January 12, 2021 By George Platsis 4 min read

There is one risk cybersecurity experts often overlook: burnout. We can build on threat detection and incident response capabilities and use cybersecurity risk management frameworks, such as NIST CSF, to improve our overall risk posture all we want without ever looking inward. Because burnout is internal, we may not always see it. But left unmanaged, it can be a serious problem for workers.

Walking The Peaks and Valleys of Stress In Cybersecurity Risk Management

The Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) report, The Life and Times of Cybersecurity Professionals 2020, provides insights into the current mood of cybersecurity professionals. Some highlights include:

  • The skills shortage is getting worse.
  • Career guidance is lacking.
  • Many people are competing for the very few leadership positions, which require management and business skills not often possessed by those who focus on technical skills.
  • Job happiness and salary concerns.
  • Career choices leading to personal issues.
  • Threat actors still maintain the upper hand.

In other words, even though your employees surge to meet business demands and become cybersecurity risk management experts for the systems they protect, their baseline for personal stress is pretty high.

Cybersecurity Risk Management: Not Just About Technology

There is a very good case for integrating technological support into your operations. For example, artificial intelligence can assist your staff immensely if implemented correctly. Similarly, a well configured SIEM and SOAR and policies and procedures that balance out security-related responsibilities between users across the enterprises can significantly reduce the time employees need to address alert overload and repetitious menial tasks. These solutions can certainly help during peak times when staff feels as though they are being overwhelmed.

But in the basket of cybersecurity tips, digital tools are only part of the solution because they are not magic wands. And despite the advancements over the last decade, the ESG/ISSA report states the mood hasn’t changed much. But, why?

Cybersecurity Burnout is Real

The World Health Organization and Mayo Clinic have dedicated resources that draw awareness to burnout in the workplace. Within the cybersecurity space, there are some specific issues that could lead to burnout:

  • Workload, most notably if it’s constant, such as in incident response
  • Perceived lack of control and chance to make decisions
  • Reward, or lack thereof
  • Team dynamics
  • Problems with fairness
  • Mismatched values

These are all valid issues. Can we look elsewhere for solutions? Emergency services may be a good place to start.

Addressing Burnout in Emergency Management Sectors

The Federal Emergency Management Agency conducted a research study on firefighter burnout and workplace safety. The findings are revealing and applicable to the cybersecurity field, even though they don’t get talked about as much as other aspects of cybersecurity risk management.

First and foremost, understand the drivers of burnout: exhaustion, distance from co-workers and bitterness toward people and goals being served. These issues have follow-on effects, too, such as poor sleep, feeling zombie-like, avoiding exercise, and in the worst cases, increased use of tobacco, alcohol or even drugs.

In the case of the firefighter burnout study, there were three main findings that could help reduce burnout:

  • Place an emphasis on a safety-conscious transformational style of leadership.
  • Require team leaders to provide rest and healing while fighting fires, and allow for post-event rest.
  • Promote health and wellness goals and a positive safety climate.

Can these findings be applied to cybersecurity staff and reduce the stress endemic in the cybersecurity industry? They can.

Set Your Team Up for Success, Not Cybersecurity Burnout

Make the project as easy as you can. Don’t create bottlenecks, avoid delays, and don’t put your staff in a position where they can become compromised or left out to dry. Remember, your staff will be focused on the cyber incident, meaning they don’t need to be chasing down tasks outside their job description or outside of their strength areas. This demonstrates you have your staff members’ backs.

Post-event rest is critical. The cyber world has a different type of exhaustion: eyes tire, mental acuity drops and minds can wander. Reviewing alerts, forensic evidence and logs on a screen all day does that. Leadership needs to make rest time essential.

Health and wellness mean different things to different people, too. Be mindful that your preferred method to decompress is not necessarily the same as everybody else’s. Give everyone the latitude to rest in the form they feel is best for them. Don’t impose on them, and respect their boundaries.

Emotional Intelligence Skills for Cybersecurity Risk Management

Cybersecurity leaders, this is your opportunity to up your game through communication and/or emotional intelligence improvement by focusing on:

  • Self awareness
  • Self management
  • Social awareness
  • Long-term team management
  • Valuing people as ends in themselves, not seeing people as means of production

Cybersecurity risk management requires handling resources. This industry has a lot going on at all times: staffing, money, tools, cost, time management and people. Be mindful if somebody needs to tag out by following what they are doing, because there’s always the risk they won’t speak up. And consider flexible work schedules, too. For example, if somebody has been going hard for three weeks, including over the weekend, give them a few days as a break during the week.

Trust your staff. Expertise in this field is hard to come by. They’re part of your team for a reason. So keep in mind, as you are holding them to account and delegating tasks to them, to give them the magic key: authority. Restricting your staff while they are already doing a difficult job will just contribute to the burnout. Letting go of power should not be treated as a zero-sum game if you’re looking to bring out the best in your team.

How Cybersecurity Leadership Can Model Mental Health

Be ready to jump in yourself. I grew up in the restaurant business (an entirely different sort of chaos, not for the faint of heart).

In the basement office, my dad has a sign that said, “work eight hours a day and don’t worry, one day you’ll become the boss and work 24 hours a day and have all the worry.”

Team leaders, be ready to jump in and get your hands dirty. In the restaurant business that meant cooking, serving, washing dishes and mopping floors. In the cybersecurity business, that means getting behind a keyboard, reviewing logs, conducting interviews, reading through forensic evidence and writing reports.

Lastly, one final idea for cybersecurity leaders to help avoid burnout: be the hardest working member of your team by being in the fight with them and showing your passion. It’s more evidence that you have their back when it comes to the mental health side of cybersecurity risk management.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today