A relentless pace and lack of autonomy are fueling an underreported psychological crisis
A new report has highlighted the problem of burnout in the cybersecurity industry, concluding that 30% of security team members experience “tremendous” stress at work.
Cybersecurity accreditation non-profit CREST, which produced the report (PDF), says it’s a growing problem in the industry.
“It was an issue that was being raised in a number of CREST’s technical workshops, and it was becoming apparent that it was an increasingly important issue for members and the wider industry,” psychotherapist David Slade, who authored the report, tells The Daily Swig.
“CREST wanted to not just identify that there was a problem and how bad it was, but to recommend some actions to improve the current situation.”
Security staff face a relentless pace at work, he says, and often struggle to integrate with the rest of an organization, with cybersecurity often not seen as a strategic function.
“These factors, when combined, make it very difficult for people to get their fundamental emotional needs met in balance and work optimally,” says Slade.
The CREST mental health report urges employers to create a culture of openness, with the psychological needs of staff built into the decision-making process. Staff should also have more control over their work schedule.
“People at the coalface must have the capacity to make these decisions, and that is done by creating a learning and performance culture, which naturally pushes control down,” says Slade.
“Conversely, a command and control culture pushes control up the hierarchy, where it gets replaced by red tape.”
Infosec burnout and stress are bad for both the individual and the organizations they help protect
The report suggests that more automation can help reduce stress, as can attempting to move from a reactive to a strategic approach. Security functions should be integrated into software development and IT operations teams, it says, so that problems can be solved before they arise.
There are good business reasons for organizations to take burnout among security staff seriously, says Jake Olcott, vice president of government affairs at security ratings firm BitSight.
A former legal advisor to the Senate Commerce Committee and counsel to the House of Representatives Homeland Security Committee, he says that stress and burnout are “perhaps the biggest threats to corporate security”.
“Long hours, alert overload, and a lack of visibility into their business’ IT infrastructure have many security professionals reconsidering their chosen careers. This is contributing to a massive cybersecurity skills shortage that is creating real security threats at companies across the globe,” he tells The Daily Swig.
“Burnout and a compulsion to quit due to stress are serious problems that threaten the entire organization’s security posture, and need to be managed at the leadership level.”
CISOs must play their part by strengthening relationships within an organization, says Rick McElroy, principal security strategist at VMware Carbon Black.
“CISOs need a helping hand from other business leaders and functions. CISOs are known to support every department, but the reality is, it’s not always returned,” he said.
“Look to leaders in finance, marketing, customer service or HR, who often take priority when allocating budgets, for support, not only financially but for sound business advice based on what they’re seeing across the organization.”
CREST says it plans to carry out more research on cybersecurity burnout, and will look at holding workshops and creating self-help videos. It’s also working on a report on gender balance in the industry.