InfoSec spends a lot of time talking about the dangers of burnout – here's how you can actually tackle the problem


Burnout in the cyber security industry has become one of the most hotly debated topics in recent years, with research from 2023 showing the issue is now rampant among senior practitioners.

It's a problem that has been growing for some time, partly due to the 'always on' culture that has traditionally been part and parcel of a career in cyber, with practitioners working long, strenuous hours and contending with an ever-growing array of threats.

At InfoSec Europe 2024, burnout was once again in the spotlight, with a host of sessions exploring the topic, including a talk by Chris Denbigh-White, CSO at NextDLP.

Delving into the issue, Denbigh-White highlighted a pervasive culture of stress in the sector, providing statistics that paint a concerning picture for practitioners and questioning whether enough is being done to tackle burnout and improve mental wellbeing.

“Quite shockingly, 66% of security professionals felt they suffered from significant stress at work, 67% of cyber security respondents reported staff shortages within their team, and 95% of CISOs work beyond their required number of hours, reaching nine plus hours a day.”

Denbigh-White said these factors all contribute to a culture of stress which permeates across the cyber security industry.

“These things compound a lack of staff, the lack of support, and the overarching structure that can lead to a downward spiral, a reciprocal spiral of stress adding to stress, which just makes things feel almost untenable.”

The first area Denbigh-White and his co-presenter Andrew Rose, CSO at SoSafe Security, highlighted as a way to tackle the burnout problem was to improve the availability of support within the workplace.

Although it may appear obvious, Denbigh-White said CISOs need to make sure their staff have the assurance their concerns are being heard and that security leadership figures are there to support them if they are struggling.

“Listen to your staff, I think on paper it’s a no brainer but in the fight-or-flight of stress and time constraints it can sometimes be difficult… Really committing to having that drop-in session, CISO calls, and things that can fall outside 1:1s, making yourself available to your staff to raise concerns and feel understood,” he explained.

Build a more resilient workforce to beat burnout

At its Security & Risk Management Summit on 3 June, Gartner identified three areas for CISOs to augment their cyber security approach, and one of these was building a more resilient cyber workforce.

Gartner stated that CISOs need to treat resilience as a true competency and build it in their teams in the same way they would technical proficiencies, and one way of doing this is making it easy for employees to access the support they need.

Another way in which CISOs can build a more resilient cyber workforce is through encouraging the sharing of what Gartner describes as 'failure/learning stories'.

Gartner argued that CISOs need to be setting an example for their staff by being the first to offer examples of instances where they failed to meet security objectives and how they learnt from these experiences.

Speaking to ITPro, Jon France, CISO at ISC2, explained that, just like in any industry, mistakes happen in cyber security, and the important thing is removing the blame culture so security professionals feel secure enough to admit mistakes and focus on learning from them instead.

In order to do this, firms need to ensure they are investing in taking the time post-incident to look at how their teams dealt with the issue on a human level, rather than only looking at the technical aspect of how the incident occurred.

“I would strongly contest that good [firms] will look at the team dynamic and not just the technical dynamic,” he explained.

France noted there are particular qualities organizations can look for and try to foster in their security staff that will help them perform well in high-pressure incident response scenarios.

“In large part it comes down to things like critical and logical thought processing… Those kinds of people do very well in stressy environments… I’m a big fan of tabletop exercises where you can test some of those human elements in a safe way.”

Being able to get things wrong without the risk of being responsible for exposing personally identifiable information or costing your company large amounts of money is vital if security staff are to feel comfortable in their role and most importantly improve, France asserted.

Reducing the workload through harmonized regulations and embracing automation

Another piece of the burnout puzzle is reducing the workloads currently inhibiting cyber professionals. One solution frequently championed for overburdened security teams is automating the mundane and repetitive tasks that clog up their workflow.

Both Denbigh-White and Rose stressed that, although it is no silver bullet, embracing automation will have an important role in reducing burnout.

Gartner stated that businesses need to “leverage automation to free people up to focus their energy on activities that truly demand it” and Denbigh-White built on this point.

“If there’s something that you don’t need to do and you can automate, do it. Frankly it’s time well spent reviewing metrics and understanding, are we making sure that we’re doing the right thing? But also, are we counting the right metrics? Are we spending hours and hours compiling security metrics on something that generally doesn’t matter? Again, review things, cut things down.”

France added that regulators have a role to play in reducing the workload on security professionals, stating that if nations align the obligations they place on cyber professionals more closely, it will reduce the extra work they have to do to satisfy specific agency requirements.

He said ISC2 does a significant amount of work trying to harmonize regulations on behalf of their members to reduce unnecessary work around reporting incidents.

“We do a lot of government outreach and we point out, for example, reporting requirements, if you could harmonize timeline and elements, transnational and international organizations can satisfy you all easily rather than having to do a very jurisdictional approach”.

Recognizing where staff are overburdened for targeted support

Nicholas Jackson, director of cyber operations at Bitdefender, told ITPro that a key to reducing this workload is actually quantifying the volume of work security staff are having to do.

Jackson noted that distilling this into a single number is a difficult task, but there are ways in which firms can go about this, and by doing so leaders can evaluate the practical steps they can take to support their staff.

He suggested firms could undergo holistic posture assessments to establish how many security staff they require to deal with the threats they face, as well as the level of technical proficiency they will need.

“It’s almost like a full skills gap analysis to help understand where the burnout is, because more often than not most organizations already know this, but it's just not documented in a nice succinct way that they can take with them. They just go, ‘we’re struggling, the workload is too high’,” he explained.

“Whereas if you come back and say look, you’ve got a thousand suppliers, that’s impossible for one person to do. If you have no interest in outsourcing it, you’re going to need three or four people.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.