] CS: Yes. Oh, no, what I was going to say too, is, as you specifically said, you can see on the screen that it's originating here, it's going out here as like, we're going to wrap it up and we're going to talk about, again, about visual thinking. You're literally able to sort of visualize the entire attack as it's happening. You've said something about not being in the dark anymore. So, I love that there's that through line through everything, and that that's the thing that excites you the most. Congratulations and yay, XDR. Before we go, one final question. If our listeners want to know more about Karen Worstell, and her various activities and insights, where should they go online to find you?

[00:56:20] KW: Well, I'm on LinkedIn, and I'd love to hear from people on LinkedIn. So, that's probably the best place. I also am on Twitter, @KarenWorstell is my easy to find name. So, those are the probably the two best ways. If somebody wants to reach out to me on LinkedIn, that's a great way to do it.

[00:56:41] CS: Right. I know from past experience, and past guests that you will probably get some requests from our listeners. They’re very, very excited to interact with our expert guest. So, thank you again.

Karen, thanks for joining me today and just reminding me and get me excited about all the great things that can be done in the present and future professionals in cybersecurity, appreciate it.

[00:57:03] KW: I appreciate the time. It's been really fun talking with you today.

[00:57:06] CS: Thank you.

[00:57:07] CS: Thank you to all of you who have been listening to and watching the Cyber Work podcast on a massive and even unprecedented scale. We're so glad to have you all on for the ride and we hope you're enjoying yourself.

So, before you go, I just wanted to invite you to visit infosecinstitute.com/free to get a whole bunch of free stuff for Cyber Work listeners, including our new series Work Bytes, features a host of fantastical employees, including a zombie, a vampire, a princess and a pirate, making security mistakes and hopefully learning from them. I watched a couple episodes already.

Also, visit infosecinstitute.com/free and get your free cybersecurity talent development eBook. Now, this has in depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. So, lots to see, lots to do. Just get yourself to infosecinstitute.com/free and play around to your heart's content.

Thank you once again to Karen Worstell and VMware, and thank you all so much for watching and listening. Until then, we'll see you next week. Take care.
