Cybersecurity stress is an industrywide epidemic among security professionals. Burnout is a hard conversation, but it’s necessary for CISOs to face workplace stress before it compromises productivity, talent retention or individual well-being.
It’s not hard to understand why a security job can be stressful. Virtually all cyber teams are understaffed and overworked, and these resource shortages can make a serious impact. Globally, according to Nominet, one-quarter of security leaders have physical or mental problems that are the direct result of workplace stress, and 17 percent of those surveyed have even turned to alcohol or medication to cope with job pressures.
Stress is a serious risk to your organization’s security posture. CISOs need to understand why cyber teams face so much pressure and create a response plan for a healthier workforce.
Is Cybersecurity One of the Most Stressful Career Paths?
Workplace stress is an expensive global phenomenon across industries and professions. Tension isn’t unique to jobs in security or technology, but it’s difficult to assess just how the risks stack up. Everything is relative, including an individual’s perception of workplace stress.
Still, the average job tenure of a CISO is just 18-24 months — much shorter than the average 8.4-year tenure of CEOs. And data from multiple sources shows that cyber careers stack up unfavorably when compared to the average American worker’s experience. Security professionals in particular are:
Stress costs U.S.-based employers an estimated $300 billion each year, per The American Institute of Stress. The individual impact can include physical and mental health issues or damaged personal relationships. Stressful workplaces are linked to employee turnover, productivity issues and absenteeism — all of which can have a particularly nasty impact on understaffed cyber teams.
9 Reasons for Epidemic Levels of Cybersecurity Stress
Many reasons for epidemic levels of stress in a security career are unsurprising. Infosec teams face serious pressures to perform and limited resources. Other industry insights on cyber stress risks are a bit more surprising. Understanding the root causes of these workplace pressures can help guide more effective employee surveying and response efforts.
1. Resource Shortages
Over half of CISOs surveyed by Nominet believe they have enough resources to address security vulnerabilities, let alone address expanding threat vectors.
Tackling the real impact of resource pressures requires strategic conversations about risk tolerance to maximize budget, technology and talent. Security teams need to direct resources toward protecting their most critical vulnerabilities. This requires the technological capability to dynamically assess, rank and respond to risks in real time.
2. Internal Pressures
Cultural battles directly contribute to security job stress. Thirty-eight percent of cyber pros say they’re frustrated with trying to educate end users to change their behaviors. Additionally, 18 percent of CISOs believe fellow board members are indifferent to security or view it as an inconvenience.
Poor executive support for security is guaranteed to trickle down and result in a struggling security culture and bare-minimum efforts to conduct security awareness training. CISOs are fighting an uphill battle to create change without board support.
3. Overwhelming Workloads
Incredibly, 73 percent of security practitioners surveyed by the Ponemon Institute say an ever-increasing workload is causing burnout. SOC analysts are particularly likely to feel overwhelmed for many reasons, according to the same report. Sixty-five percent of SOC analysts have considered a job change because workload frustrations are compounded by poor visibility or alert fatigue.
Any effort to find solutions to stress should start with the employee’s perspective. People closest to the work are the best resource for understanding barriers to productivity. SOC analyst frustrations about false positives or excessive manual work can be addressed with cognitive solutions to orchestrate and automate the SOC. If you can’t afford to automate the SOC, it’s probably time to rethink resources and consider whether you’re underfunding security ops. Ponemon found that just one-third of security budgets go to the SOC on average.
4. On-Call Requirements
Seventy-one percent of security employees report they’re on call 24/7/365, per Ponemon. It’s a clear recipe for burnout. While security is a 24/7 business, every team needs to create a fair approach to on-call scheduling and compensation. Automation and incident response capabilities can further reduce on-call stresses by reducing false positive alerts and manual investigations.
5. Work Hours
The overwhelming majority of cybersecurity pros (88 percent) admit they work more than 40 hours each week, per Nominet. Workers who pull long hours are less attentive on the job, which can add to security stress and performance risks.
Addressing long work hours isn’t easy, especially if your talent is compensating for security skills shortages. CISOs need to understand how security teams are spending their time and addressing tasks that can be automated or outsourced. Providing more internal opportunities for continuing education and skills training can help ensure that security pros stay close to a 40-hour workweek.
6. Securing Transformation
Securing new IT initiatives stresses 40 percent of cyber pros, according to ESG. Teams have to create security controls at the speed of innovation to address the risks of new cloud or internet of things (IoT) initiatives. In addition, shadow IT is a major struggle — 39 percent of security pros are irritated by unpredictable requirements to secure technology projects which are started without cyber’s knowledge or input.
A culture of secure digital transformation can address this stress source and lower innovation risks and costs. Shared technologies can facilitate better communication and visibility between security and IT organizations.
7. Mental Health Risks
The impact of workplace stress can be particularly debilitating when it’s coupled with mental health issues. There’s a strong relationship between mental health effects and stress, especially when an individual has a pre-existing condition or increased risk factors. NSA research has found that security jobs measurably contribute to fatigue, frustration and other mental health concerns.
Individuals with pre-existing mental health conditions face an increased risk of debilitating workplace stress. Hacker subcultures may be associated with higher-than-average mental health risks, according to Black Hat research. According to naval veteran Joe Slowik, the cybersecurity industry may also have a high occurrence of PTSD, especially among cyber pros who are ex-military.
“Opening a workplace dialogue and teaching coping strategies can go a long way in aiding employees’ mental health, but sometimes people need professional treatment,” Amanda Berlin, security expert and CEO of the nonprofit Mental Health Hackers, told me. “Therapy can be expensive, even with insurance, and it can be hard to find providers. To close this gap, some companies are turning to online services.”
8. Skills Shortages
Workplace stress can spiral if an individual contributor feels poorly equipped with knowledge or skills. While the cyber skills shortage isn’t a simple conversation, CISOs need to measure and respond to internal skill gaps and stress impacts. Internal survey findings could create a strong use case to boost skills with simulation training or form partnerships with third-party vendors.
9. Race, Gender and Background
Minorities, women and individuals without traditional job qualifications are more likely to experience workplace stress, especially if they face bias or discrimination at work. Diversity issues or a non-inclusive culture can heighten individual stress and turnover risks. A cybersecurity stress strategy should involve a look at diversity culture and the experiences of minority and women employees.
Encouraging employees of all backgrounds to find community and practice self-care can create more inclusive experiences, especially when that encouragement comes with organizationwide efforts to address workplace bias. Berlin recommends letting employees choose their own work hours and benefits whenever possible.
For instance, “a monthly stipend can be used for therapy appointments, massages, meditation apps [and] gym memberships,” Berlin advised.
Solving Cybersecurity Career Stress
A security stress strategy should begin with surveying and active listening. CISOs need to understand how security career stress is internally tied to bigger issues of skills shortages, technology or culture. Solutions such as training and automation can decrease individual pressures before these issues spiral into much bigger problems.
While it’s clearly time to take stress seriously, there’s little reason to feel hopeless about the industry’s stress epidemic. 2020 cybersecurity conferences will focus on stress and mental health risks and provide an opportunity for community problem-solving. It’s uplifting that studies show stressed-out security pros are actually pretty satisfied. Seventy-eight percent of cyber pros would recommend their career path to others, according to Exabeam, and 58 percent cite a challenging work environment as their favorite career benefit.
It’s time for CISOs to collaborate with other industry leaders to create new solutions for a healthier, happier workforce.
“Leading by example is an amazing start — showing that discussing mental health and treating employees with the respect and care that they deserve will continue to spread throughout the industry,” said Berlin.