Insight

Cybersecurity frontliners are feeling the burn…

Published

Written by

Read time

Written by Tom Montague.

Burnout is arguably the most pervasive workplace health challenge faced by employers since the arrival of PCs in the office in the 1980s, which sent RSI (repetitive strain injury) cases soaring.

It’s certainly one of the most widely documented occupational health hazards of the post-pandemic era. Study after study has warned of how many overstretched employees are working in a state of personal and professional dysfunction due to the relentless pressure of their job role.

Burnout causes multiple problems, but for a business’s cybersecurity operations, its consequences present specific concerns. It’s liable to introduce potentially new risk types that can harm business operations and corporate integrity.

And burnout has gone global. According to a 2024 survey by Sophos, 30 per cent of respondent businesses in Asia Pacific and Japan polled, reported that feelings of burnout had increased ‘significantly’ and 41 per cent of cybersecurity professionals polled say that it makes them ‘less diligent’ in their jobs.

On average, 17% per cent of businesses polled by Sophos identified that cybersecurity burnout contributed to, or was directly responsible for, a cybersecurity breach. Burnout also slackens response to cybersecurity incidents: 17 per cent of companies experienced slower than average response-to-incident times. These figures likely reflect experiences of enterprises elsewhere in the world.

This predicament is compounded by the fact that, across vertical sectors and industries, the most obvious way to prevent burnout – increased skills resourcing – is simply not an option, and unlikely to become one anytime soon.

Feeling the burn

Once cast as a condition associated with rarefied high-status/high-pressure jobs, burnout has become a mainstream workplace health issue, with somewhere around 40-60 per cent (figures vary either way) of today’s employees experiencing varying degrees of burnout at a given time.

Often conflated with other work-related mental health disorders, burnout was only recognised by the World Health Organisation in 2019. It defines burnout as “a syndrome conceptualised as resulting from chronic workplace stress that has not been successfully managed.”

Burnout is characterised by three main symptoms: feelings of energy depletion or exhaustion; increased mental distance from, or feelings of negativism or cynicism related to, a person’s job role and responsibilities; and reduced professional efficacy. 

People working in technology are particularly vulnerable. As a subdiscipline of that sector, the cybersecurity profession seems to be the sector most exposed to the burnout phenomenon.

Burnout is sparked by several factors but has its source in the increased workload caused by heightened cyber-threat activity, and the expanding scope of cybersecurity teams’ responsibilities.

A decade ago, cybersecurity teams’ roles were more rigidly defined. Their primary concerns were protecting the perimeter of their business’ information and communications systems, and in deploying and managing security solutions designed to detect and stop viruses and malware, denial-of-service, and hack attacks.
In 2024, the remit of cybersecurity practice seems to be  open-ended. The nature of threats has escalated and diversified. On top of the routine perils of viruses and malware, sophisticated attack forms, such as phishing and ransomware, pose existential risks to businesses, from loss of customer data to filched intellectual property.
For businesses of all sizes, the defensive ‘perimeter’ that cybersecurity teams must manage, now extends way beyond the physical premises. With so-called hybrid working, employees are located away from central and branch offices. This shift has been an ongoing pain-point for cybersecurity engineers tasked with reconfiguring systems to ensure remote workers are secure.

On a larger scale, security has to encompass ‘Internet of Things’ devices, and extends into safeguarding industrial control systems in factories, refineries, and utilities infrastructure. On top of this, IT security chiefs must take care of growing governance requirements, as new security regulations must be complied with. That’s all before you get to the question of Artificial Intelligence in cybersecurity.

So much owed to so few

While the scope of cybersecurity operations is increasing, the sum skills available to support them is not. For years now, there has been large numbers of unrecruited cybersecurity positions, leaving the available workforce to fill in and work around as best they can.

ISC2 estimates that in 2023 there were approximately four million cybersecurity professionals needed worldwide. The sector needs to almost double to be at full capacity, ISC2 adds. Clearly, without adequate cybersecurity personnel, businesses are at increased risk of a security breach. 

Recovery time

Burnout among cybersecurity teams is now a critical issue impacting businesses and employees on multiple levels. How can chronically frazzled cybersecurity professionals be supported? There is plenty of valuable guidance available from interested parties, ranging from self-help regimes to employer guidance frameworks.

To a key extent, their effectiveness comes down to how much cyber professionals are willing to engage with them. Security practitioners have a ‘can do’ professional commitment to their jobs that causes them to keep working when they need a rest. Like other frontline incident responders, cybersecurity teams are often driven by a compelling duty to protect users and assets.

With AI-powered cyber threats thought to be growing (cybersecurity vendors have no sure way of telling the extent to which an attack is ‘AI powered’), the burning question for counteracting burnout is: Can AI and associated technology be deployed to help? Can AI and automation ‘fill in’ for cybersecurity skills shortages until the availability situation eases?

Advanced technology has a promising role to play through improved automation and use of AI technology to alleviate many of the causes of burnout, such as repetitive processes. The snag here is that AI systems have to learn before they can function to their full effectiveness – and that takes time.

CAPTCHA
8 + 3 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
0330 008 1334