Security Pro Burnout Signals IT Security Shift

Major changes to our world, ushered in by the global pandemic, have put a huge strain on IT security professionals’ mental health.

Increased demands by organizations to adapt to a remote-first way of working meant that these individuals had to work overtime to ensure not only quick but secure digital transformations.

A survey by 1Password has found cybersecurity professionals have been negatively impacted by these changes, and the dangers for organizations loom large: Twice as many significantly burned-out security professionals say security rules and policies “aren’t worth the hassle,” compared to those who are only somewhat burned out.

Jeff Shiner, CEO of 1Password, said when it comes to cybersecurity, the employee burnout conversation should remain front and center—even more so in an increasingly geographically dispersed workforce.

“Our report findings revealed that one way organizations can begin combatting employee burnout is to employ high-quality, user-friendly software that enables productivity or resolves any process challenges they may be encountering,” he said. “Doing this can have a substantial impact on security.”

Shiner noted that for any organization that’s looking to better support its security staff, the most important first step is to acknowledge that people may be struggling to cope.

This means organizations need to make sure they’re regularly assessing the cause of their employees’ burnout, looking at their internal processes and then addressing problems in a way that’s in line with their company mission and culture.

“Unfortunately, many cybersecurity solutions deployed today are designed to raise alerts with the focus on—in theory—more information equating to better security,” said John Morgan, CEO at Confluera. “Of course, we know in practice this is not true.”

He said that because most cybersecurity investigations result in false positives, it’s difficult for security professionals to feel rewarded by their hard work and to believe they are making a real difference in enhancing the overall security of their organization.

“This has been a challenge in the cybersecurity industry for many years,” he said. “Coupled with the sudden increase in initiatives due to the shift in the business model, ranging from shifting to a virtual workforce to cloud adoption, organizations are facing significant and real cybersecurity challenges.”

Maximizing IT Security’s Time

Morgan said organizations should focus on maximizing the IT security staff’s time, enabling them to work smarter.

“Automation can help, but streamlining the wrong part of the security process can make the situation even worse by increasing the tasks requiring human analysis,” he explained. “What organizations should focus on is assessing which aspects of the IT security staff’s responsibilities can best be automated.”

For example, with so much time lost investigating false positives, streamlining the process to bubble up only the alerts that “matter” can drastically improve security staff’s productivity as well as improve their job satisfaction.

“There are many factors associated with the cause of employee burnout,” Morgan added. “Major factors that can help reduce the risk of burnout are ensuring that employees have a sense of accomplishment for the work they are putting in, feel appreciated, listened to and empowered to make decisions.”

He pointed out that, in general, IT can often be a job without a lot of praise when things are going well, but with incredible pressure and a crushing sense of emergency when things are not going well, given that business productivity is reduced.

“With that in mind, my advice to business owners is to praise during the good times to help offset the firefighting,” Morgan said. 

Shiner added that as long as the pandemic persists and threats escalate, burnout will remain an issue.

Alleviating Burnout

“Thankfully there are solutions at our disposal to alleviate burnout—organizations should consider making these core to their cybersecurity skills training initiatives,” he said.

He explained that reports showed virtually zero unemployment among cybersecurity professionals, which means organizations are fighting for the best talent.

“Taking burnout seriously could be a competitive advantage for recruiting and retaining talent,” he added.

John Hellickson, cyber executive advisor at Coalfire, a provider of cybersecurity advisory services, said as an industry, there is a need to collaborate more with HR business partners to find better ways to make work feel less like work.

“We’ve lost a lot of the in-person human element of working together toward a common goal when a majority of the workforce shifted to remote work,” he said. “Now that most companies have succeeded in enabling an entirely remote workforce, security leaders need to shift their attention to creative ways to lessen the burden that traditional security measures have ineffectively carried onto the remote worker.”

Hellickson warned that until CISOs and HR business partners find ways to quickly adapt to the market demand for talented cybersecurity staff and the ease of job-hopping, this burnout will continue for the foreseeable future.

“Frankly, we’re going to see a surge in salaries and benefits that will lure employees away, and this will drive a need for HR departments to shift away from their traditional structured compensation analysis of what the market demands to a more proactive and favorable adjustment of current employees’ compensation plans,” he said.

He predicted that if this doesn’t happen, CISOs and security leaders will be spending a lot more of their time on managing attrition, time that could otherwise be spent on managing cybersecurity risk at the organization.

That perspective was echoed by Morgan, who said he does not foresee the current challenges of IT security professionals getting resolved in the near future.

He pointed out that many industries are continuing to evolve their businesses and that adoption of new processes and technologies shows no signs of slowing down, while new cyberattacks leveraging current events and new technologies have also accelerated.

“Simply hiring more resources is not a practical approach given costs and talent availability,” he said. “Cybersecurity is a specialized field, so opening hiring to remote workers will help, but ensuring they are qualified will continue to be difficult.”

Morgan said organizations should focus on equipping their IT security professionals with the right tools to maximize their abilities to identify the latest cybersecurity threats and attacks, especially in new cloud environments, and to improve their sense of accomplishment in adding significant value to the organization.

“Fortunately, recent innovations in the cybersecurity industry are offering organizations many such tools,” he said. 

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
