Cyberattacks seldom happen when it’s convenient. In fact, it’s relatively common for them to occur on weekends or holidays — threat actors capitalize on the fact that there is fewer staff on site, and those who are there are focused on the coming weekend or time off.

It’s also not uncommon for attacks of this nature to involve critical systems — systems that help EMT professionals route patients to life-saving medical care or those that ensure food supplies continue to flow to grocery stores. Cyberattacks are no longer relegated to data accessibility — they frequently cross the line into real-world effects felt by everyday people.

It’s a familiar story for incident responders: It’s Friday afternoon, and a client calls to report they’re experiencing a serious incident. Sometimes it involves multiple systems and threatens to take their business completely offline. They need immediate assistance — and every second counts.

The first 72 hours of an incident are critical and can be incredibly demanding. Responders often work nonstop to locate the initial attack vector, contain the threat, assess the damage, and, ultimately, reduce the overall impact of the incident. Adding to that, this is likely not the only incident a responder is working — it’s common for incident response (IR) teams to have to focus on two or even three incidents simultaneously.

Incident responders are tasked with defending constantly expanding environments from evolving and increasingly aggressive threats. A new study from IBM Security conducted by Morning Consult surveyed more than 1,100 cybersecurity incident responders across 10 countries and found that 67% experience stress or anxiety daily due to the pressures of responding to a cyber incident.

Responders are unique individuals. They do what they do because they’re driven by a sense of duty to the organizations they defend and the people they protect. In fact, nearly 80% of incident responders reference this sense of duty among the top reasons that attract them to the profession.

Read on to unpack more of the top takeaways from the study.

Explore the Study

Most stressful factors facing incident responders today

According to 50% of survey respondents, managing expectations from multiple stakeholders is the most demanding aspect of the job. At any given time during an incident, responders are fielding multiple, concurrent requests from the client’s C-suite and board of directors, as well as their own management and colleagues.

Underpinning that is the responder’s sense of responsibility to their client and team to mitigate the incident. It’s our innate drive to do good in the world and our commitment to help people that drives the work we do, and these statistics reflect that.

What’s more immediately tangible is the skillful time management and energy incident responders put into their work. The study backed this up, finding that:

Real-world mental health implications

If you add these factors up, it’s clear that incident response can take a toll on mental health. It’s not uncommon for teams to experience insomnia, burnout and even impacts on their social life.

Adding to that anxiety is the evolving sophistication of damaging cyberattacks. Ransomware is called out by name in the study, with 81% of the responders experiencing heightened pressure as a result of increased ransomware attacks in the last year.

Thankfully though, support systems are in place for many of these hardworking teams – 84% say they have adequate access to mental health resources, and a notable 95% feel their senior leadership provides the necessary support structure to be successful.

A sense of duty drives them

Through it all, responders are still willing to do what they do because of their exemplary sense of duty. About 36% listed the sense of duty to help and protect others as the number one reason that attracted them to the job, and this was the top reason attracting them to the field across all 10 countries surveyed.

Another reason responders do what they do is they’re driven by the need to solve urgent problems, as well as the fact that they learn every time they perform an incident, only sharpening their skillset.

An incident responder’s DNA is rooted in compassion, creativity, and adrenaline, and a thirst for knowledge and growth shapes their psyche – in turn, inspiring their craft.

How to better support incident responders

I want to be clear – IR, while challenging at times, is not all grim. From my personal experience and the experiences of those studied, the fulfillment, excitement, and career growth potential outweigh the negative. And there are practical steps organizations can take to mitigate some of those negatives and help themselves in the process.

First, build IR plans and playbooks from the perspective of the responder. Bring responders in at the very beginning of the playbook process — and when regularly reviewing and updating these plans. Explicitly ask an IR professional what they need in the first day or first 72 hours because these are critical timeframes for responding to an incident successfully. Involving IR professionals from the very beginning of restructuring your plan can keep a bad situation from becoming a worst-case scenario.

Next, practice these plans. Don’t just check a box with the annual tabletop exercise. Really commit to running through the drills and rehearsing the incidents in a way that is immersive, realistic, and relevant to your specific line of business. A good mindset for rehearsing your plans is thinking of it like a professional athletic team thinks about their training. A team doesn’t just walk onto the field unpracticed. Hours upon hours of planning and practice go into every game so all teammates put their best foot forward, together.

Careers in IR are unique in their own right, and distinctive within the cybersecurity industry itself. The nature of the work has the potential to impact on not only businesses, but also on our fellow humans. Join me in celebrating our #CyberResponders this month. Take a moment to create a custom card to recognize those defending your digital front line here.

Want to learn more about what it’s like to work incidents live? Hear directly from me and other X-Force incident responders in our webinar, Tales from the Digital Frontlinesavailable on demand.

More from Incident Response

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today