Everywhere you look the phrase “burnout” seems to be mentioned with increasing, and worrying, regularity. Google searches for the term jumped by 81% last year, and the latest nationwide survey found that 35% of us are struggling to balance our workloads with mental and physical wellbeing.
If anything, within the microcosm of the cyber security industry, this trend is magnified. A recent Sophos report on the security profession in the APAC region found that 83% of respondents across the continent felt affected by burnout, with 93% reporting increased feelings of stress over the last year. This isn’t just an APAC problem either, in the UK 66% of industry professionals experience daily stress at work, and 21% are considering leaving the profession because of it.
So, with these alarming statistics clearly on the rise, the question needs to be asked: what is causing all this burnout in the cyber security industry, and what can employers do to stop it?
Luckily, there are some steps you can take to safeguard the wellbeing of your team and employees, and simple measures to break the burnout cycle! Read on to find out.
The big picture: what is happening in the industry?
It does seem that although burnout is a worldwide pandemic, our sector is disproportionately affected. According to research by Gartner, there reason behind this can be grouped into a few common causes:
Source: Cybersecurity Leaders Are Burned Out. Here's Why, Gartner, 2023
Unrealistic expectations: the lack of specialist knowledge outside of IT and security teams means professionals are often put under overwhelming pressure. An ex-CISO at Microsoft famously reported her annual performance metrics to be “no hack, no leaks”, creating a highly stressful target in an industry known for unpredictability.
Threat fatigue: in most jobs, if you mess up there will be consequences, but it’s usually possible to recover. In cyber defence, the consequences for poor judgement or a missed alert could be catastrophic, resulting in a constant, highly aware mindset.
Isolation: with specialized and technical expertise, it’s not unheard of for your security team to feel detached from other teams in the workplace who don’t understand their role or the importance of what they do. Social isolation and high expectations lead to low morale.
Evolving nature of threats: we can’t control the actions of hackers or activists, meaning security professionals need to be constantly on alert for any unusual activity and keep up to date with all the latest developments in the sector. This means balancing long hours and a high-demand work culture with complete uncertainty about where risks are coming from.
Overwork: there is a workforce gap of 4million people across the global cybersecurity industry, so teams are having to take on more work to keep up with the increasing volume of threats. According to a report conducted by Tessian, 100% of CISOs work extra hours every week, on average clocking 11 additional hours per day just to keep up.
What can you do about it?
As an employer, you’ve got to protect your security teams; with 95% of breaches still occurring as a result of human error, you just can’t afford for the people on the front line of your cyber defences to be overstimulated and exhausted.
Fortunately, there are a few simple steps you can take to prevent the situation occurring:
1. Create open dialogue
Gartner suggest that only 46% of cybersecurity leaders who experienced burnout told their manager about it. Creating an environment where people feel they can talk about stress and not face negative repercussions is so important. Just giving your team or employees the space to be listened to has been shown to help immensely.
2. Review workloads and responsibilities
We still see plenty of HR teams trying to fill a vacancy without first consulting with security leads to see if it will plug resource gaps in the existing team. Ensure your department is staffed with the right people at the right skill level to protect the other team members. You could consider role rotation as well so that those on the frontline of threat monitoring and analysis are offered downtime from their continuous vigilance, reducing the mental strain.
3. Automate, automate, automate!
Outsourcing less critical or more monotonous tasks to software can free up time and resources. For example, if you can use AI to take over the triage role of Level 1 Analysts, those employees can be upskilled to Level 2 and 3, providing more valuable returns for your business. Utilizing AI to increase the efficiency of defensive teams will address the skills shortage, streamline the operations of your existing team and reduce the mental burden.
4. Educate the business
The burden of cyber protection shouldn’t just fall on your security team; it is everyone’s responsibility. Educating your other employees on how to spot and avoid social engineering attacks like phishing and business email compromise (BEC) means they aren’t constantly fighting fires and can focus on strategic priorities and more pressing threats.
In reality, it is entirely possible to reduce burnout in our industry, and employers should be making this a priority for their workforce. Implementing these solutions, simple as they seem, will go a long way in reducing the strain on your security team and improving morale and retention. Ultimately, a more motivated team is a better team, and a better team means a more protected and secure business, so perhaps it is time we started heading the mantra of “unplug and unwind” and giving our cyber security departments some well-deserved breathing space.
