From the Winter 2023 Issue

Burnout in Cyber-Attack Experts

Usman Choudhary
Chief Product Officer | VIPRE Security Group

Human error has long been one of the most critical cybersecurity risks. Now burned-out employees might be the newest threat continuing to face businesses in the months ahead. Businesses must tackle this issue head-on and prioritize their employees’ well-being, investing in the proper cybersecurity training and support.

According to research firm Gartner, cybersecurity leader’s today are burnt out, overworked and practice an “always-on” mode. This is a direct reflection of how elastic the role has been over the past decade due to the growing misalignment of expectations from stakeholders within their organizations. On a similar note, new concepts have emerged such as:

  • Resilience and risk quantification.
  • Increased levels of digital connections forcing organizations to put significantly higher levels of effort into controlling (evaluating, influencing) the cyberhealth of external parties.
  • Employees now make decisions with cyber risk implications without consulting security and risk management leaders.
  • Executive committees being established outside the scope/purview of the cybersecurity leader.

Causes of Employee Burnout

The number of data breaches reported in 2021 soared past the numbers reported in 2020, putting more pressure on cybersecurity teams to keep their companies secure. And the numbers continue to rise.

Low staff morale, burnout, and high employee turnover are all severe issues facing businesses trying to manage the increasing number of cybersecurity threats. When you pair the increased number of threats with a highly tight hiring market and that high turnover, it is easy to see how that affects the tech industry.

According to a survey conducted by ThreatConnect, more than 500 IT decision-makers say they have gaps, already, in their technical IT security skills. About 32% of those surveyed said they are considering quitting their jobs, leaving their companies with ongoing hiring, management, and IT security issues.

The Root Causes

Not only are the number of cyber-attacks escalating globally, but employers also see record numbers of resignations. As a result, the talent battle will continue to hit cybersecurity companies hard.

Many of those resigning are being lured away by the prospect of better pay and more flexibility in their work schedules. 

That talent battle, excessive workloads, and performance pressures make for a more significant toll. The ThreatConnect research found that those high-stress levels were among the top three contributors to employee turnover, according to 27% of those surveyed.

How Burnout Affects Work

Burnout threatens the tech industry in multiple ways, the first being human error. For example, there is a risk of causing a data breach or falling for phishing attacks when employees are overly stressed and burned out.

Potentially distracted employees, many of whom are now working from home and are also stressed and tired, may leave organizations that much more vulnerable to cyber-attacks.

Combating the Issue

Instead of taking a punitive approach, companies can reinforce a strong security culture by building on training and continuing education to help their employees avoid common email mistakes that are otherwise inevitable.

Phishing attacks are difficult to find when people looking for them are stressed or burned out because their cognitive load is overwhelming.

Numerous automation tools can help burned-out security teams be more effective. However, employers also must support their employees.

Investing in the best security education and training is crucial. The course content should enable employees to gain value and retain it. Employees need to be able to identify cyber-attacks before they occur. Therefore, training should include real-life, relevant scenarios, including phishing, ransomware, malware, and others.

Phishing attacks are difficult to find when people looking for them are stressed or burned out because their cognitive load is overwhelming.

Threat actors know this, so they are making their phishing attacks more sophisticated and launching them during the afternoon employee slump when they know people are tired or distracted. Data shows that most attacks occur between 2 p.m. and 6 p.m.

Exhaustion is an issue and should not be shrugged off or underestimated by employers. Instead, create a simulated phishing campaign as part of your security awareness program.

Carlos Rivera, a principal researcher for Info-Tech Research Group, says the program can be optimized by requiring at least one hour of training each year. This training can be broken up into 15 minutes per quarter.

Base this training on current events manifesting hackers’ Tactics, Techniques, and Procedures (TTPs). Ensure that your business leaders are going past just dealing with risks. They should also be responsible for providing executive-level information on risk decisions and ensuring their employees have comprehensive cybersecurity knowledge.

By 2026, analyses show half of all C-suite executives will have cybersecurity risk built into their contracts. Unfortunately, that means cybersecurity leaders will have less control over the IT decisions they control today.

Managers should identify single points of failure that lead to added stress and burnout. Have security and tech teams work with other departments to bring organizational awareness to the issues of overwork and burnout to avoid losing good employees. Instill a culture of resiliency within your company.

Consider adopting a “left-shift mindset” where burnout and stress can lead to errors. Instead, Rivera suggests organizations introduce security early in the development process and use leveraging tools to automate and support that goal.

For example, on the tech front, build a continuous improvement/continuous delivery pipeline. Deploy tools such as an Integrated Development Environment, or IDE, which gives companies the best chance for success. This consists of a source code editor and debugger and will build automation tools for self-service capabilities and to identify errors in near real-time.

Couple your IDE with static analysis security testing. Include open-source scanning in your pipeline to provide effective defect mitigation.

Communication is also critical. Leaders must do better by admitting limitations, so the entire organization understands capacity constraints. Let all employees know what your IT department can and cannot do with the resources and constraints the department faces.

Finally, tech leaders need to simplify their cyber incident response processes and software solutions to be better integrated with the organization and with the best practices of the team responding to issues to prevent alert fatigue and crisis mode management. 

Crisis Mode

Burnout reaches crisis mode in professions where the stakes are high and there is high adversity. This is where mistakes are costly, every task is mission-critical, and every employee uses hyper-vigilance as their default.

When a department suffers burnout, it suffers slow performance and disengagement. This can cost companies 10 times more than absenteeism.

Spot and Prevent Burnout

The stress in cybersecurity is not going to vanish. However, there is more that can be done past referring employees to employee assistance programs.

Recognize the signs of burnout. There are telltale warnings when burnout is occurring. It does not all happen at once, but you can see signs of disengagement, cynicism, and eventually exhaustion.

Watch for performance decline, the intensity of disagreements, increased sick days, and impaired concentration.

Employees also need to know they can experience burnout and that they can feel safe expressing their concerns. This gives supervisors a chance to head off the problem before employees give up and head for the door.

Your cybersecurity experts are your vanguards and need periodic relaxation and rejuvenation to remain focused and vigilant. Rotate your experts to prevent fatigue and burnout. Fresh eyes are always more alert in spotting threats.

Ensure your employees have some fun and relax to avoid stress while threat monitoring. Build in blocks of time for team bonding while on the clock. That might be a game to play, a local café to visit for lunch, or pub time just before the workday ends. This builds camaraderie, lets people get to know each other, even if they work from home, and allows your team to spend some “unplugged” time together.

Also, have times when team members can talk about their problems and brainstorm ways to manage them effectively. Consider training an employee to be your inside professional, someone employees can turn to and discuss their stress levels. Allow for one-on-one time and group discussions. Ensure your employees feel secure enough to come forward and ask for help when needed.

Discourage multi-tasking. It draws focus away from core tasks and tends to lead to faster burnout. Instead, focus on smaller, more achievable tasks with clear instructions and the right tools.

What Really Helps

Showing your employees that you care about them and empathize with them helps. Invest in not just their technical skills but also their well-being. Use resilience training to give them the tools to handle their stressors better.

Let employees know that working harder and faster is not necessarily a badge of honor. Instead, teach them to slow down and take the time they need to accomplish a task. In the end, this will be better for them, and the department will run more smoothly and effectively.

Keep an Eye on Your Own Well-Being

Cybersecurity professionals are so busy protecting their teams that they sometimes forget to tend to their own well-being.

Keep in mind that your emotional and physical state are intertwined. Take a positive approach to stress. Instead of saying, “This work level is insane!” consider saying, “We’ve got so much opportunity here!”

Tend to your focus. While some say never take your eye off the ball, do not dwell on problems. Take periodic breaks. Try to solve only some problems right away. Make the solutions and the successes your focus.

Take care of your physical body. Use reminder apps for breaks, drinks, sitting up straight, and going for a walk. Use them. Find a walking partner, eat lunch with a friend, or take an online class during your break. Commit to others to help you commit to yourself. Invest in yourself by finding a coach or program to learn more ways to handle adversity.

Most cybersecurity professionals crave mentoring and career mapping as their workload grows, and they spend more time putting out fires. 

Look at what other companies are doing and find common ground.

Train all employees on how to look for signs of burnout and avoid it.

Business executives need to realize they must acknowledge that they play a crucial role in addressing burnout by investing in their people to retain good talent.

Build a culture of security support. This shows that you value their function.

Integrate Solutions into General Use

Reading about how you can wrestle with stress and burnout and how to take care of yourself is not enough. Instead, put these lessons into actions that can be used on the job daily, weekly or quarterly.

Do not dismiss burnout or the signs that it is coming. Do not expect people experiencing burnout to suck it up. This issue is causing numerous mistakes that hurt the industry and its people.

By keeping your employees safe from stress and burnout and giving them tools to help them cope and even avoid burnout, you are also keeping the data world safer.

Even with lots of tips and tricks, winning over burnout in cybersecurity is a challenge. But you owe it to your employees to provide a safe, manageable and happy environment so they can focus safely on cyber threats. lock

VIPRE Security Group

VIPRE Security Group is a leading provider of advanced security products purpose-built to protect major attack vectors from today’s most costly and malicious online threats. Leveraging decades of proven industry expertise, our portfolio includes comprehensive email and endpoint security, along with real-time threat intelligence and the industry’s premier sandbox for next-gen malware analysis.

Unlike competitive solutions, VIPRE Security Group products combine a comprehensive, layered defense against evolving threats that receive the highest ratings from leading independent testing agencies and feature the industry’s most intuitive user interface. We offer server and cloud-based deployment, plus mobile interfaces that enable instant threat response – anywhere, any time, from any device.

Usman Choudhary

Leave a Comment