Cybersecurity demands skill and experience. But it also calls for an engaged, motivated and energetic team. And that’s why tech burnout among staff is not only a mental health problem for the employees, it’s also a cybersecurity vulnerability for their employer.

What Is Burnout, Anyway? 

The word ‘burnout’ was first used by psychologist Herbert Freudenberger in 1974. He defined it as a point of mental and physical exhaustion that results from sustained stress.

We all feel stress at work and in our lives. Sometimes we feel stress daily. But after a stressful day, we can go home, relax, forget about work, get a good night’s sleep and feel renewed. That’s not burnout. Burnout is what happens when the stress is sustained and leaves us exhausted. It makes us less productive because in that exhausted state we’re not functioning at our best.

Since Freudenberger’s time, the scope of what we mean by burnout has expanded. Burnout can create a feeling of hopelessness about work, trouble sleeping, withdrawal, aggression, anxiety and more. Burnout goes beyond exhaustion, too. It can affect your mindset. Feelings of cynicism, despair, contempt for others and feeling ineffectual can dominate your thinking.

Where Does Tech Burnout Come From?

Burnout is not a mental illness. But it is a mental health issue. Some 89% of employees surveyed by Korn Ferry in all fields say burnout is a problem, with 38% saying they, themselves, are feeling burnout.

While tech burnout can be a problem for all tech-related staff, burnout is a special problem for cybersecurity workers.

Beyond being overworked and under-resourced, tech burnout can come from a sense that one’s concerns are being dismissed by leadership. The rejection of resources, such as requested staff or tools, leads to burnout when the burden of lacking those resources is felt by the staffers who argued for them.

In other words, that sense of futility, isolation and lack of control is heightened when requests for help are rejected, leaving staff to save the company without the resources they need to do so.

Breaches in security can also trigger burnout. The entire staff works hard to prevent an incident. And when one does occur, a sense of futility and discouragement can arise.

And, of course, burnout leads to errors, both in action and in judgment. Cybersecurity calls on all staff to have full attention and tackle potential threats and problems with great energy and creativity. So, burnout directly impacts the safety of your networks.

Compounding the problem is that burnout encourages top staff to quit. A different survey discovered that around 70% would quit to work at a place with better resources for coping with burnout. When the department is bleeding talent, the resulting understaffing compounds the existing professional shortage and drives even higher rates of burnout among the remaining staff.

Burnout Prevention in the Workplace

While burnout got worse during the pandemic, it will continue to be a challenge in the future. Here are burnout prevention steps you can take to avoid the worst effects among cybersecurity staff:

  • Leadership. Addressing burnout starts at the top. It’s vital for managers, team leaders, department heads and the C-suite to tackle this problem.
  • Simpler tools. The long sought-after ‘single pane of glass’ dashboard to monitor and manage security tools and incidents is an ideal to be pursued. Disparate, overlapping, redundant and diverse tools contribute to mental overload and burnout, as they mean that human brains are doing work that machines should be doing.
  • Smarter tools. In addition to simpler interfaces and more elegant toolsets easing mental burdens, artificial intelligence can offload work as well.
  • Real breaks. One impulse is to tell staff feeling burnout to take an extra day off or take a vacation. And while this might help, some creative suggestions for that vacation might help even more. For example, encourage staff to unplug completely during time off and not look at any work messages.
  • Boundaries. One source of burnout is an erosion of the wall between work and life. Establish a culture where when staff are off, they’re really off, and not half working all the time. Part of this is psychological. It’s important, for example, to wear different clothing at work, to work in a different place (difficult for remote workers, but still needed to prevent remote work burnout) and to use the transition between work and home to mentally reset. Establish the norm of context-setting and compartmentalization. Work is work. Life is life. And the two shouldn’t mix.
  • Professional help. Make sure staff have access to mental health workers, so they can talk through their feelings of burnout and come to terms with it, and also learn coping skills.
  • Training. Staff awareness efforts should offer coping skills as part of cybersecurity training for preventing burnout. This could include total engagement in leisure like movies, concerts and books, as well as meditation, yoga and breathing exercises.

Burnout among cybersecurity experts is a huge problem for staff, and a serious problem for security. It’s time to get ahead of this growing issue and tackle it head-on.
