How to Achieve Work-Life Balance in Information Security?

To what extent are information security professionals doomed to work long hours without devoting sufficient time to other aspects of their lives, such as family, friends, hobbies, community service, etc.? In a presentation on making work-life balance work, Nigel Marsh proposed, "Certain job and career choices are fundamentally incompatible with being meaningfully engaged on a day-to-day basis with a young family." Is information security such a career?

Life Outside the Office

This topic came up in the comments to the post where I shared advice to resist the gentle pull of mediocrity at one's job, encouraging people to escape the lull of becoming too comfortable at work.

Flo left a comment, asking how one can be expected to have any free time and interests outside of information security to keep up with the ever-changing industry. Slava Frid also pointed out that:

"People have children, and parents, and spouses, and friends. That is what makes them human. Job definition must either clearly state that it is impossible to perform this job with children—or accept that 'limitation' and use people’s talents to the most of their ability, which might be 'only' 8 or 10 hours a day."

Indeed, can one excel as an information security professional without losing sight of life that outside the office?

Professions That Require Your Undivided Attention

There are jobs where you are expected to work long hours to keep up with the work load. Doctors, lawyers and management consultants are the stereotypical examples of such positions. I suspect these individuals choose their professions with the full expectation that their work-life balance scales will tip heavily towards work. Perhaps they like what they do and enjoy the rewards they derive from engrossing themselves in work.

Also, such professions usually have a clear financial pay off: The individuals can win the prize of becoming a partner of the professional practice if they put in their dues. I don't think information security offer such a prize in most companies. Then why do so many participants of this profession seem to feel like their work has taken over their lives? Why do they let it?

Work Commitments of Information Security Professionals

I observed workload-related stress in information security primarily in 3 situations:

  • Infosec personnel with operational responsibilities are on-call, and are asked to handle scheduled changes or assist with emergencies during off-hours.
  • Infosec personnel that need to travel frequently for work projects, for instance in the context of a consulting job.
  • Infosec personal with a heavy workload that cannot be handled during a standard (40 hour?) work-week.

The individuals who fall into the first two categories (on-call operational support and traveling consultants) shouldn't be surprised by crazy work hours. It takes effort to adjust one’s life to such a work-style, and many seem to succeed at it. If you've been working like this for a while and haven’t adjusted yet, then perhaps this type of a job isn't for you.

If you fall into the last category I outlined (heavy workload) and love it because that’s what drives your as a professional, great! Keep it up. If you're unhappy, you probably face the most significant challenge, because your job might not have explicitly called for working long hours. Consistently working long hours in that manner is not sustainable for most people. If you are in this situation and are't enjoying it, then you may need to make a change.

Change might involve procrastinating less or being more selective about what commitments you take on. Putting effort into such an adjustment works in some cases. However, sometimes change might mean switching jobs. If you decide to switch, be sure to research the new position to make sure it offers the hours that are more acceptable to you and the kind of work-life balance you wish to strike. The grass always seems greener on the other side, as they say.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more