We live in an age of 24/7 cyber warfare, and security teams are our new front-line workers. The soaring rise in cyber-attacks in recent years has meant that security staff now face a continuous cycle of threat detection and suppression, which has greatly impacted employee stress levels. As a result, senior decision-makers across the UK have reported a 74% rise in cybersecurity staff turnover since last year.
This increase in turnover directly impacts those working in cybersecurity, as knowledge leaves the business and is hard to replace. According to Fortinet’s recent Cybersecurity Skills Gap Global Impact Report, 52% of companies struggle to retain qualified cybersecurity employees. A further 60% struggle to recruit new talent, ultimately increasing the workload for remaining team members. It’s a deepening cycle – competition for hiring security talent will continue to grow as more attacks happen.
Mitigating stress is imperative for staff retention, which in turn is crucial for continued business security and profitability. Given its elevated importance and the fact that cyber fatigue now permeates the workplace, security leaders can no longer turn a blind eye to the impact that burnout can have at an employee and business level.
A Perpetual Threat
The shift to remote work during the pandemic opened up new opportunities for cyber-criminals. For example, with employees no longer wholly tied to the office, the increase in unprotected devices and home networks has provided cyber-criminals with a mass of vulnerable individuals to target. Following the pandemic, 81% of global organizations experienced cyber threats, with 79% experiencing disruption caused by a cyber incident.
In 2022, we’ve also seen a rise in what I like to call Hacking as a Service. Today, hackers have made a business out of cybercrime by building tools and infrastructure for the purpose of hacking. They sell these tools and make a living out of it. As the Sophos 2023 Threat Report shows, this trend is a remunerative and growing business model. This opportunity for lucrative gains further drives the frequency and ferocity of cybersecurity breaches. It is very organized compared to the security landscape of 20 years ago.
Put Your People First
While 68% of business leaders fear that cyber breaches are still increasing, cybersecurity teams are yet to be restructured to meet the demands of this new 24/7 threat landscape. As a result, 84% of cybersecurity workers have reported experiencing burnout. To combat this, security leaders should organize their operation teams on eight-hour shifts to ensure employees get enough rest. This is critical to helping them avoid mistakes and create a healthier work-life balance. Leaders must prioritize mental health for their teams, particularly during breaches. It is extremely important to have stable and established teams to care for our people and make the right decisions for the business.
Streamlining the way security teams work is also key to helping them scale to the current volume of threats and to protecting them from burnout. Whenever possible, security leaders should prioritize automation and orchestration efforts to minimize the workload of carrying out repetitive tasks and reduce the risk of human error. It is also important to consistently focus on relentless prioritization and ensure that the teams work on key risks and priorities. This can keep employees and teams from getting overwhelmed with tasks that might not deliver the right impact or the best ROI for the business.
Furthermore, businesses should constantly provide their cybersecurity staff with upskilling opportunities. A recent Trellix Survey found that 36% of professionals lacked opportunities to develop further skills and 32% felt unsupported in attaining qualifications and certifications. Businesses should therefore introduce regular upskilling days, where employees can enrol on courses to expand their skill set. As the threat landscape is constantly evolving, it is imperative that cybersecurity professionals can continually develop their skills and adapt to the new threats and attacks being developed.
Go Beyond the Security Organization
Moreover, security teams cannot work alone. Given that 95% of cybersecurity issues can be traced to human error, employees present a huge gap and security risk for companies. This is particularly true in a hybrid work environment. To combat this, businesses must look to build the ‘security muscle’ of their greater team. This should be done by continuous education through regular cybersecurity awareness programs paired with security testing. Most organizations could do better at simulating live attacks on their wider business, for example by running more social engineering exercises in the current climate. By emulating real-world threats, employees can know what to expect. This can help workers recognize potential threats and malicious activities and understand how a security breach may impact the business.
Partnering across technical organizations is also extremely important, and the best way to do this is by building a Partner Security Program. The goal of such a program is to provide knowledge and tools to other technical employees (those who are not part of the security team), who can then act as the security team’s eyes and ears. This not only serves the security business objectives but also helps to build and scale a matrixed security DNA in the most critical and technical areas of the business.
Together, this teamwork can significantly lessen the strain felt by cybersecurity professionals, enabling staff to feel supported and able to maintain a healthy work-life balance. This, along with strategically prioritizing remediation of risks, leveraging automation and orchestration efforts, and educating and upskilling employees, helps support staff well-being. This all contributes to minimizing burnout, which improves staff retention for businesses.