#CybersecurityAwarenessMonth: Cybersecurity Burnout: Cause, Impact and Resolution

A burnt-out sector is an underperforming sector. For Cybersecurity Awareness Month, Assured Intelligence paired up with isms.online to shine a light on a less obvious facet of cyber awareness: industry professional burnout

Burnout isn’t selective when it comes to which industry to infiltrate, spreading like a cancer among hardworking professionals. Burnout doesn’t discriminate, but it does spread faster and hit harder in some sectors.

Earlier this year, a Gartner study predicted that nearly half of cybersecurity leaders will change jobs by 2025, and 25% will pursue different careers and industries entirely due to workplace stress. There’s no denying that cybersecurity is one of the industries most vulnerable to burnout, and immediate indicators for that are high accountability, blame culture, and workload.

With cybersecurity awareness month as a catalyst, Assured Intelligence has partnered with isms.online to dig deeper into why cybersecurity professionals are prone to burnout and are leaving (or planning on leaving) their jobs in droves.

To ensure we tell the whole story, we carefully selected interviewees in varying roles across the industry to answer some big questions. We talked to a CISO, a CEO, a senior manager, an industry association representative, a developer, a recruiter and a cyber insurance broker. Our mission was to represent the full spectrum of cybersecurity professionals (or as much of it as possible, given we’re not writing a novel!), look for themes and consensus, and detect any differences in perspective. We’ll collate those findings in our conclusion at the end.

Our interviewees:

• Dan Conn, senior platform security engineer, Trustpilot
• Amanda Finch, CEO, CiiSec
• Natasha Harley, owner, Cyber Talent Partners
• Stephen Khan, chief business information security officer, Cognizant
• Michelle McCarthy, Head of APAC, ISMS.online
• Nigel Phair, chair of the Australasian chapter of CREST and a professor at Monash University, Australia
• Ed Ventham, co-founder and head of cybersecurity broking, Assured

Why are we seeing a burnout crisis in the cybersecurity sector?

Michelle McCarthy: The demanding nature of the field, coupled with the rapidly evolving landscape of cyber threats, has led to an alarming increase in burnout. The pressure to stay up-to-date with emerging technologies, evolving attack methods, and compliance regulations can be overwhelming. Coupled with the need to mitigate risks, respond to incidents, and maintain the security posture of organisations, cybersecurity professionals often find themselves in a perpetual state of high stress.

Natasha Harley: Individuals are juggling multiple roles and responsibilities, often outside of their remit, in addition to working unsociable hours. The shift to remote working has, in some ways, increased burnout due to a lack of balance between when the day begins and ends, meaning individuals often feel they must always be ‘available’.

Ed Ventham: Increased risk puts increased pressure on individuals protecting against it. When a cyber incident occurs, it’s unlikely that a non-technical person will appreciate what’s gone on, and there will be an (often incorrect) assumption that the CISO or CTO has just failed at their job.

Amanda Finch: Stress and burnout in the cybersecurity industry have been exacerbated in recent years by COVID-19 and the impending economic crisis. Research highlighted that 77% of cybersecurity professionals work 31-50 hours a week, while 12% work 51-70 hours. Moreover, a third (32%) of professionals revealed that job stress keeps them awake. This is unsustainable, and organisations will suffer unless the industry learns to do more with less.

“A third (32%) of professionals revealed that job stress keeps them awake”
Amanda Finch

Nigel Phair: Since this is too often seen as a technical issue, not a business issue, the person stuck holding the can is the CISO (or similar role). They get stressed due to various issues, including insufficient management or board-level buy-in, insufficient funding for BAU and future projects, difficulty attracting and retaining staff, and if a cyber incident occurs, they get blamed.

Dan Conn: I’m not sure this is a burnout crisis, as a crisis suggests that this has a peak and an end. Burnout has been a constant in my career, both in tech and cyber. I have countered it by choosing companies that try and do things to reduce it, but for others, it has been constant. The main difference recently is compounded by higher investor ROI demands, mass layoffs due to a misunderstanding of the usefulness of AI, and a higher level of accountability for cybersecurity through recent and forthcoming legislation.

Does the cyber skills gap exacerbate the problem?

Michelle McCarthy: Yes. The demand for talented professionals in this field is consistently high, leading to heavier workloads and longer hours for existing staff. With limited resources and an ever-growing list of responsibilities, burnout becomes an all-too-common phenomenon.

Ed Ventham: There’s often talk of a lack of talent in the sector – meaning there aren’t enough people to fill the seats, putting pressure on the people in them. But I think that narrative is out of date now. Most businesses we speak to are well-funded in their IT security, and they do have the resources. The pressure seems to come more from the fact that the role has been critical to a business’s functioning ability, meaning it’s a high-pressure, high-accountability role.

What’s the real-world impact of burnout on the individual?

Stephen Khan: You have an emotional energy bank that gets used up quickly if you’re in crisis or ‘always on’. Consequently, you don’t have any energy for your family, health or downtime. You end up not having a life; you’re just working. People need to decide their manageable cadence and feed their emotional bucket best. Ask yourself at the end of each day – am I living my best life?

Natasha Harley: Burnout causes mental and physical health issues, from poor health, headaches and insomnia to depression, anxiety, and mental fatigue. These issues affect individuals’ cognitive functions, from memory to concentration and decision-making abilities in both a professional and personal capacity. The challenge the industry faces is the loss of skilled professionals who seek alternative careers or leave the industry altogether.

Nigel Phair: Impact includes excessive drinking and eating, lack of exercise, problems with personal relationships and poor work performance.

Michelle McCarthy: High stress, exhaustion, and emotional strain levels can harm individuals’ mental and physical health. Burnout can lead to symptoms such as chronic fatigue, anxiety, depression, and decreased motivation. It can also affect personal relationships, work-life balance, and overall quality of life. Unaddressed, burnout can escalate into serious health issues and long-term career dissatisfaction.

What about the consequence of burnout on the employer?

Natasha Harley: Increased responsibilities and workloads result in decreased productivity and motivation of individuals, leading to talent retention challenges within organisations, which will likely lead to increased security breaches and compromised cybersecurity defences. Additionally, this creates negative organisational cultures, often resulting in talent attraction challenges or higher recruitment and training costs when investing in recruiting and training new talent. 

“Exhausted employees are more prone to errors, resulting in vulnerabilities and security breaches”Michelle McCarthy

Michelle McCarthy: Exhausted employees are more prone to errors, resulting in vulnerabilities and security breaches. The quality of work and attention to detail may suffer, leading to potential lapses in protecting sensitive information and systems.

Stephen Khan: Burnt-out people lose their competitive edge and are unable to give their best work. 

What are the ramifications of burnout on an industry level?

Michelle McCarthy: The scarcity of skilled cybersecurity professionals ultimately weakens the sector’s ability to address the growing challenges and threats. Moreover, the burnout crisis negatively impacts the sector’s reputation and attractiveness.

Ed Ventham: The burnout crisis is certainly a deterrent for new talent entering the cyber industry. They see a constant fight against fires and a blame culture that evokes stress and unhappiness.

Natasha Harley: The knock-on effect of the perception of cybersecurity being an industry with burnout causes a negative impact on attracting newcomers, and therefore those already in the industry experience increased pressure and workloads. This leads to higher turnover rates and individuals seeking alternative careers or leaving the industry altogether.

Stephen Khan: The sector, in general, masks the issue. There is a lot of talk and awareness, but there’s a question mark over whether there’s enough action.

What can leadership do to help burnt-out teams?

Stephen Khan: Leaders need to be strong and set the barometer. I’ve seen leaders throw work down the pipe, and the person who picks it up is left trying to determine what is wanted. The better leader explains what they want you to achieve and sets clear expectations, allowing their team to be successful. Leaders should empower their team to effectively manage their time and demonstrate the behaviours they want their team to be empowered to follow. Small things like ensuring team members who start early don’t finish late make a big difference.

Natasha Harley: Discourage excessive overtime, set realistic workloads, encourage holidays and time off, and implement resources, including awareness initiatives and counselling services. Check-in regularly with colleagues to alleviate excessive work pressure, too.

What actions can be taken to prevent the burnout crisis from escalating?

Stephen Khan: Organisations have a responsibility to actively encourage mental health. It’s more than policies and standards. It’s about practical tools, too. Here are some things I do with my team:

• Insist they ramp down their workload a week before they go on holiday. They will crash and burn if they arrive on their well-earnt holiday with a full mental bucket.
• Encourage five minutes of meditation daily – it can be more powerful than you think.
• Endorse sleep, nutrition and exercise. Even a half-hour walk with no headphones can make a huge difference.

Amanda Finch: Organisations that understand what causes and reduces stress and how to reward team members stand a better chance of cultivating a security team that can operate effectively despite pressures.

Michelle McCarthy: It requires a multi-faceted approach. Of course, organisations should prioritise employee well-being by implementing supportive policies and practices to prevent burnout. Creating a culture that values open communication, collaboration, and employee recognition can also create a healthier work environment. But they must also invest financially in training programmes; ensuring cyber employees have the right tools for the job will go a long way to preventing burnout. Employees must set clear boundaries between work and personal life, practising self-care routines and seeking support from colleagues, mentors, or mental health professionals when needed.

What advice would you give around coping mechanisms for somebody already suffering from burnout?

Dan Conn: Set boundaries. Remember that you’re contracted to work X hours a week. Everyone is entitled to a life outside of work, and while extra hours might sometimes be needed, ask questions if an employee or colleague regularly puts in a lot of extra hours.

“Remember, ultimately, it’s all on you. You are the master of your destiny” Stephen Khan

Stephen Khan: Understand what recharges and energises you. Remember, ultimately, it’s all on you. You are the master of your destiny. Mental health is not your employer’s responsibility; it’s yours.

Natasha Harley: Don’t be afraid to say no. Push back on the less important things, which is essential in setting clear boundaries. Re-evaluate your priorities and goals and consider whether your current workload and career path align with your values and overall well-being.

Michelle McCarthy: Seek professional help, take time off to rest and recharge, establish healthy boundaries and practice stress management techniques like mindfulness.

Conclusion

So, what can we deduce from the considered and informed thoughts our cybersecurity professionals have shared with us?

There’s no doubt that there is a burnout crisis across many industries, but the data suggests it’s hitting cyber hard. Tackling the issue requires a collaborative effort between employer and employee.

Organisations must prioritise staff wellbeing and create cultures whereby it’s OK not to be OK. Leading by example, mandating time off, setting clear and achievable objectives and advocating for a healthy work-life balance are helpful mechanisms.

Individuals, however, are ultimately responsible for their own mental health and in charge of their own happiness, health and destiny. The buck stops with the employee, and it’s on them to practice stress management, seek professional help if and when needed, and set clear boundaries.

Consensus suggests that a burnt-out sector will be an underperforming sector, and with cyber threats greater than ever, the industry can’t afford to not be on top of its game. A collective effort, a mindful and open approach and a big helping of common sense should pave the way for a resilient workforce and a healthier cybersecurity sector. Here’s to that!

---

Assured Intelligence partnered with isms.online to conduct the interviews for this report. To learn more about ISMS.Online, visit https://www.isms.online/blog/