Cyberattacks seldom happen when it’s convenient. In fact, it’s relatively common for them to occur on weekends or holidays — threat actors capitalize on the fact that there is fewer staff on site, and those who are there are focused on the coming weekend or time off.

It’s also not uncommon for attacks of this nature to involve critical systems — systems that help EMT professionals route patients to life-saving medical care or those that ensure food supplies continue to flow to grocery stores. Cyberattacks are no longer relegated to data accessibility — they frequently cross the line into real-world effects felt by everyday people.

It’s a familiar story for incident responders: It’s Friday afternoon, and a client calls to report they’re experiencing a serious incident. Sometimes it involves multiple systems and threatens to take their business completely offline. They need immediate assistance — and every second counts.

The first 72 hours of an incident are critical and can be incredibly demanding. Responders often work nonstop to locate the initial attack vector, contain the threat, assess the damage, and, ultimately, reduce the overall impact of the incident. Adding to that, this is likely not the only incident a responder is working — it’s common for incident response (IR) teams to have to focus on two or even three incidents simultaneously.

Incident responders are tasked with defending constantly expanding environments from evolving and increasingly aggressive threats. A new study from IBM Security conducted by Morning Consult surveyed more than 1,100 cybersecurity incident responders across 10 countries and found that 67% experience stress or anxiety daily due to the pressures of responding to a cyber incident.

Responders are unique individuals. They do what they do because they’re driven by a sense of duty to the organizations they defend and the people they protect. In fact, nearly 80% of incident responders reference this sense of duty among the top reasons that attract them to the profession.

Read on to unpack more of the top takeaways from the study.

Explore the Study

Most Stressful Factors Facing Incident Responders Today

According to 50% of survey respondents, managing expectations from multiple stakeholders is the most demanding aspect of the job. At any given time during an incident, responders are fielding multiple, concurrent requests from the client’s C-suite and board of directors, as well as their own management and colleagues.

Underpinning that is the responder’s sense of responsibility to their client and team to mitigate the incident. It’s our innate drive to do good in the world and our commitment to help people that drives the work we do, and these statistics reflect that.

What’s more immediately tangible is the skillful time management and energy incident responders put into their work. The study backed this up, finding that:

Real-World Mental Health Implications

If you add these factors up, it’s clear that incident response can take a toll on mental health. It’s not uncommon for teams to experience insomnia, burnout and even impacts on their social life.

Adding to that anxiety is the evolving sophistication of damaging cyberattacks. Ransomware is called out by name in the study, with 81% of the responders experiencing heightened pressure as a result of increased ransomware attacks in the last year.

Thankfully though, support systems are in place for many of these hardworking teams – 84% say they have adequate access to mental health resources, and a notable 95% feel their senior leadership provides the necessary support structure to be successful.

A Sense of Duty Drives Them

Through it all, responders are still willing to do what they do because of their exemplary sense of duty. About 36% listed the sense of duty to help and protect others as the number one reason that attracted them to the job, and this was the top reason attracting them to the field across all 10 countries surveyed.

Another reason responders do what they do is they’re driven by the need to solve urgent problems, as well as the fact that they learn every time they perform an incident, only sharpening their skillset.

An incident responder’s DNA is rooted in compassion, creativity, and adrenaline, and a thirst for knowledge and growth shapes their psyche – in turn, inspiring their craft.

How To Better Support Incident Responders

I want to be clear – IR, while challenging at times, is not all grim. From my personal experience and the experiences of those studied, the fulfillment, excitement, and career growth potential outweigh the negative. And there are practical steps organizations can take to mitigate some of those negatives and help themselves in the process.

First, build IR plans and playbooks from the perspective of the responder. Bring responders in at the very beginning of the playbook process — and when regularly reviewing and updating these plans. Explicitly ask an IR professional what they need in the first day or first 72 hours because these are critical timeframes for responding to an incident successfully. Involving IR professionals from the very beginning of restructuring your plan can keep a bad situation from becoming a worst-case scenario.

Next, practice these plans. Don’t just check a box with the annual tabletop exercise. Really commit to running through the drills and rehearsing the incidents in a way that is immersive, realistic, and relevant to your specific line of business. A good mindset for rehearsing your plans is thinking of it like a professional athletic team thinks about their training. A team doesn’t just walk onto the field unpracticed. Hours upon hours of planning and practice go into every game so all teammates put their best foot forward, together.

Careers in IR are unique in their own right, and distinctive within the cybersecurity industry itself. The nature of the work has the potential to impact on not only businesses, but also on our fellow humans. Join me in celebrating our #CyberResponders this month. Take a moment to create a custom card to recognize those defending your digital front line here.

Want to learn more about what it’s like to work incidents live? Hear directly from me and other X-Force incident responders in our webinar, Tales from the Digital Frontlinesavailable on demand.

More from Incident Response

How to Start a Career in Cyber Incident Response

Cyber incident response is one of cybersecurity's most interesting and rewarding careers. It’s an in-demand role, and it pays well. But how do you get started? First, let’s start with the basics. What is Cyber Incident Response? Cyber incident response is the preparation for and practice of identifying, containing and ending cyber attacks. A computer security incident response team (CSIRT) within an organization — ideally including the chief information security officer, security operations center staff, executives and representatives from the…

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

What Hurricane Preparedness Can Teach Us About Ransomware

Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face. While we can’t equate the…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…