Stress, burn-out and indifference: the faces of cybersecurity
Cybersecurity is notorious for being, to put it mildly, a demanding profession.
With all the attacks, breaches, policy changes and growing dependency on digital processes, the work can be frustrating even at the best of times. The growing expectations on perpetually under-resourced cyber teams to be on top of everything at all times only add to the burnout problem we’re seeing across IT professionals of all stripes.
A lot of the blame can be traced back to a lack of understanding and awareness among non-technical folks about what cybersecurity people actually do in their day-to-day. For those outside of cyber circles, it’s worth diving a little deeper into why the faces of your company’s cyber team always seem to be scrunched up in a strange mix of worry, annoyance and quietly-seething anger.
1. Dealing with an intense and unrelenting workload
It seems like the to-do list of cyber professionals just keeps on getting longer and longer. Zero tolerance for any security failures and constant under-resourcing means they’re usually burning the candle at both ends. Like high-tech doctors in a digital ER, they are pressured to be on call day and night and always be accessible. But they’re not just dealing with external threats, they also have to handle their organisation’s internal IT issues: everything from user identification to managing employee access to apps falls on their shoulders.
Since every company is going digital, the demand for cyber professionals is growing rapidly but the talent pool is still comparatively small. That makes it difficult to find and retain appropriate talent. There are still options, however: technology integration, process automation and managed services can all help manage manpower requirements. But shrinking budgets and lack of buy-in by senior leaders often halt progress on these fronts, leaving the cyber team to pick up the slack. Cue late nights, weekend work and irritable employees.
One way to deal with this issue is to set clear and realistic expectations at the outset. This is a two-way street, as both CISOs and the C-suite need to sit together to decide what’s feasible and the specific remit of the cyber team. Priorities need to be aligned, and accountabilities and resources assigned accordingly.
2. Navigating ill-planned IT projects
One of the most stressful aspects of a cybersecurity career is keeping up with the security needs of new, often unexpected, IT initiatives. The cyber team gets swamped with moving key systems to the cloud, deploying IoT devices, or implementing new mobile apps. Unfortunately, these are highly specialised technologies which the team is typically not trained for, and they end up spending valuable time playing catch-up on the security risks involved. Keeping legacy technology running is another nightmare. Having to deal with IT projects that were started by other teams with no prior security planning is a big source of stress.
The best way to manage this situation is for the C-suite to involve the CISO in the early discussion stages of any new IT initiative. The CISO or CIO will be able to guide the scope and practical aspects of the project and save the company a lot of time, money and frustration by helping develop an action plan beforehand. For ongoing IT projects, consulting the CISO can help the C-suite find a way to accomplish the project’s goals more efficiently.
3. Getting human error under control
This is a big one. Trying to get end-users to understand cybersecurity risks and getting them to change their behaviour is a major source of frustration for IT pros. Even though many large companies do have awareness training programmes in place, most employees see them as a check-box exercise and tend not to take them seriously. Which is a shame, given how human error is involved in more than 90% of security breaches.
4. Getting stakeholders on board
A lot of the struggles we talked about circle back to a lack of support from the traditional C-suite. Many cyber workers struggle with an unsupportive company culture where old-school leaders still view cybersecurity as an inconvenience and aren’t interested in getting a better understanding of cyber risk. Even with so many organisations undergoing digital transformation, this dismissive attitude towards cyber resilience is widely prevalent and dangerously irresponsible. Attackers and bad actors are upskilling every day; having poor defences is just asking for trouble.
Earlier this year at Mimecast Connect 2020, we talked about the ransomware attack on DLA Piper LLP, one of the largest law firms in the world. The attack infected hundreds of thousands of computers across the firm’s global platform, costing them 15,000 hours in IT overtime, according to DLA Piper’s Melbourne-based regional IT manager Dylan James.
When attacks or breaches do happen, guess who’s held responsible? The same cyber team who had been raising alarm bells since day one. It’s no wonder the turnover rate for the industry is so high.
For companies like this, CISOs need to build a strong business case for cyber resilience. They’ll need to demonstrate the risk in business terms and the costs of failing to take appropriate cybersecurity measures. That also means speaking with non-technical leaders in their language, and helping them understand the danger to the company’s bottom line.
The silver lining
Though there are very real challenges around working in the cybersecurity sector, cyber professionals by and large are quite satisfied with their profession. The work tends to attract curious, tech-savvy workers who are excited by the pace and constant new challenges the industry provides. To get the best cybersecurity outcomes, companies need to support cyber-policies at every level and make cybersecurity an integral part of their culture.
As for cyber professionals, taking care of your health and well-being is essential. Trying to keep some semblance of a work-life balance, looking after your mental well-being and advocating for change within your organisation are key. Together we have the opportunity to shape the future of the industry, so let’s set the benchmark for how cyber work can and should be done.