Cyberattacks seldom happen when it’s convenient. In fact, it’s relatively common for them to occur on weekends or holidays — threat actors capitalize on the fact that there is fewer staff on site, and those who are there are focused on the coming weekend or time off.

It’s also not uncommon for attacks of this nature to involve critical systems — systems that help EMT professionals route patients to life-saving medical care or those that ensure food supplies continue to flow to grocery stores. Cyberattacks are no longer relegated to data accessibility — they frequently cross the line into real-world effects felt by everyday people.

It’s a familiar story for incident responders: It’s Friday afternoon, and a client calls to report they’re experiencing a serious incident. Sometimes it involves multiple systems and threatens to take their business completely offline. They need immediate assistance — and every second counts.

The first 72 hours of an incident are critical and can be incredibly demanding. Responders often work nonstop to locate the initial attack vector, contain the threat, assess the damage, and, ultimately, reduce the overall impact of the incident. Adding to that, this is likely not the only incident a responder is working — it’s common for incident response (IR) teams to have to focus on two or even three incidents simultaneously.

Incident responders are tasked with defending constantly expanding environments from evolving and increasingly aggressive threats. A new study from IBM Security conducted by Morning Consult surveyed more than 1,100 cybersecurity incident responders across 10 countries and found that 67% experience stress or anxiety daily due to the pressures of responding to a cyber incident.

Responders are unique individuals. They do what they do because they’re driven by a sense of duty to the organizations they defend and the people they protect. In fact, nearly 80% of incident responders reference this sense of duty among the top reasons that attract them to the profession.

Read on to unpack more of the top takeaways from the study.

Explore the Study

Most stressful factors facing incident responders today

According to 50% of survey respondents, managing expectations from multiple stakeholders is the most demanding aspect of the job. At any given time during an incident, responders are fielding multiple, concurrent requests from the client’s C-suite and board of directors, as well as their own management and colleagues.

Underpinning that is the responder’s sense of responsibility to their client and team to mitigate the incident. It’s our innate drive to do good in the world and our commitment to help people that drives the work we do, and these statistics reflect that.

What’s more immediately tangible is the skillful time management and energy incident responders put into their work. The study backed this up, finding that:

Real-world mental health implications

If you add these factors up, it’s clear that incident response can take a toll on mental health. It’s not uncommon for teams to experience insomnia, burnout and even impacts on their social life.

Adding to that anxiety is the evolving sophistication of damaging cyberattacks. Ransomware is called out by name in the study, with 81% of the responders experiencing heightened pressure as a result of increased ransomware attacks in the last year.

Thankfully though, support systems are in place for many of these hardworking teams – 84% say they have adequate access to mental health resources, and a notable 95% feel their senior leadership provides the necessary support structure to be successful.

A sense of duty drives them

Through it all, responders are still willing to do what they do because of their exemplary sense of duty. About 36% listed the sense of duty to help and protect others as the number one reason that attracted them to the job, and this was the top reason attracting them to the field across all 10 countries surveyed.

Another reason responders do what they do is they’re driven by the need to solve urgent problems, as well as the fact that they learn every time they perform an incident, only sharpening their skillset.

An incident responder’s DNA is rooted in compassion, creativity, and adrenaline, and a thirst for knowledge and growth shapes their psyche – in turn, inspiring their craft.

How to better support incident responders

I want to be clear – IR, while challenging at times, is not all grim. From my personal experience and the experiences of those studied, the fulfillment, excitement, and career growth potential outweigh the negative. And there are practical steps organizations can take to mitigate some of those negatives and help themselves in the process.

First, build IR plans and playbooks from the perspective of the responder. Bring responders in at the very beginning of the playbook process — and when regularly reviewing and updating these plans. Explicitly ask an IR professional what they need in the first day or first 72 hours because these are critical timeframes for responding to an incident successfully. Involving IR professionals from the very beginning of restructuring your plan can keep a bad situation from becoming a worst-case scenario.

Next, practice these plans. Don’t just check a box with the annual tabletop exercise. Really commit to running through the drills and rehearsing the incidents in a way that is immersive, realistic, and relevant to your specific line of business. A good mindset for rehearsing your plans is thinking of it like a professional athletic team thinks about their training. A team doesn’t just walk onto the field unpracticed. Hours upon hours of planning and practice go into every game so all teammates put their best foot forward, together.

Careers in IR are unique in their own right, and distinctive within the cybersecurity industry itself. The nature of the work has the potential to impact on not only businesses, but also on our fellow humans. Join me in celebrating our #CyberResponders this month. Take a moment to create a custom card to recognize those defending your digital front line here.

Want to learn more about what it’s like to work incidents live? Hear directly from me and other X-Force incident responders in our webinar, Tales from the Digital Frontlinesavailable on demand.

More from Incident Response

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

PR vs cybersecurity teams: Handling disagreements in a crisis

4 min read - Check out our first two articles in this series, Cybersecurity crisis communication: What to do and Crisis communication: What NOT to do. When a cyber incident happens inside an organization, everyone in the company has a stake in how to approach remediation. The problem is that not everyone agrees on how to handle the public response to cyber crisis communication. Typically, in any organization, the public relations team handles the relationship between the company and the media, who then decide…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today