October 26, 2021 By Mike Elgan 3 min read

Cybersecurity demands skill and experience. But it also calls for an engaged, motivated and energetic team. And that’s why tech burnout among staff is not only a mental health problem for the employees, it’s also a cybersecurity vulnerability for their employer.

What Is Burnout, Anyway? 

The word ‘burnout’ was first used by psychologist Herbert Freudenberger in 1974. He defined it as a point of mental and physical exhaustion that results from sustained stress.

We all feel stress at work and in our lives. Sometimes we feel stress daily. But after a stressful day, we can go home, relax, forget about work, get a good night’s sleep and feel renewed. That’s not burnout. The problem with burnout is when the stress is sustained and leaves us exhausted. Burnout makes us less productive because in that exhausted state we’re not functioning at our best.

Since Freudenberger’s time, the scope of what we mean by burnout has expanded. Burnout can create a feeling of hopelessness about work, trouble sleeping, withdrawal, aggression, anxiety and more. Burnout goes beyond exhaustion, too. It can affect your mindset. Feelings of cynicism, despair, contempt for others and feeling ineffectual can dominate your thinking.

Where Does Tech Burnout Come From?

Burnout is not a mental illness. But it is a mental health issue. Some 89% of employees surveyed by Korn Ferry in all fields say burnout is a problem, with 38% saying they, themselves, are feeling burnout.

While tech burnout can be a problem for all tech-related staff, burnout is a special problem for cybersecurity workers.

Beyond being overworked and under-resourced, tech burnout can come from a sense that one’s concerns are being dismissed by leadership. The rejection of resources, such as requested staff or tools, leads to burnout when the burden of lacking those resources falls on the staffers who argued for them.

In other words, that sense of futility, isolation and lack of control is heightened when requests for help are rejected, leaving staff to save the company without the resources they need to do so.

Breaches in security can also trigger burnout. The entire staff works hard to prevent an incident. And when one does occur, a sense of futility and discouragement can arise.

And, of course, burnout leads to errors, both in action and in judgment. Cybersecurity calls on all staff to have full attention and tackle potential threats and problems with great energy and creativity. So, burnout directly impacts the safety of your networks.

Compounding the problem is that burnout encourages top staff to quit. A different survey discovered that around 70% would quit to work at a place with better resources for coping with burnout. When the department is bleeding talent, the resulting understaffing compounds the existing professional shortage and drives even higher rates of burnout among the remaining staff.

Burnout Prevention in the Workplace

While burnout got worse during the pandemic, it will continue to be a challenge in the future. Here are burnout prevention steps you can take to avoid the worst effects among cybersecurity staff:

  • Leadership. Addressing burnout starts at the top. It’s vital for managers, team leaders, department heads and the C-suite to tackle this problem.
  • Simpler tools. The long sought-after ‘single pane of glass’ dashboard to monitor and manage security tools and incidents is an ideal to be pursued. Disparate, overlapping, redundant and diverse tools contribute to mental overload and burnout, as they mean that human brains are doing work that machines should be doing.
  • Smarter tools. In addition to simpler interfaces and more elegant toolsets easing mental burdens, artificial intelligence can offload work as well.
  • Real breaks. One impulse is to tell staff feeling burnout to take an extra day off or take a vacation. And while this might help, some creative suggestions for that vacation might help even more. For example, encourage staff to unplug completely during time off and not look at any work messages.
  • Boundaries. One source of burnout is an erosion of the wall between work and life. Establish a culture where when staff are off, they’re really off, and not half working all the time. Part of this is psychological. It’s important, for example, to wear different clothing at work, to work in a different place (difficult for remote workers, but still needed to prevent remote work burnout) and to use the transition between work and home to mentally reset. Establish the norm of context-setting and compartmentalization. Work is work. Life is life. And the two shouldn’t mix.
  • Professional help. Make sure staff have access to mental health workers, so they can talk through their feelings of burnout and come to terms with it, and also learn coping skills.
  • Training. Staff awareness efforts should offer coping skills as part of cybersecurity training for preventing burnout. This could include total engagement in leisure like movies, concerts and books, as well as meditation, yoga and breathing exercises.

Burnout among cybersecurity experts is a huge problem for staff, and a serious problem for security. It’s time to get ahead of this growing issue and tackle it head-on.
