Why burnout is becoming a cybersecurity risk

Defending businesses from potentially crippling attacks is a vital task. So, why are firms allowing their cybersecurity specialists to burn themselves out?

There can be little doubt that, in defending businesses from external attacks, cybersecurity teams play an essential role. It’s quite the responsibility for anyone to take on, and that’s bound to take its toll – both in terms of the resources consumed and the strain it puts on cybersecurity professionals themselves. And as a new survey from the Chartered Institute of Information Security demonstrates, the strain is beginning to show.

Stress, burnout and high employee turnover are issues in many different industries and functions, of course, but if maintaining consistently high levels of cybersecurity is business-critical, it makes little sense for firms to allow those individuals tasked with keeping the defences up to struggle under an unsustainable workload and in difficult working conditions.

So, where do cybersecurity professionals feel they are under pressure? And what extra resources and support might they need to keep working effectively over the long term?

One of the major pain points for cybersecurity professionals is the long hours they often end up working. This partly comes with the territory, of course, but it can hardly be sustainable for 10% of the workforce to be routinely clocking up more than 50 hours per week. That is considerably above the UK average, too.

Unsurprisingly, the long working hours, the constant vigilance (in multiple directions) required by the job and various other workplace factors are contributing to raise cybersecurity professionals’ stress levels.

It is interesting to note, however, that job insecurity is now less of an issue for cybersecurity specialists than it was just a couple of years ago. This perhaps reflects the fact that more and more businesses are learning to appreciate the importance of cybersecurity as a function, even at a time when budgets are being squeezed and the temptation may be to scale back a cost centre such as the cybersecurity team.

When it comes to judging what is the biggest source of issues in the profession, cybersecurity specialists are clear: it’s all about people. And that’s despite the rise of AI potentially increasing the number of threats cyber teams will have to face.

However, analysing what these people issues mean in practice is proving far harder. Do cyber teams simply need more resources, perhaps in the form of extra team members? Or is it more a question of bolstering their skills and hanging on to experienced team members?

All of these issues combined, then – plus the lack of a straightforward solution to the staffing headache – will undoubtedly make it difficult for business leaders to take some of the burden off their cybersecurity teams.

The result, unfortunately, is that cyber specialists rarely stay in a role very long.

The cybersecurity profession’s tenure trouble is not only indicative of the pressure these individuals are often under, but it also raises a difficult question for the business world generally. Are business leaders perhaps undermining their firms’ efforts to bolster their cybersecurity by failing to support the individuals in question?

Get these kinds of people-centric decisions wrong, after all, and you could well find yourself exposed to a whole host of unpleasant cyber threats.