Stress and burnout are regularly highlighted as issues facing cybersecurity professionals today. Beth Maundrill investigates the problems and how mental health is intrinsically linked to the cybersecurity skills shortage.
The COVID-19 pandemic spotlighted the stress that cybersecurity professionals experience in their jobs with the drastic move to work from home. Many in the information security sector found that, at home, they were working more hours than ever before, facing new and complex challenges and being hit with a barrage of alerts, requests and security threats.
Nearly three years on, the industry is now acutely aware that cybersecurity professionals can be afflicted by stress, burnout and mental health challenges. Looking at the bigger picture, stress also leads to poor job satisfaction, which sees people abandon their roles in cybersecurity, fueling the skills gap and talent shortage the industry is facing.
“In the cybersecurity world, the ‘Great Burnout’ has been well underway for quite some time. Although it can sometimes seem unspoken, burnout in the cybersecurity industry is a well-documented issue that is impacting employees everywhere,” comments Adam Marrè, CISO of Arctic Wolf.
There are statistics galore surrounding the topic. Email security company Tessian has noted in a report that CISOs on average work 11 more hours than they’re contracted to each week, more than half of CISOs (59%) say they struggle to switch off once work is over and shockingly, 44% have missed a doctor’s appointment in the last 12 months due to work.
“If you look at a threat map of any company’s perimeter security, you will see a constant barrage of incoming attacks. It’s scary stuff to watch, especially when you acknowledge the fact that in present times, it is typically not if you are breached, it’s when,” notes Martin Cannard, VP of product strategy at Netwrix, a California-based IT security software company.
“Is it any wonder then that today’s cybersecurity professionals are stressed, waiting for that 3.00am phone call that will potentially kick off days of working around the clock,” he says.
Other statistics worth highlighting come from the UK’s Chartered Institute of Information Security (CIISec), which polled over 300 industry professionals to compile its 2021/22 State of the Profession report.
The study revealed that a third (32%) of respondents are kept awake by job stress, and a quarter (25%) by lack of opportunity, but only a fifth (22%) by their organization suffering a cyber-attack.
Amanda Finch, CEO at CIISec, tells Infosecurity she finds it “pretty frightening” that so many people were kept awake by job stress.
“[Mental health is] always something that’s probably been put to one side in previous years, but we are now more aware of mental health issues and COVID-19 probably brought that forward. It is important that we discuss the issues, address them and understand how people are feeling out there,” she says, noting that while mental health is indeed a topic more people are talking about now, the stresses of the job are increasing at the same time.
CIISec’s findings show that 12% of people who took the survey were working 50-70 hours a week. Whatever statistics you reference there is a common theme to the issues that people in the sector are facing.
Barriers to career progression were also highlighted, including a lack of confidence in their own ability (38%), lack of support or mentoring (38%), an assumption they lack skills for roles (36%), a feeling of being unwelcome or unaccepted (28%) and a lack of training opportunities (28%).
Arguably, this report found that cybersecurity professionals are more concerned about lack of career opportunities than they are about their organization suffering a cyber-attack.
All of this provides fuel to the fire of the cybersecurity skills gap crisis that the industry is facing. Mental health and retention are intrinsically linked.
One piece of research from Bridgewell Consulting warned that UK critical national infrastructure (CNI) organizations could face an exodus of cybersecurity leaders over the next 12 months due to stress and burnout. The survey of 521 UK cybersecurity decision-makers in communications, utilities, finance, government, transport and aviation found that 95% of respondents are experiencing factors that would make them likely to leave their role in the next 12 months.
All this at a time when it is estimated that 3.4 million more cybersecurity workers are needed to secure assets effectively, according to (ISC)2’s Cybersecurity Workforce Study 2022.
Taking Action
We are all fully aware of the issues that organizations face when it comes to the health and wellbeing of their staff, including of course cybersecurity professionals, and now is the time to do something about it.
Curtis Simpson, CISO at Armis, comments on how he provides support to his team: “With over 20 years in information security and technology, and more than half of this time being spent in leadership roles, there’s one very important lesson that I’ve learned over the years. It’s all about creating a safe space for growth and mentorship.”
He says, “Every one-on-one with my team involves listening first and where appropriate, coaching and mentoring on both a tactical and strategic level. Just knowing that there is someone who has been through a situation before and that they will not only help you navigate through the situation if you need the help, but also help you learn from it, alleviates so much of the pain.”
As the CIISec report shows, mentorship and career progression are things that many are striving for and not having them is leading to added stress.
Speaking about businesses as an entity, Finch says that they must provide a more supportive structure.
“One of the things that came out of our findings is that the [cybersecurity] industry had been slow to adopt industry standards; where people know what they are doing and what they are working towards really helps a lot,” she says.
“I think the management structure within organizations needs to be more supportive. If people are in roles where they feel supported, have the right processes in place and can see where their career paths are going then they are going to be calmer and more relaxed in their environment. Having mechanisms where people can put their hands up and say, ‘look I’m struggling’ and making it a lot more of a supportive environment.”
With this support, Finch points out people are much more likely to stay in their jobs rather than seek alternative roles outside of their current organization.
Ensuring people are in the correct position and “not trying to be a round peg in a square hole” is also vital to employee stress and satisfaction.
“A lot of this is about working with HR department and those departments need to be really cognizant about the problems that are there,” she says. “It’s not just technical skills that are highly regarded, if you look at the data we have, communications and analytical skills are in high demand so it’s important to upskill people in the softer skills that are not directly the security skills.”
Finch notes that ensuring employees are not stressed and have room to develop ultimately links to how security itself is viewed, and its role in the business.
“We’re going through something of an evolution, where security’s recognized more and more not just as a technical field (i.e. keeping the lights on/keeping the data safe), but as a strategic asset that’s intertwined with areas of the business such as finance, risk, compliance and HR – meaning there needs to be more appreciation for the different skills needed, and more opportunity for security personnel with strategic and interpersonal skills to go far.”
Be Prepared
For a long time, cybersecurity has been focused on the technology, but we are beginning to see this mindset shift with the understanding that people are at the heart of everything that is achieved.
One way to help people prepare for crisis response in the event of a cyber-attack is the development of cognitive agility.
Bec McKeown, director of human science at Immersive Labs and Chartered Psychologist, tells Infosecurity how adaptive problem solving is a key skill for cybersecurity professionals and how cognitive agility can have a positive effect on resilience. She describes cybersecurity as a “wicked problem” where there isn’t a clear-cut resolution, meaning people need to be more adaptive in the ways they think.
With the sheer volume of information that cybersecurity professionals can be faced with during a crisis the brain is susceptible to becoming overwhelmed.
CISOs should be asking whether they are ready to cope when it comes to the next cyber-incident.
McKeown suggests that organizations wishing to embark on this kind of learning and development first conduct exercises in order to find out the current status of the workforce. From there, upskilling can be implemented where needed and leaders can identify what gaps there are in the team.
This is not a one-time thing either, it needs to be reinforced and McKeown notes that these kinds of capabilities can fade if they are not exercised on a regular basis. Exercises cannot be an occasional luxury; regular exercising will enable crisis response teams to make connections between previous decisions and apply them during an incident.
“Being proactive is better than being reactive,” McKeown adds.
Being prepared and having the right tools in order to be resilient can be key to relieving some, not necessarily all, of the stress and uncertainty that security professionals face when met with a crisis incident.
CISOs at the Ready
As leaders, CISOs face the pressures outlined in earlier this article but also bare a lot of the responsibility to make sure that their teams are resilient and are not suffering from mental health issues.
“The CISO needs to work with everybody at a higher level,” Finch notes. “It’s about how you communicate. The CISO needs to be able to communicate with the HR department using a language they understand and hitting their buttons. HR want to have an effective workforce, they want to avoid [employment] tribunals, they don’t want to have large recruitment bills.”
McKeown concurred that collaboration is key, and it is important, in general, to have relationships with people who speak a different business language to those in the security realm.
A lot of initiatives, training and resources relating to supporting teams with their mental health and resilience of course cost money. Finch says, “In terms of getting budgets and getting more effective security controls you need to be able to talk to the C-suite about why you need these things, why it’s financially good sense to have these things.
“For the CISOs, they need to look inside themselves to see where they need the support to help them to manage their teams. It’s taking things out of the security environment and more into the management environment.”
Arctic Wolf’s Marrè reflects on his management approach when it comes to stress and burnout: “I have made it a priority to set work-life boundaries my entire career, whether it’s been at the FBI, Qualtrics or Arctic Wolf. Now as a cybersecurity leader I can use this experience to help my team enjoy satisfying work-life boundaries.”
He adds, “Managing stress and maintaining a workload that challenges, but does not cause burnout, should be a frequent topic in weekly one-on-one meetings and during touchpoints between leaders and team members. Scheduling additional open conversations with teams that center on healthy habits and boundary maintenance can create a positive culture around work-life balance, empowering teams to define their own strategies to deal with the at times crushing workload. Normalizing discussions about mental health in the workplace and removing the stigma around asking for help requires a cultural shift that starts with the C-suite.”
It is likely that we will continue to see saddening statistics highlighting mental health issues that cybersecurity professionals face because of their jobs but it is encouraging that today, in 2022, the spotlight is truly being shone on the problem and there are individuals and organizations alike who are tackling it head-on.