Security Professionals Battle Burnout as Threat Landscape Evolves

A surge of cybersecurity incidents and a general feeling of work overload are leading to widespread burnout among IT security professionals, two surveys indicated.

A Cynet survey of chief information security officers (CISOs) of small to midsize businesses found nearly two-thirds (65%) said their ability to protect their organization is compromised due to an overwhelming workload, with nearly 100% admitting they needed additional resources.

The stress levels are affecting entire IT security teams, with nearly three-quarters (74%) of CISOs surveyed admitting they have lost team members because of work-related stress issues.

Nearly half (47%) of these CISOs have had more than one team member exit their role over the last 12 months.

Burning Out and Fading Away

Respondents to a Magnet Forensics survey said the rapid evolution of cybercrime is weighing on security teams substantially more than it did last year, leading to widespread burnout. Alert and investigation fatigue are twin contributing factors, the survey revealed.

The study also revealed that the evolving nature of threats is extending response times beyond what respondents feel is acceptable: 43% said it takes them between one week and more than a month.

Nearly a third of respondents said that identifying the root cause of an incident requires either a “complete overhaul” or “major improvements” in the organization’s threat posture.

“We’re seeing a direct correlation between burnout and the increased activity of cybercriminals who are relying on more complex strategies and bombarding organizations with more attacks,” explained Adam Belsher, CEO of Magnet. “New cybersecurity regulations also impacted our respondents who said they’re now under increased pressure to get answers faster.”

He pointed out that a global talent shortage resulted in hiring challenges, and that digital forensics and incident response (DFIR) practitioners find themselves in a difficult situation.

“They need to respond to more incidents, get answers faster and do so while knowing no reinforcements are on the way,” Belsher noted. “It’s no surprise that they’re burned out.”

George Tubin, director of product marketing for Cynet, added that what stood out most is what a vicious cycle this work-related stress is. Their stress at work spills over into their personal lives, which increases their stress at work—and repeat.

“Because of their workload and stress, these CISOs said they’re missing vacations and private events and they’re also losing their tempers with family and friends. This only exacerbates their stress levels,” he says.

In addition, 80% of them have received complaints about how they handled security tasks and two-thirds said their ability to protect their organizations is compromised due to work overload and stress.

More Cybersecurity Staff Needed to Combat Burnout

The Cynet survey also asked CISOs whether they need more people, and the general consensus is that they could use 30% more staff.

They also said they’ve compromised on hiring decisions because it’s so hard to find good cybersecurity people.

“But, when we asked them what initiatives could help them reduce stress levels, rather than say hire more, more CISOs stated technology consolidation and automation, as well as outsourcing,” Tubin says. “Cybersecurity technology has become so complicated and so expensive that the cure is almost as bad as the disease.”

Belsher noted that each factor contributing to the burnout of DFIR practitioners is out of their hands.

“They can’t control how often cybercriminals attack their organizations or the methods they use,” he said. “Cybercriminals have continued to find new threat vectors and ways to scale the volume of their attacks. That won’t change in 2023.”

That means organizations must adapt to this threat landscape beyond trying to hire themselves out of this problem.

“If we maintain the status quo, burnout will only get worse,” he says. “Automation is essential to scaling the capacity of DFIR teams.”

Tubin agreed, noting that a couple of the survey questions asked respondents to compare the past year with previous years; the results were consistent or have become slightly worse.

“Unless these security leaders can somehow relieve their stress, mainly through simplifying and automating their cybersecurity technology, I expect the situation to get worse before it gets any better,” he said.

He added that CEOs and the board should be concerned about the threat of burnout, especially considering that this stress is leading to a degradation in security outcomes that increases risk for the organization.

“CEOs and board members should proactively reach out to their security leaders to discuss ways to reduce stress and improve the company’s security posture,” he advised.

Belsher pointed out that cybersecurity and IT personnel can’t tackle burnout alone.

“Mental health is a company-wide imperative that executives, HR departments and all people leaders should play an active role in addressing,” he said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
