Why cybersecurity staff burn out, and what to do about it
The 'cyber skills gap' results from lack of support, career path and understanding risk
Based on Computing's research and interviews with two experts in the field, we look at the causes of burnout among cybersecurity professionals and how more attention paid to this issue at board level could help shore up defences.
Cyber security is one of the most important roles in IT. It's also among the most stressful with a high rate of dropping out. Almost half of 100 senior IT professionals surveyed by Computing said security staff had suffered burnout in the last three years at both senior and junior levels.
But what is burnout? The term covers a wide range of stress-related conditions and symptoms, and that means it is not always taken seriously as it can be hard to identify, according to Amelia Hewitt, a cybersecurity consultant and founder of CybAid, a not for profit offering cyber services to charities and small businesses. Hewitt describes burnout as "an epidemic" in cyber.
Have members of your team responsible for cybersecurity have suffered job-induced burnout in the last three years?+----------------------------------------+ | Embed | +========================================+ | https://datawrapper.dwcdn.net/IK1gC/1/ | +----------------------------------------+Base: 100 UK IT leaders
Organisations don't recognise burnout and individuals may not realise what's happening to them when they start to feel anxious, disinterested or overwhelmed, said Hewitt, speaking from experience.
"I have been burned out and not knowing that that's what I was feeling," she said. "It was just feeling consumed by my work. Work was my life, and that wasn't because I was really enjoying what I'm doing, it was because I just felt so engulfed by the pressure - and that's exhausting."
Source: Computing research
Why cybersecurity professionals burn out
Richard Seiersen is chief risk technology officer at security vendor Qualys. He is also involved with IANS Research where he advises other CISOs on risk management strategy, having been a CISO himself previously.
"I've lived it, and I see it a lot," he said. "And a lot of it is the urgent overwhelming the important."
In part, the problem stems from a lack of proper training for the cyber leadership role, which is still relatively new compared with other leadership positions. CISOs find themselves in the firing line without the wherewithal to prioritise and manage risk.
CISOs are frequently promoted to the role from practical, hands-on positions, said Seiersen, adopting a familiar military metaphor. They used to be a soldier in a foxhole with one job to do: shoot the enemy. Now they are a general who must study maps, quantify risks, consider resources and communicate options clearly to peers and the rest of the organisation.
"So that's a big change, and by the way, no one's saying ‘you are a general now'. There's no training going on for those at the CISO level." Under pressure, instinct tells them to get hands-on, go back to their comfort zones, return to the foxhole, but this can make a bad problem worse, leaving the team rudderless, drifting from crisis to crisis.
The reporting lines in many businesses add to the drift, said Hewitt, who has worked with organisations in critical national infrastructure. Cybersecurity leadership commonly reports to the CTO or COO. "These people are not security professionals, but they are responsible for translating that information to the top-level management, and it can become misconstrued."
This view was echoed by Samantha Hart, Group CISO at professional services firm Davies, who reports to the Chief Risk Officer. "I think a reporting line straight into the board is really important. My line isn't seen as part of tech infrastructure but you have to cultivate that view. It doesn't just happen," she told Computing.
See also 'You have to tell a story that people want to listen to,' says Davies CISO
Poor communication means the pressures of the job may not be well understood by the board, as this respondent exemplified.
"There is virtually no understanding of just how much firefighting is going on even when they are told and evidence submitted. Total lack of trust of the department," IT manager, Education
As a result, understanding of the security role becomes skewed, and cyber professionals find themselves battling to meet unrealistic expectations, said Hewitt. "You don't want to disappoint them, and that can lead to a really bad culture because we feel as if we need to be doing more."
In organisations with such a dysfunctional, top-down security culture, teams find themselves chasing their own tails, abandoning procedure to defend against some nebulous threat that the CEO has just read about in the paper, rather than one that presents a higher risk. Again, burnout beckons.
Burnout is not just a problem at the top. With threats increasing and cyber teams chronically understaffed, the pressure is felt at all levels, as the figure above shows.
Cyber security remains one of the most popular career choices in IT. In a confusing and unstable world, young people feel they have something to offer, where they might actually know more than their seniors. But frequently when they get there they find it's not what they had expected. And pressure can start even before joining, said Hewitt: cyber is a very competitive market: "Even before you get into cybersecurity, you can feel burnt out because job hunting can be very stressful. It can be very difficult and very time consuming."
Once in, on the bottom rung, there may be no clear career path up the ladder. Nevertheless, they are constantly having upskill and learn new things, which in a high-pressure environment can sap energy. "By the time they're at mid to senior levels, they've had enough," Hewitt said.
That's a problem, not least because when the CISO decides that consultancy or running a startup are more attractive options than being woken at 3 am to respond to another emergency, one which might result in their firing, there may be no-one to take their place.
Hewitt sees a dire need for a more structured career path to maintain a health flow of talent. "In order for us to better protect against threats, we need better entry level opportunities, because whilst they may be entry level now, the professionals in five or ten years time are going to be your middle and senior management."
Seiersen, who regularly gives talks on strategy to CISOs, believes generalisable lessons can be adopted from long-established business management practice. "We need to look outside of our domain. [Cyber is] such a nascent domain of management. It's a newborn baby, relatively speaking."
There is a huge desire among senior professionals for answers, a clearer career path, and an appetite for examples of best practice, he went on. "What is it that we're trying to get done? What are the objective goals? What's the strategy?"
"The organisation remains quite old fashioned in that the IT team is the security team. This means that IT comes first and the security team is only put in place when an incident happens," Information security manager, Manufacturing
"I wish I could see a clear strategy, or even good tactics," Professor, Education
The importance of managing risk
To minimise unnecessary, stress-inducing firefighting and to better protect the business, CISOs must take a risk-focussed approach. After all, not all threats are equal.
"It's about knowing what you stand to lose, and then being able to put together a strategy," Seiersen summarised. "It's the people, process and technology all together, focussing on protecting what matters and eliminating those risks that are preventing the business from achieving its goals."
Rather than approaching security as a box-ticking compliance exercise, each organisation needs to assess the impact of different types of scenario on their particular business, attach a score to each, and dedicate appropriate levels of resource to their mitigation.
It's not just about enumerating known risks, it's also communicating it to the final decision makers and other stakeholders, being able to act quickly to block new threats, and reacting to changes in the organisation and its partners, which means it's vital that lines of communication remain clear, added Hewitt. "The job of an effective security leader is to be able to communicate risk at all levels."
"Increasing remote working and increased cloud service usage have both changed the risk profile of the organisation enhancing staff-related risks," Director, Public sector
"The move to home working means we need more training and understanding/knowledge of risks," Systems architect, Technology
"Businesses that are failing to tackle cybersecurity effectively can cause issues for other businesses they interact with," Senior technical specialist, Business services
What organisations need to do to reduce burnout
The first thing is to recognise that burnout is a real problem, and it affects a lot of people, said Hewitt. "There needs to be a conversation and top-level commitment to tackling it. We need to have more of an emphasis on the people and more emphasis on the emotional element."
Unfortunately, in a high-stakes stressful environment, a blame culture can easily arise. Given the near inevitability of some sort of incident it's most unfair to dump on those trying to minimise the damage, and it certainly does nothing for team spirit. But this is exactly what tends to happen. If a blame culture exists, this should be tackled as a matter of priority. IT and security heads need to lead by example, upholding the core values of the organisation, being transparent and accountable, and offering support and training when mistakes are made.
They will also benefit from considering the makeup of the team, said Hewitt. "It's not a secret that diverse teams are more productive teams. There's just better collaboration."
Outsourcing some security duties can help relieve the burden, but businesses should pay close attention to the fit with their culture, said Hewitt. "Outsourcing can be fantastic in terms of you can fill a gap that you have and you can do it quickly, but all too often you see [outsourcing] with no alignment to the actual business itself or its culture or its agenda."
In such cases outsourcing can create more problems than it solves.
The top answer in our recent research, however, was increasing automation of manual processes, an essential measure (if insufficient on its own).
What is your organisation doing to reduce the risk of burnout among security staff? (Answers ranked in order of popularity)
- Increasing automation of manual processes - Ensuring there is no blame culture - Ensure effective support is available - Change in working practices (e.g. 4-day week, more flexible hours, WFH) - Focus on training - Educating all staff to be more proactive, to take the pressure off cyber team - Recruiting more staff - Outsourcing some/all security duties - Adopting managed services - Ensuring better visibility, e.g. by tools consolidation
"We've had to recruit more cybersecurity specialists and offer them flexible working conditions e.g. flexible hours and WFH. We're also investing in new software tools to mitigate and threats," Senior IT, Education
Where tools can help
Tools are of course vital to defensive operations, but most organisations don't have the luxury of being able to start afresh. Instead they must work with what they have. Larger organisations may be supplied by dozens of different vendors, and there is no one size fits all. Moreover, some tools require a high level of skill to operate, increasing the risk of operational silos.
AI-enhanced tools are a particular focus at present, promising to remove some of the drudgery of triaging events, bridge gaps between disparate tools, as well as spotting patterns and being able to act in a way that human teams cannot.
"AI tools will be helpful," said Hewitt. "There are use cases where AI can perform tasks much quicker than then we can."
However, seeing such tools as a panacea would be a mistake. After all, people need to define the requirements for that technology; people need to decide who intervenes when that technology goes wrong, what happens to the data, how to report to the board. "It's still people, so what we probably need to be better at is being able to understand what elements the technology can really take away from people."
Security tools are frequently sold as relieving the burden on people, but there is no guarantee of this. A tool is a tool, despite the marketing around it. Some respondents suspected vendors of "AI-washing" their products.
+----------------------------------------+ | Embed | +========================================+ | https://datawrapper.dwcdn.net/QFPX0/2/ | +----------------------------------------+Another source of confusion are the semantics. AI/ML has been used in defence for decades, at least since the first spam filters, but what most people think of currently is generative AI.
GenAI starting to find its way into tools too, and it's certainly not all smoke and mirrors.
For example a friendly interface can make tools much more accessible to non-expert users, and can make the results of scans easy to digest, and we're seeing more of that summarising capability which is perhaps the greatest strength of GenAI in this context, coming forward. Threat intelligence, finding patterns in data from thousands of organisations, is another clear use case.
"AI is really useful in operational work where you have some amount of what seems to be irreducible uncertainty," said Seiersen. For example, you may need to push an emergency patch to 10,000 machines. "What are the chances of some of those falling over? Can we learn something that would help the operational team reduce the risk of deployment?"
Among the top categories of tooling being adopted are endpoint management and response (EDR) and IAM, reflecting the number of attacks initiated on user devices. Cyber insurance is also popular, in part because policies offer access to rapid expert response.
What cybersecurity solutions have you adopted in the last year, or plan to adopt in the next 12 months? (Ranked in order of popularity)
- Endpoint management / EDR - Identity & access management - Cyber insurance - Security information and event management (SIEM) - Immutable backups - Zero trust networking - Ransomware detection
As the next wave in a continuous process of automation, AI is being built into more and more tools. However, many of the capabilities are novel and therefore unproven over time, most come with a price tag, and the technology brings new concerns.
"Data security is one key issue. With new and evolving treats, there is a heightened fear that private data could be inadequately secured, used in training publicly accessible AI models, or create vulnerabilities in security systems," IT director, Technology
Tools are not enough
Perfect security tools, like perfect security, do not exist. And even the best tools may not fit with an organisations' budgets, legacy infrastructure or operational setup. They can help the team counter the many threats, but are not a substitute for management and training.
"I've seen this first-hand," said Hewitt. "There's a lot of emphasis on what tooling can do. But what about what it can't do? If we know where tooling can't improve things for IT and cyber professionals then we can do more to improve that technology to support people better."
Strategy and communications are more important than tools in minimising risk and ensuring the security team is not overburdened. The role of awareness education, reducing the risk of threats getting through in the first place tends to be underestimated, in part because it is difficult to do successfully, which is where reaching out to external help may be invaluble.
"Engaging with external services and ensuring internal staff have the correct level of training is helping reduce issues," Head of technology, Distribution and transport
"We don't have the budget for big raises, so improved training and getting managed services helps, IT admin," Local government
Related to that is effective training for security staff at all levels, which is something that can get de-prioritised when all the focus is on firefighting and tools.
We hear so much about the skills gap within cyber, but in many organisations there are internal bottlenecks and blocked career paths that are doing them no favours. Attracting people who have the right attitude and aptitude, and finding ways to keep them by reducing the causes of burnout may be the most important factor in defending against the tide of incoming threats.
Author spotlight
John Leonard
More from John Leonard
Ofcom fines TikTok £1.9m for failure to provide child safety information