...

In most organizations, these skills will likely be dispersed among a team of people rather than expecting a single person to be fluent with all of these topics.

Beware Analyst Burnout

Some organizations may have a small enough flow of incoming vulnerability reports that all the CVD-related roles can be fulfilled by a single team, or even a single person. Other organizations might choose to split the technical analysis roles apart from the more human-oriented communication and coordination roles. No matter the arrangements, it is important that vendors and coordinators establishing a CVD capability mitigate the potential for analyst burnout.

Burnout of security analysts is a well-documented phenomenon [141] [142] [143]. Analysts working full-time in a CVD process are at risk of this too. A vendor's CVD capability may receive a large number of incoming reports each week, especially at larger vendors. This can result in CVD staff becoming stressed and having low job satisfaction, leading to lower quality of work and ultimately employee attrition. The costs of lower quality work (e.g., missing an important report), employee turnover (e.g., hiring and training a new analyst), and associated damage to the vendor's reputation suggest that this problem should be addressed ahead of time with reasonable precautions.

At the CERT/CC, we have attempted to mitigate this issue with reasonable success by implementing the suggestions below. Research has shown that many of these are effective responses to commonly held morale problems [143].

...