Professional burnout is defined as a work-related condition of stress causing exhaustion, a sense of reduced accomplishment and loss of personal identity. Extensive literature exists about this phenomenon in relations to healthcare professionals, who need to make important decisions day to day, work under great pressure and with significant resource constraints. Recently, however, professional burnout has come to be associated with the cybersecurity industry.
New technologies equate to new challenges from a security perspective, which fall on the shoulders of cybersecurity teams. It doesn’t help that digital transformation has significantly widened the attack surface that security practitioners need to protect, that new compliance rules are coming into effect globally, and that threats continue to evolve to evade detection. To add to the problem, these teams are chronically understaffed, overworked and operate with constrained budgets they need to fight very hard to obtain.
Therefore, perhaps unsurprisingly, security professionals have started reporting high stress levels and symptoms compatible with burnout.
The Price of Stress
A survey conducted by Exabeam found that sixty-two percent of cybersecurity professionals cite that they are stressed or very stressed at their jobs, and 44% don’t feel like they are achieving a work/life balance.
Certainly, the links between stress and physical health, as well as stress and performance, have been widely documented. One study that looked specifically at the effects of repetition, fatigue and work environment on human error in manufacturing industries found that as much as 48.8% of variance in human error can be explained by these four factors.
While no specific statistics exist to describe which proportion of human errors in cybersecurity teams is due to burnout symptoms, we can expect at least some of the 90% of security breaches due to human error to be associated with the high level of stress that experienced by IT security professionals.
This translates to high employee turnover: CISOs only have an average tenure of 26 months, and a report from the Ponemon institute found that the problem extends far beyond the C-suite. In fact, 65% of IT and security professionals consider quitting their job due to burnout, a worrying statistic that could place further burden on an already resource constrained industry.
Offer Specific Mental Health Resources
Employees should feel comfortable talking about their mental wellbeing. The culture of your organization should allow professionals to be vocal about their level of stress, and there should be a commitment to offer counselling and psychological resources to help them cope with the demands of their mission-critical day job.
Identifying the problem is the first step to build a meaningful conversation around mental health in IT security functions. Managers should educate themselves on how to best offer their teams support, building a frank and honest like of communication to encourage individuals to discuss their concerns and symptoms, and refer them to the appropriate resources.
In an insightful talk at Black Hat 2018, Rhett Greenhagen, Senior Security Researcher for McAfee’s Advanced Programs Group, who was diagnosed with Asperger syndrome at the age of 12, stressed the importance of tailoring the workplace to the needs of all employees. From encouraging employees to seek professional attention to help them understand their symptoms to remaining attuned to everyone’s requirement – being that having a quiet area where to take a break, or taking some time off their day to walk and unwind – there are several small changes that can make a dramatic difference in security practitioners’ everyday wellbeing.
Boost the Recruitment Drive
It’s easier said than done, but recruiting more security personnel is the first step to ensure that professionals aren’t overworked and have the chance to set up jobs on a rotation basis (when appropriate).
Appointing more security leaders can also help relieve the pressure and share the burden of responsibility, so that everyone knows what they need to do to tackle specific problems and won’t have to deal with the confusion of picking up the pieces when one individual leaves.
Consider a Backup Team
Recruiting and retaining talent is difficult, and perhaps bringing in an external team could be more cost effective for your business. Nowadays, there are managed service providers to suit the specific needs of virtually any organization, with packages that suit businesses of all sizes.
You can choose to outsource all or just some of your security operations, allowing your internal team to focus on what you consider to be higher security tasks, while a dedicated team takes care of anything that you may struggle to manage internally.
Automate Mundane Tasks
According to a recent survey DomainTools conducted with the Ponemon Institute, one of the main reasons why automation is introduced by enterprises is to reduce security practitioners’ workload and the time they need to spend on mundane and repetitive tasks.
While it needs to be carefully planned to make sure it will integrate with other security solutions, and that training will be provided to ensure that the workforce has the necessary skills to operate it, an automation tool can greatly improve the efficiency of the IT Security Function, allowing humans to focus where they are most needed.
Provide Training and Recognition
Keeping up with the evolving threat landscape is demanding and time consuming and can leave employees feeling overwhelmed by the challenge of juggling the tasks of their day-to-day role and the need to continuously upskill. For this reason, offering employees training courses, seminars and educational activities will boost morale and release some of the pressure that weighs on IT security professionals. Provide your team with up-to-date, on-hand playbooks and material on recent training experiences that they can refer to in case of an incident.
It’s important for staff to feel valued and investing in their professional development and training is one of the ways to show them that you recognize the efforts they put in keeping your organization safe.
Create Space for Employees to Take a Break
Without having to go to the lengths of Google, where $5,000 sleep-pods were installed for employees to take naps during their breaks, organizations can reorganize their space to make sure there are areas allocated for security teams to relax and wave the stress away.
Implementing policies such as required breaks and off-time is ultimately beneficial to efficiency, as workers will get back to work refreshed and will perform better, as well as feel their health and wellbeing is valued by their employer.
Ultimately, cybersecurity may be in some ways an inherently high-stress profession, but by turning our attention to the problem there is no reason why the situation shouldn’t be alleviated. Prevention is always better than the cure, and communication and education remain the key to create a supportive, positive culture, where employees feel they can speak up and where managers are able to recognise the signs of burnout and have the knowledge and the resources to address them.
Originally published on IT Security Guru