Working with psychologist Dr. Chris Brauer, cybersecurity agency Symantec has put together a study examining burnout amongst cybersecurity professionals. The results are simultaneously unsurprising and concerning. In a survey of over three thousand decision-makers, 80 percent are burnt out and nearly two-thirds are thinking about abandoning the industry.
“It’s evident that cybersecurity professionals face a battle they feel is difficult to win,” Symantec Senior Vice President of EMEA Stuart Henderson explains in a blog post about the study. “Looking around at the industry, this comes as no real surprise. The profession has always had acute moments of failure, but it is becoming clear that the everyday role is reaching a state of chronic overload.”
The study identifies multiple sources of stress, including:
- Million-dollar data protection fines.
- The growing intelligence and skill of cyber-criminals.
- A constantly widening skills gap.
- The complicated, sprawling nature of IT infrastructure.
- An insufficient budget constantly besieged by decision-makers who don’t understand the importance of cybersecurity.
- Having to stay abreast of and responsible for regulatory requirements.
- The ever-present knowledge that one’s organization may already be breached.
It’s abundantly clear that something needs to change. But what exactly can we do? According to Henderson, the first step lies in reducing complexity and sprawl within the enterprise infrastructure.
By eliminating unnecessary software and hardware, organizations will allow their cybersecurity team to better focus their efforts on protecting the assets that actually matter. This is, however, only the first step. Automation – specifically, through cloud infrastructure and services – can further reduce stress, centralizing a business’s security processes and eliminating a lot of the busywork that comes with network monitoring.
Beyond that, however, businesses must start focusing more on the well-being of their employees.
We need to start having open, honest conversations with staff about how much work they’ve taken on, and whether they have the capacity to do more. We need to create work schedules that ensure cybersecurity professionals aren’t overworked and driven inexorably towards burnout. We need to start offering support and counseling to help cybersecurity professionals cope with and relieve stress.
This is about more than caring for one’s employees (though that should be a good enough reason on its own). Criminals don’t need to worry about burnout. They can operate entirely on their own schedule, and at their own leisure.
If cybersecurity professionals are stressed, overworked, and exhausted, we’re ceding yet another edge to attackers in the war on cyber-crime. They already have more than enough advantages. After all, protecting corporate assets requires constant vigilance.
And criminals only need to succeed once.
Perhaps as we address the cybersecurity talent shortage, the problem will correct itself. But in the interim, cybersecurity professionals are horrendously overworked. If we are truly serious about protecting end-users and preventing data breaches, that needs to change.