January 12, 2021 By George Platsis

There is one risk cybersecurity experts often overlook: burnout. We can build on threat detection and incident response capabilities and use cybersecurity risk management frameworks, such as NIST CSF, to improve our overall risk posture all we want without ever looking inward. Because burnout is internal, we may not always see it. But left unmanaged, it can be a serious problem for workers.

Walking The Peaks and Valleys of Stress In Cybersecurity Risk Management

The Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) report, The Life and Times of Cybersecurity Professionals 2020, provides insights into the current mood of cybersecurity professionals. Some highlights include:

  • The skills shortage is getting worse.
  • Career guidance is lacking.
  • Many people are competing for the very few leadership positions, which require management and business skills not often possessed by those who focus on technical skills.
  • Job happiness and salary concerns.
  • Career choices leading to personal issues.
  • Threat actors still maintain the upper hand.

In other words, even though your employees surge to meet business demands and become cybersecurity risk management experts for the systems they protect, their baseline for personal stress is pretty high.

Cybersecurity Risk Management: Not Just About Technology

There is a very good case for integrating technological support into your operations. For example, artificial intelligence can assist your staff immensely if implemented correctly. Similarly, a well-configured SIEM and SOAR, together with policies and procedures that balance security-related responsibilities among users across the enterprise, can significantly reduce the time employees spend dealing with alert overload and repetitive menial tasks. These solutions can certainly help during peak times when staff feel overwhelmed.

But in the basket of cybersecurity tips, digital tools are only part of the solution because they are not magic wands. And despite the advancements over the last decade, the ESG/ISSA report states the mood hasn’t changed much. But why?

Cybersecurity Burnout is Real

The World Health Organization and Mayo Clinic have dedicated resources that draw awareness to burnout in the workplace. Within the cybersecurity space, there are some specific issues that could lead to burnout:

  • Workload, most notably if it’s constant, such as in incident response
  • Perceived lack of control and chance to make decisions
  • Reward, or lack thereof
  • Team dynamics
  • Problems with fairness
  • Mismatched values

These are all valid issues. Can we look elsewhere for solutions? Emergency services may be a good place to start.

Addressing Burnout in Emergency Management Sectors

The Federal Emergency Management Agency conducted a research study on firefighter burnout and workplace safety. The findings are revealing and applicable to the cybersecurity field, even though they don’t get talked about as much as other aspects of cybersecurity risk management.

First and foremost, understand the drivers of burnout: exhaustion, distance from co-workers and bitterness toward people and goals being served. These issues have follow-on effects, too, such as poor sleep, feeling zombie-like, avoiding exercise, and in the worst cases, increased use of tobacco, alcohol or even drugs.

In the case of the firefighter burnout study, there were three main findings that could help reduce burnout:

  • Place an emphasis on a safety-conscious transformational style of leadership.
  • Require team leaders to provide rest and healing while fighting fires, and allow for post-event rest.
  • Promote health and wellness goals and a positive safety climate.

Can these findings be applied to cybersecurity staff and reduce the stress endemic in the cybersecurity industry? They can.

Set Your Team Up for Success, Not Cybersecurity Burnout

Make the project as easy as you can. Don’t create bottlenecks, avoid delays, and don’t put your staff in a position where they can be compromised or hung out to dry. Remember, your staff will be focused on the cyber incident, meaning they don’t need to be chasing down tasks outside their job description or outside their areas of strength. This demonstrates you have your staff members’ backs.

Post-event rest is critical. The cyber world has a different type of exhaustion: eyes tire, mental acuity drops and minds can wander. Reviewing alerts, forensic evidence and logs on a screen all day does that. Leadership needs to make rest time essential.

Health and wellness mean different things to different people, too. Be mindful that your preferred method to decompress is not necessarily the same as everybody else’s. Give everyone the latitude to rest in the form they feel is best for them. Don’t impose on them, and respect their boundaries.

Emotional Intelligence Skills for Cybersecurity Risk Management

Cybersecurity leaders, this is your opportunity to up your game through communication and/or emotional intelligence improvement by focusing on:

  • Self-awareness
  • Self-management
  • Social awareness
  • Long-term team management
  • Valuing people as ends in themselves, not seeing people as means of production

Cybersecurity risk management requires handling resources. This industry has a lot going on at all times: staffing, money, tools, cost, time management and people. Follow what your people are doing so you notice when somebody needs to tag out, because there’s always the risk they won’t speak up. And consider flexible work schedules, too. For example, if somebody has been going hard for three weeks, including over the weekend, give them a few days as a break during the week.

Trust your staff. Expertise in this field is hard to come by. They’re part of your team for a reason. So keep in mind, as you are holding them to account and delegating tasks to them, to give them the magic key: authority. Restricting your staff while they are already doing a difficult job will just contribute to the burnout. Letting go of power should not be treated as a zero-sum game if you’re looking to bring out the best in your team.

How Cybersecurity Leadership Can Model Mental Health

Be ready to jump in yourself. I grew up in the restaurant business (an entirely different sort of chaos, not for the faint of heart).

In the basement office, my dad has a sign that said, “work eight hours a day and don’t worry, one day you’ll become the boss and work 24 hours a day and have all the worry.”

Team leaders, be ready to jump in and get your hands dirty. In the restaurant business that meant cooking, serving, washing dishes and mopping floors. In the cybersecurity business, that means getting behind a keyboard, reviewing logs, conducting interviews, reading through forensic evidence and writing reports.

Lastly, one final idea for cybersecurity leaders to help avoid burnout: be the hardest working member of your team by being in the fight with them and showing your passion. It’s more evidence that you have their back when it comes to the mental health side of cybersecurity risk management.
