Medium to large enterprises facing significant financial losses due to stress, fatigue and burnout among cybersecurity workers, with annual losses averaging more than $626 million in the U.S., according to a report from Hack The Box.
Nine in ten CISOs surveyed expressed concern about the impact of these issues on their team’s well-being, while nearly three-quarters (74%) of business leaders report that staff have taken time off for stress-related reasons.
Despite these challenges, 59% of business leaders admitted that they do not invest in new tools to enhance team efficiency.
Survey results indicated this lack of support exacerbates the problem, with around two-thirds (65%) of cybersecurity professionals surveyed reporting experiencing stress, fatigue or burnout due to skill gaps and excessive performance pressures.
At least 8% of these professionals said they would consider leaving their jobs due to the mental health challenges posed by their roles, as several recent trends have made burnout an especially serious problem in IT security.
Security professionals are under more pressure to perform well due to rising cyberthreat frequency and sophistication, a lack of qualified cybersecurity personnel, and growing attack surfaces brought on by remote work and digital transformation.
Due to the rapid adoption of new technologies like cloud computing and IoT, security teams face even more security challenges.
A recent study by cybersecurity advisory firm IANS Research and Artico Search found CISOs are also unhappy with their compensation packages — likely an additional stress factor.
Saran Gopalakrishnan, vice president at Netenrich, said the main reasons for burnout among IT security workers are due to the unique requirements of the industry. “These include the constant need to protect against continuously evolving threats, long and irregular working hours, and a continuous state of high alertness,” she said.
She added a major source of stress in the field of cybersecurity is its high-stakes nature, as even a minor breach could have severe consequences. “Given the evolving nature of the threat landscape, keeping up with newer security technologies and best practices can also be mentally exhausting,” Gopalakrishnan said.
Gary Brickhouse, CISO of GuidePoint Security added aside from the typical response of “find a hobby”, having solid processes in place can reduce the stress experienced during the day-to-day work and lessen the risk of burnout.
“Introducing automation for these processes and other repetitive tasks can take additional weight off cybersecurity professionals allowing focus on other value-add work, increasing overall job satisfaction,” he explained.
He said engaged leadership within teams is a key component to providing better support. “This can be accomplished through ensuring the respective teams are staffed appropriately, workloads are managed, and individuals have regular communication with leadership,” Brickhouse said.
Randy Watkins, CTO at Critical Start, noted burnout happens across all levels of cybersecurity. “At the analyst level, the burnout is typically related to a seemingly endless flood of false positives generated by overly sensitive security products attempting to identify malicious behavior at its earliest signs,” he explained.
Higher-up, engineers are perpetually tuning those products, while implementing other products in an, often tactical, game of whack-a-mole.
At the CISO level, politics and limited budget often prevent proper risk reduction, with the CISO standing alone to shoulder the blame for a breach. “With cybersecurity already playing catch-up from a headcount and expertise perspective, burnout is nothing new, but is gaining attention as organizations continue to feel pain from a security perspective,” Watkins said.
From his perspective, organizations must do a better job of setting role expectations and building a culture that supports the cybersecurity team.
Clearly articulated roles and a career roadmap with opportunities for additional leadership and responsibilities can help attract young talent. “An organization that includes security as a foundational necessity, and backs security with proper budget and authority, will help retain that talent,” he added.
Gopalakrishnan said she agreed employers should consider taking action to assist in the mental health and well-being of their workforce. “It is important to make counseling services and mental health resources accessible to employees,” she said.
To make up for personnel shortages, organizations should ensure they have enough employees and think about employing temporary workers when needed. “Providing opportunities for upskilling and professional growth will make workers feel more capable of handling their duties,” she added.