January 12, 2021 By George Platsis

There is one risk cybersecurity experts often overlook: burnout. We can build on threat detection and incident response capabilities and use cybersecurity risk management frameworks, such as NIST CSF, to improve our overall risk posture all we want without ever looking inward. Because burnout is internal, we may not always see it. But left unmanaged, it can be a serious problem for workers.

Walking The Peaks and Valleys of Stress In Cybersecurity Risk Management

The Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) report, The Life and Times of Cybersecurity Professionals 2020, provides insights into the current mood of cybersecurity professionals. Some highlights include:

  • The skills shortage is getting worse.
  • Career guidance is lacking.
  • Many people are competing for the very few leadership positions, which require management and business skills not often possessed by those who focus on technical skills.
  • Job happiness and salary concerns.
  • Career choices leading to personal issues.
  • Threat actors still maintain the upper hand.

In other words, even though your employees surge to meet business demands and become cybersecurity risk management experts for the systems they protect, their baseline for personal stress is pretty high.

Cybersecurity Risk Management: Not Just About Technology

There is a very good case for integrating technological support into your operations. For example, artificial intelligence can assist your staff immensely if implemented correctly. Similarly, a well-configured SIEM and SOAR, together with policies and procedures that balance security-related responsibilities among users across the enterprise, can significantly reduce the time employees spend dealing with alert overload and repetitious menial tasks. These solutions can certainly help during peak times when staff feel overwhelmed.

But in the basket of cybersecurity tips, digital tools are only part of the solution because they are not magic wands. And despite the advancements over the last decade, the ESG/ISSA report states the mood hasn’t changed much. But why?

Cybersecurity Burnout is Real

The World Health Organization and Mayo Clinic have dedicated resources that draw awareness to burnout in the workplace. Within the cybersecurity space, there are some specific issues that could lead to burnout:

  • Workload, most notably if it’s constant, such as in incident response
  • Perceived lack of control and chance to make decisions
  • Reward, or lack thereof
  • Team dynamics
  • Problems with fairness
  • Mismatched values

These are all valid issues. Can we look elsewhere for solutions? Emergency services may be a good place to start.

Addressing Burnout in Emergency Management Sectors

The Federal Emergency Management Agency conducted a research study on firefighter burnout and workplace safety. The findings are revealing and applicable to the cybersecurity field, even though they don’t get talked about as much as other aspects of cybersecurity risk management.

First and foremost, understand the drivers of burnout: exhaustion, distance from co-workers and bitterness toward people and goals being served. These issues have follow-on effects, too, such as poor sleep, feeling zombie-like, avoiding exercise, and in the worst cases, increased use of tobacco, alcohol or even drugs.

In the case of the firefighter burnout study, there were three main findings that could help reduce burnout:

  • Place an emphasis on a safety-conscious transformational style of leadership.
  • Require team leaders to provide rest and healing while fighting fires, and allow for post-event rest.
  • Promote health and wellness goals and a positive safety climate.

Can these findings be applied to cybersecurity staff and reduce the stress endemic in the cybersecurity industry? They can.

Set Your Team Up for Success, Not Cybersecurity Burnout

Make the project as easy as you can. Don’t create bottlenecks, avoid delays, and don’t put your staff in a position where they can become compromised or be left out to dry. Remember, your staff will be focused on the cyber incident, meaning they don’t need to be chasing down tasks outside their job description or outside of their strength areas. This demonstrates you have your staff members’ backs.

Post-event rest is critical. The cyber world has a different type of exhaustion: eyes tire, mental acuity drops and minds can wander. Reviewing alerts, forensic evidence and logs on a screen all day does that. Leadership needs to make rest time essential.

Health and wellness mean different things to different people, too. Be mindful that your preferred method to decompress is not necessarily the same as everybody else’s. Give everyone the latitude to rest in the form they feel is best for them. Don’t impose on them, and respect their boundaries.

Emotional Intelligence Skills for Cybersecurity Risk Management

Cybersecurity leaders, this is your opportunity to up your game by improving your communication and/or emotional intelligence, focusing on:

  • Self-awareness
  • Self-management
  • Social awareness
  • Long-term team management
  • Valuing people as ends in themselves, not seeing people as means of production

Cybersecurity risk management requires handling resources. This industry has a lot going on at all times: staffing, money, tools, cost, time management and people. Follow what your people are doing so you notice when somebody needs to tag out, because there’s always the risk they won’t speak up. And consider flexible work schedules, too. For example, if somebody has been going hard for three weeks, including over the weekend, give them a few days as a break during the week.

Trust your staff. Expertise in this field is hard to come by. They’re part of your team for a reason. So keep in mind, as you are holding them to account and delegating tasks to them, to give them the magic key: authority. Restricting your staff while they are already doing a difficult job will just contribute to the burnout. Letting go of power should not be treated as a zero-sum game if you’re looking to bring out the best in your team.

How Cybersecurity Leadership Can Model Mental Health

Be ready to jump in yourself. I grew up in the restaurant business (an entirely different sort of chaos, not for the faint of heart).

In the basement office, my dad had a sign that said, “work eight hours a day and don’t worry, one day you’ll become the boss and work 24 hours a day and have all the worry.”

Team leaders, be ready to jump in and get your hands dirty. In the restaurant business that meant cooking, serving, washing dishes and mopping floors. In the cybersecurity business, that means getting behind a keyboard, reviewing logs, conducting interviews, reading through forensic evidence and writing reports.

Lastly, one final idea for cybersecurity leaders to help avoid burnout: be the hardest working member of your team by being in the fight with them and showing your passion. It’s more evidence that you have their back when it comes to the mental health side of cybersecurity risk management.
