Cybersecurity Burnout: Costing Enterprises More Than Money

The stress associated with cybersecurity is everywhere: alerts from the security operations center, patching updates, the latest ransomware attack, zero-day exploits, the growing demands of governance and regulatory oversight from government agencies.

The pressure on CISOs and their security teams can be intense, given how they are held responsible following a data breach or a successful ransomware attack that can trigger a law enforcement investigation. In some extreme cases, security leaders have been held criminally liable.

The burnout associated with cybersecurity and stress on tech pros costs U.S. businesses about $626 million in lost productivity annually, according to a survey published by Hack the Box, a performance center platform provider. The results are based on two sets of interviews each involving more than 1,000 security leaders and practitioners in the U.S. and U.K.

Beyond illustrating the stress CISOs and their teams are under, the results underscore why recruiting and retaining cybersecurity talent is a challenge for many companies, especially as security becomes even more critical to the day-to-day workings of enterprises.

“This poor mental well-being at work is costing the industry millions at a time when there is a rising skills shortage,” according to a report summary. “74 percent of cybersecurity professionals globally say that they have taken time off due to work-related mental well-being problems, with staff reporting taking an average of 3.4 sick days per year due to work-related mental well-being problems.”

The Hack the Box survey matches similar findings published by Gartner in January, when the research firm interviewed 178 cybersecurity leaders and found:

  • 62 percent reported pressure to work late at night and on weekends
  • 36 percent reported feelings of isolation
  • 32 percent reported low morale among their security teams

For many cybersecurity leaders and insiders, the cure for burnout is to catch it sooner rather than later and address the issues head-on.

“The goal is to catch burnout early before it becomes chronic, where recovery can take more time and have more life impact,” Omri Weinberg, co-founder and chief revenue officer at security firm DoControl, told Dice. “People leaders can monitor workloads carefully, but also should keep an eye on morale and esprit de corps, especially among the key members of the team and those likely to be more vocal about their challenges.”

By understanding the causes of cybersecurity burnout, organizations can work with their CISOs and security teams to help address these issues, which also helps retain and recruit talent. At the same time, tech professionals can rely on their skills and knowledge to help address their stress while on the job.

Addressing Cybersecurity Stress and Burnout

The Hack the Box survey noted that 65 percent of cybersecurity and infosecurity pros have reported experiencing stress, fatigue or burnout due to skill gaps and pressure to perform beyond their capabilities. In turn, about 8 percent told researchers they are considering quitting their jobs due to overtime, stress, burnout or mental health challenges.

CISOs are witnessing these challenges: Nine in 10 security leaders report that stress, fatigue or burnout affects their team’s well-being.

Much of this relates to the nature of the cybersecurity profession, where alerts and warnings are constant and where a single data breach can cost organizations significant amounts of money ($4.45 million on average, according to IBM) plus reputational consequences.

“The main reasons for burnout among IT security workers are because of the unique requirements of the industry, which include the constant need to protect against continuously evolving threats, long and irregular working hours, and a continuous state of high alertness,” Saran Gopalakrishnan, vice president of Netenrich, told Dice.

“A major source of stress in the field of cybersecurity is its high-stakes nature, as even a minor breach could have severe consequences,” Gopalakrishnan added. “Given the evolving nature of the threat landscape, keeping up with newer security technologies and best practices can also be mentally exhausting.”

These issues happen at all levels. 

Tech pros starting in the cybersecurity field at the analyst level must respond to an endless flood of false positives. Those further along in their careers, such as cybersecurity engineers, are constantly adjusting products and services to detect the latest threats, creating a “whack-a-mole” mindset. At the senior CISO level, politics and a limited budget often prevent proper risk reduction, with the leaders standing alone to shoulder the blame for a breach, said Randy Watkins, CTO at Critical Start.

“Media coverage of breaches and data leaks are leading to board concern, which trickles down to additional scrutiny on the security team. Ever-evolving threats and tactics, techniques, and procedures (TTPs) require constant adaptation by security teams,” Watkins told Dice. “Hamstrung budget amidst these endless streams of threats make solving issues near impossible, and that’s without considering the typical pushback from other factions of IT that see security as a hindrance or inconvenience.”

While the attack surface has increased over the years, the adoption of new technologies such as the Internet of Things (IoT), cloud computing and now artificial intelligence also adds to the stress security pros feel.

“Security professionals are under more pressure to perform well due to rising cyberthreat frequency and sophistication, a lack of qualified cybersecurity personnel, and growing attack surfaces brought on by remote work and digital transformation,” Gopalakrishnan added. “Due to the quick adoption of new technologies like cloud computing and IoT, security teams are faced with even more security challenges.”

Building a Skilled Security Workforce to Counter Burnout

The stress and burnout associated with cybersecurity are occurring at a time when finding enough talented tech pros remains a significant concern. The ongoing, persistent cybersecurity skills shortage has already stretched IT departments thin, meaning team members are taking on tasks beyond their capacity and expertise, said Piyush Pandey, CEO at Pathlock.

“The growing complexity of IT environments, particularly with the adoption of complex multi-app business processes, adds to the burden,” Pandey told Dice. “Again, this creates a prime opportunity for organizations to embrace automation, especially in the area of identity security, where the complexities of users, roles and applications can create a significant amount of management overhead.”

Enterprises can offer more to bolster the security team, including creating alternative paths for those interested in cyber to enter the field. “Building career paths inside the organization is another great way to retain talent and increase job satisfaction among employees,” Watkins added. “This also creates a much broader recruiting field and makes it easier to fill more seasoned and unique roles with an existing employee who already knows the organization.”

It’s also about building a security-conscious culture to support the cybersecurity team’s mission.

“Clearly articulated roles and a career roadmap with opportunities for additional leadership and responsibilities can help attract young talent,” Watkins said. “An organization that includes security as a foundational necessity, and backs security with proper budget and authority, will help retain that talent.”

Businesses also need to get creative. This includes offering mental health services to employees who are stressed or providing upskilling opportunities for tech pros who want to explore new approaches to their jobs and careers.

“Employers can take some actions to assist in the mental health and well-being of their workforce. It is important to make counseling services and mental health resources accessible to employees,” Gopalakrishnan said. “To make up for personnel shortages, organizations should ensure they have enough employees and think about employing temporary workers when needed. Providing opportunities for upskilling and professional growth will make workers feel more capable of handling their duties.”