Email Security

    How to Combat Cybersecurity Burnout — and Keep Your Company Secure
     

    Threats of attacks, staff shortages, and distracted employees are contributing to burnout among cybersecurity pros. Learn how to better support them.
     

    by Thom Bailey
    29BLOG_1.jpg

    Key Points

    • About 84% of cybersecurity professionals are experiencing burnout, and it’s impeding their motivation.
    • Three factors are contributing to this burnout: more threats, a talent shortage, and other employees’ mistakes that result from their own burnout.
    • Companies can combat cybersecurity burnout by promoting work-life balance and better use of technical tools.

     

    Americans have been quitting their jobs at a rate of about 4 million per month since May 2021.[1] Globally, about 20% of workers said they plan to quit their jobs in 2022.[2] While salary has been the primary motivation for the so-called Great Resignation, burnout — caused by a lack of on-the-job support and inadequate work-life balance — is not far behind.[3],[4]

    This trend is hitting the cybersecurity industry especially hard. As many as 84% of cybersecurity professionals in North America said they are experiencing burnout, which is having a negative impact on their motivation to get their jobs done.[5]

    Three intersecting factors contribute to burnout among cybersecurity professionals. 

    More threats. According to Mimecast’s State of Email Security 2022(SOES) report, 72% of companies have seen a significant increase in the volume of email threats in the past year. Thirty-eight percent also said they have seen a significant increase in ransomware attacks, compared to 19% in 2018. Additional research has shown that the number of overall cyberattacks increased 50% from 2020 to 2021, due largely to the emergence of the Log4j vulnerability last December.[6] Suffice to say, all of this, and more, makes it hard for cybersecurity staff to stop working. In fact, 87% said their employers expect them to work extra hours. Those in leadership roles work an average of 10 extra hours per week – and yet corporate executives still said security teams could be delivering more value for the budgets they receive.[7]

    Smaller staffs. The Great Resignation has contributed to a cybersecurity skills shortage. More than 60% of companies report having unfilled cybersecurity positions and understaffed teams.[8] This makes it difficult for cybersecurity teams to complete critical tasks, such as system configurations, risk assessments, and software patches, because they are busy responding to an ever-increasing number of incident reports. One in three companies said insufficient security staff is one of their biggest email security challenges, the Mimecast SOES report noted.

    Burnout among other employees. Companies face significant security risks due to a range of employee mistakes, such as clicking on phishing links, sharing data in insecure ways, or using weak passwords, according to the Mimecast report. Naturally, the likelihood of such mistakes increases when employees are stressed out or tired. Attackers are taking advantage of these feelings of burnout. For example, they are making their spear phishing campaigns more sophisticated and sending them in the afternoon, when employees are most likely to be distracted.[9]

    Human and Technical Support 

    To effectively respond to cybersecurity burnout, companies need to examine their culture and determine how to better support their cybersecurity professionals. Such support comes in two forms:

    Human support: It’s often difficult for cybersecurity professionals to separate themselves from the job, noted Shamla Naidoo, CSO and head of cloud strategy at Netskope, in a published article.[10] Sometimes they’re thinking about the many threats their companies face, and sometimes they’re thinking about how to stop those threats. Unfortunately, this doesn’t leave a lot of room for self-care, which can all too easily contribute to stress and burnout in the cybersecurity department.

    At the leadership level, executives and managers need to promote a work environment where employees feel supported. This support can come in many forms: wellness programs that encourage self-care, project management strategies that de-emphasize working at a breakneck pace, or flexible policies for taking time off. 

    Of course, monetary support also helps. According to the Information Systems Security Association (ISSA), low pay is the biggest factor contributing to the cybersecurity staffing shortage and is the main reason that information security executives leave their roles. Money is also a factor for the 48% of cybersecurity employees who are unable to complete 40 hours of professional training each year due to the expense[11] (training opportunities such as CISSP and CISA boot camps can come with a price tag of $3,000 or more). Companies that increase compensation and offer stipends and paid time off for training can show cybersecurity professionals that they’re invested in their future.

    Technical support: Today’s cybersecurity teams can receive thousands of alerts each day. This poses three core problems: 

    The sheer number of potential incidents being detected, coupled with the high number of false positives, can contribute to alert fatigue. No one wants to ignore an alert that turns out to be significant, but paying attention to every alert can be all-consuming.

    Alerts from different security tools are likely to contradict each other because they report incidents in their own ways. For example, a product monitoring an endpoint may say something different about an incident than a product monitoring a network.

    The average company uses 29 different security monitoring tools, with enterprises using nearly four dozen — and in most cases, these tools aren’t integrated. This means cybersecurity staff must move from one application to another to cross-reference the validity of incidents and severity of threats.[12]

    All told, cybersecurity teams face a lot of manual reporting, monitoring, and detection work, all tedious tasks that contribute to burnout. It also prevents them from focusing on higher-level work, such as creating more advanced detection and alert rules to reduce false positives in the first place. 

    Automation technology can play a valuable role. Artificial intelligence (AI) and machine learning (ML) are able to detect and act on threats far more quickly than human security analysts, alleviating their stress of needing to review every alert. This is especially valuable for email-based attacks that may be triggered automatically when, for example, an employee clicks on a link or downloads a file. Such tools have the added benefit of reducing the number of successful attacks that result from employees’ honest mistakes.

    Coupling integration with automation takes protection one step further and puts previously disparate threat monitoring systems in one place. Not only will cybersecurity professionals have a single view of incident reports, but it allows the security solution to automatically access incidents and provide alerts when they are only truly necessary.

    The Bottom Line

    Burnout among cybersecurity professionals is a serious problem that extends far beyond the IT and security business units. After all, when the team that’s tasked with keeping a company safe from cyberattacks isn’t operating at the top of its game, the entire organization is vulnerable. One important step in combating cybersecurity burnout is changing corporate culture to encourage self-care and time off. Another is investing in integrated best-of-breed cybersecurity solutions, such as the Mimecast-Netskope-CrowdStrike Triple Play. This combined approach leverages AI to automate repetitive tasks and allows cybersecurity professionals to better apply their expertise.


     

    [1]The Great Resignation has changed the workplace for good. ‘We’re not going back,’ says the expert who coined the term,” CNBC

    [2]What 52,000 people think about work today,” PwC

    [3]SHRM Research Highlights Lasting Impact of the ‘Great Resignation’ on Workers Who Choose to Stay,” Society for Human Resource Management

    [4]From the Great Resignation to the Great Reskilling: Insight on What’s Next for the “Great Resigners,” Cengage Group

    [5]State of Access Report 2021,” 1Password

    [6]Cybersecurity: Last year was a record year for attacks, and Log4j made it worse,” ZDNet

    [7]Nominet CISO Stress Report: businesses get £23k ($30k) ‘free’ CISO time while impact of stress on mental health doubles in 2020,” Nominet

    [8]State of Cybersecurity 2022,” ISACA

    [9]Cybersecurity burnout is real. And it's going to be a problem for all of us,” ZDNet

    [10]Leadership and recruitment changes needed to address burnout in cybersecurity,” Help Net Security

    [11]The Life and Times of Cybersecurity Professionals 2021,” Information Systems Security Association

    [12]Cybersecurity tool sprawl leading to burnout, false positives: report,” Cybersecurity Dive

     

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top