Op-Ed: How to help our essential cyber security workers avoid burnout

Imagine the stress that you and your team went through as you worked around the clock with next to no sleep to figure out the extent of the problem, do your best to remedy it, and help get the business running again. Imagine the time pressure from the board, the executive team, and the watchdogs, not to add … the media, and social media. If you are one of those professionals, I sincerely hope you have a summer holiday, or are enjoying one now, because you deserve it.

The looming burnout wave

Across our profession, I see a looming and dangerous wave of burnout. It poses some threats: to the health of these essential workers, the security of the organisations they work for, and the customers and individuals they serve.

More than 90 per cent of security professionals report being stressed in their roles and nearly half have thought about quitting the industry altogether, according to a report from Deep Instinct. It’s a warning of what’s at stake if conditions don’t improve.

So, what can we do about it?

There are clear steps technology leaders can take now to alleviate some of the daily stress faced by cyber security professionals.

What makes cyber security professionals tick?

The majority of us who work in cyber security take great pride in what we do. We put in 80-hour weeks and invest our time outside of normal business hours to go above and beyond to ensure our employers and our clients are cyber secure and cyber resilient.

VIEW ALL

We generally get paid well for it and we wear the protective roles we take on like a badge of honour.

But it means we shoulder responsibility for the potentially catastrophic consequences that can follow a cyber attack even when, as is often the case, the cause is all-too-human error by a colleague who doesn’t work in security.

We don’t hear much about these folks when things are going well (e.g. no breaches), but when something goes wrong, we cop a lot of stick for it (and who would enjoy telling a new acquaintance at a barbeque that you work in security for a company that just experienced a breach?).

The threats are rising but the talent is short

We must accept that in 2023, more things will go wrong. Nearly half of security and IT leaders expect a further rise in ransomware attacks, according to a PwC report.

As they navigate this ever-changing threat landscape, experts must understand the dizzying range of legacy tools used by enterprises to ensure they’re able to communicate in harmony.

But there aren’t enough of these experts around. The surge in cyber crime will leave Australia 30,000 cyber professionals short of what is required over the next four years to cover the country’s security needs, according to research by Per Capita for CyberCX.

That means a limited number of experts are doing more and more. And there may be no greater fuel for human error than exhaustion.

Embracing a resilient approach

So, as well as empowering their security people to remain resilient, companies must develop their own “cyber resilience”.

It starts with a proper acknowledgement at the C-suite and in the boardroom that it is a case of not if, but when, your organisation’s security will be threatened or breached.

This means anticipating, protecting against, and being able to recover from threats.

For professionals, this approach allows them to be proactive — to put seatbelts in the car long before anyone starts driving.

Streamlining and simplifying can further address some of the challenges cyber security professionals experience. Chief information security officers (CISOs) must prioritise security integration, embrace cleaning house when it comes to a patchwork of tools that don’t connect, and better understand how to start automating recovery when breaches happen.

And, of course, solving the cyber security burnout crisis will involve building and developing the workforce and embracing diverse candidates who bring a range of problem-solving approaches to the table.

Here’s the good news

Overall, action is trending in the right direction. A recent Gartner survey found the majority of chief information officers (CIOs) plan to increase cyber security investment, making it a top priority. And conversations about burnout are continuing, offering professionals an outlet to share their experiences, and the realisation they’re not alone in managing the stress.

But without a thoughtful approach and a culture that empowers these professionals, the reasons behind burnout may continue to thrive.

The strategy for helping security experts avoid burnout should be the same as our overall approach to security — a team effort with a focus on resilience, so we can get ahead of problems, prepare for challenges, and ultimately keep moving forward.

Collin Penman is the country CISO and security practice lead for Kyndryl A/NZ.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.