Heidrick & Struggles’ 2023 Global Chief Information Security Officer (CISO) Survey reveals that CISOs view stress (71%) and burnout (54%) as top concerns, growing year over year (see Figure 1).
Figure 1: Most significant personal risks CISOs face
In a 2023 Gartner Peer Community survey of 178 infosec and IT leaders with primary responsibility for security, 62% personally experienced burnout at least once, with 44% reporting multiple instances.
“Cybersecurity professionals are stuck in ‘survival’ mode. This is not because of the vast number of threat actors, the ever-expanding attack surfaces or the chronic shortage of cybersecurity talent. What stops them from thriving amid chaos and complexity is the mindset of zero tolerance for failure that continues to pervade cybersecurity and organizational cultures.” (Augmented Cybersecurity: Act Now to Thrive Amid Chaos and Complexity, Gartner Cybersecurity Research Team)
The Gartner report CISO Effectiveness: Start Practicing 3 Burnout-Avoiding Behaviors Now states that “CISOs are burning out from decision, data and device overload.”
The real cause of burnout
Alex Tilley, head of threat intelligence for Asia Pacific and Japan (APJ) at Secureworks, says that burnout in cybersecurity is real.
“It’s a cliché, but it’s true – hackers just need to get it right once, cyber defenders need to get it right all the time,” he begins.
“Attack vectors are expanding, the volume of attacks is proliferating, and tech continues to progress at a crazy pace. The stakes are high, and that creates a lot of pressure on cyber teams, and it can be hard to find balance.”
“Yet neither is it sustainable to be in a constant state of fight or flight,” he concludes.
What’s the effect?
Tilley says burnout manifests itself at both the individual and the corporate level. At the individual level, he cautions, burnout is serious, and he stresses the importance of recognising the signs and identifying the triggers.
“When you’re working in an intense environment it’s easy to think ‘Oh I’ll deal with that later,’ but you’ve got to prioritise yourself and your mental health,” he continued. “At a corporate level, not having the right support structures in place can lead to an inadvertent decline in vigilance which hackers can exploit.”
Role of tech in cybersecurity
Security experts agree that the threat landscape is evolving faster than before. The very technologies created to support security professionals, such as artificial intelligence and machine learning, are opening new windows of opportunity for threat actors as well.
Tilley adds: “If you haven’t worked in cyber, I think it can be hard to understand just how in-depth – and therefore potentially overwhelming – it is.
“The to-do list is never done. A lot of cumbersome and time-consuming work can certainly be automated to remove some of the burden of investigations. That said, burnout is multi-faceted, so whilst AI can play a contributory role, it is not a silver bullet and does not solve for having the right support structures in place,” he elaborates.
Expectations
In the Proofpoint 2023 Voice of the CISO report, Celeste Lowe, then group director for IT Security at Nine, comments that: “CISOs have always had a stressful job, but the additional pressures—like board expectations to deliver risk reduction faster and challenges in influencing middle management on delivering it, budget challenges and shortages of skilled talent—are creating an untenable situation for many.”
She concludes that CISOs are changing roles or leaving the cybersecurity field altogether. While she laments that finding a better balance may sound impossible given the 24/7 nature of the role, she is adamant that “it is absolutely necessary for maintaining resilience in the face of burnout.”
Tilley acknowledges the difference between high and unrealistic expectations. He explains that, given what is at stake, the board has the right to have high expectations of cyber leaders, but the board also needs to appreciate that cyber is a whole-of-business problem.
“Threat actors are not an ‘IT’ problem or a ‘cyber’ problem – they are a business problem,” he explains. “You can’t just delegate it to the CISO, everyone in leadership has to work together to embed the right cyberculture, one that empowers the whole business.”
The pressure that comes with the hero label
Deloitte notes that the CISO job often hangs by a thread, adding that a single difficult-to-manage cyber incident can lead to being handed a pink slip. The Trellix ebook The Mind of the CISO: Behind the Breach reveals that 13% of 500 surveyed CISOs (“with experience managing a major cybersecurity incident within the past 5 years”) experienced job loss or redundancies in the past year, down from 23% one to three years before the survey was conducted and 31% more than three years before the data was published.
Tilley laments the difficulty of articulating how integral cyber defenders are to the fabric of all that we hold dear. “From being able to easily call a family member on the other side of the world, order our favourite coffee to our doorstep or manage our pension portfolio,” he muses.
“Those services we take for granted are secured every day by cyber teams. We should celebrate them whilst recognising that cyber defence is a collaborative endeavour. We all need to answer the call,” he says.
The burnout and mental well-being dialogue
The World Health Organization says burnout is not an illness, nor is it a mental issue. The organisation refers to it as an ‘occupational phenomenon.’
Acknowledging that security people are overwhelmed, Thea Manix, co-founder and director of research at Praxis Security Labs, explains that in addition to their day-to-day work, security professionals are expected to be futurologists able to predict the future, and psychologists able to understand the human elements of security – how users may react to social engineering and how they may subvert security controls to make work easier.
“And they never get any positive feedback; it’s mostly negative because the whole process of security is mostly negative – stop the outside bad guys doing anything bad, and stop the inside good guys doing anything wrong,” she continued.
On the bright side, Secureworks’ Tilley says: “The newer generation is much more at peace with talking about mental health struggles and things like strategies for working with neurodiverse people.
“The crusty old campaigners like me, I think, are by and large worn down and burnt out by the unrelenting nature of the work and the commodification of what has historically been a niche skillset.
“Those folks need assistance in talking about and dealing with their struggles before they become a problem in their lives in general,” he continues.
Holistic view
Cybersecurity should be seen as a long game. As threats, regulations and technologies evolve, the cybersecurity profession must adapt to the changing environment.
Resilience has long been a theme: build resilience into your cyber strategy. More often than not, though, this relates only to tech. Do we need to start thinking more holistically, across tech, process and people?
Tilley acknowledges that mental health issues like burnout cannot be fixed with technology. “We can use technology to ease certain tasks or make some aspects slightly less taxing, but anyone in these roles can tell you, you remove one problem and there are two more lining up behind it to be worked on.
“‘Resilience’ in this instance should be replaced with ‘understanding’. The days of the ‘brush it off and get on with it’ type attitude have caused unfathomable damage to mental health and life outside of work,” he says.
Call to arms
Just as boards and the C-suite have come to recognise the importance of cybersecurity, the recognition needs to be displayed through visible support of the security team tasked with an organisation’s defence.
Tilley suggests treating cybersecurity staff as people and not as headcount. “People who feel like they are just a number will act like just a number,” he opines. “Invest in your people and their mental health and struggles and you will find them to be more productive for longer, and perhaps they may care more about their work as it is once again seen as an interesting challenge, not as an unrelenting crushing weight of expectation,” he concludes.