The cybersecurity kids aren’t all right

For the fourth year of our "The Future of Cybersecurity in Asia Pacific and Japan" research survey, Sophos commissioned Tech Research Asia to ask questions around a different, somewhat taboo topic - the effects of mental health issues within the cybersecurity field. The results were startling: More than four out of five survey respondents reported some degree of burnout or fatigue, with one contributing factor (lack of resources / overwhelming workload) cited in nearly half of all responses.

The simple process of asking our respondents how they (along with their organization) are doing, specifically about how developed their cybersecurity culture is and whether fatigue or burnout has become an issue, led to some interesting conversations. Ironically, perhaps the most interesting of those conversations was about the lack of conversation between cybersecurity professionals and their leadership or board of directors. This gap suggests a series of endemic problems that have a direct impact on maintaining proper institutional security posture - not to mention an impact on the beleaguered teams charged with the task.

What we learned

Eighty-five percent (85%) of respondents declared their employees had suffered, or were currently suffering from, fatigue and burnout (two halves of a whole, as the survey worded it). The sheer complexity of the cybersecurity industry, and the findings from this report, dramatically underscore the impact endemic stress has on the individuals who make up the teams we expect to defend us. Again, that's endemic stress, before an incident has even taken place. (Situational stress is probably an inevitable byproduct of crisis situations, but if the crisis is never-ending, the stress becomes endemic.)

Looking more deeply into the report, some of the core reasons for these overwhelming levels of fatigue and burnout wouldn't be surprising to most: 48 percent said their burnout and fatigue were caused by a lack of resources, while 41 percent cited the monotony of routine activities. Overall, respondents perceived that time lost to fatigue or burnout per employee, per week works out to an average of 4.1 hours - a tenth of the "normal" workweek, if such a thing can be said to truly exist in cybersecurity.

Surveys measure perception, and though having well over 900 individual respondents to our survey makes for a reasonable statistical basis, perception can be hard to translate into facts. Still, statistics such as these should bring about a level of concern that at the very least invokes a sense of duty of care - to check in on those that could be highly strung out and potentially struggling to keep up with the daily volume of effort. Sheer volume of data and incidents is a source of stress and concern, of course, but one of the survey's most unnerving findings is that it's not just about the stresses attackers and the tech itself cause. The call, in short, may well be coming from inside the house.

As mentioned above, lack of resources and job apathy are key issues around cyber fatigue in our defenders. A remarkable portion of both problems may stem from poor hiring practices. If we listen to news outlets, governments, policy makers, and organizations, we hear a common theme that many struggle to find and retain 'talent' in our vast industry. It's also far too common to hear of candidates who work to break into 'cyber' and then find out that the position they're filling isn't what they expected it to be. But were they consulted, prescriptively, on what their roles would be? How many posted job descriptions truly represent the job that awaits the successful applicant? Detection engineering, threat hunter, forensic analysis - all are deeply rooted technical specializations within our industry. However, do we clearly define these roles and responsibilities when we need someone desperately?

As an industry I don't think we do, and that's a problem. Mis-hiring cyber specialists into roles that don't match their skill sets or career goals is a sure way to set people up on the back foot. At best, they must quickly bring themselves up to speed in a new specialty; at worse, you've set them up to fail, with all the fatigue and burnout that will cause not just them but the colleagues who will inevitably be affected.

In the latter, worst-case situation, this is where apathy starts to creep in: "This is boring. I didn't sign up for this." It's easy to deduce that this may be one of the reasons a practicing cybersecurity professional starts to push back on their new role - they've been thrown into the deep end and expected to swim without coaching or guidance, as they're the one who is now responsible for that function, whether or not that truly matches their broader career goals and interests. This lack of support and resourcing breeds more friction and prevents smooth operational defense against threats - to the point where 19% of respondents stated that such issues contributed to a breach.

Why aren't we fostering our teams of cyber-defenders to do more of what they like to do best, and guiding them toward acquiring greater abilities?

What needs to happen

This industry desperately needs a better attitude toward healthier cyberculture, and it needs to flow from the very top of the food chain down to individual practitioners. Overall, forty-nine percent (49%) of respondents said their company's board members didn't fully understand requirements around cyber resiliency; 46% said the same thing about their C-suite. This is disturbing, as these are precisely the people who need to be accountable. Risk starts and stops with them. They have the power to listen. They have the power to prioritize the enterprise's efforts to address the problem, either using current staff skills and budgets or, if necessary, choosing to re-allocate resources to make the necessary changes.

Unfortunately, survey respondents reported that lip-service and non-committal indicators from On High are the norm - and that their lack of understanding of their accountability leads to an incorrect expectation of how overall secure the business is. (And the lack of understanding at that level isn't for want of information; overall, 73% of companies brief their boards on cybersecurity matters at least monthly, with 66% of C-suites also briefed at least that often.)

This personnel crisis is, frankly, an issue of proper risk management. It may be that making that case at the executive committee and board levels will cause the picture to click into focus: stress -> fatigue and burnout -> staff turnover, or worse. We've all read stories of how small and large businesses have fallen to cyber breaches due to employee error (or, again, worse). Let us look at these lived experiences as a starting point to help educate and bootstrap a change in attitude towards cyber resilience.

In fact, where regulatory fines from governing bodies have been imposed onto directors, board members, and C-level executives, it may be useful to think of that sort of legal and regulatory impact as a way of reallocating stress from the rank-and-file to the top of the org chart. Phrasing it that way may greatly help reset leadership's expected level of accountability and drive change. (The respondents would certainly agree; when we asked whether legislation and regulatory changes mandating cybersecurity board-level responsibilities and liabilities increased the focus on cybersecurity at a company board or director level, 51% said it had helped a little - and another 44% said it had helped a lot.)

Team leaders and middle management will be crucial in identifying where excessive load is being placed on employees and, at the very least, in starting to have conversations around alleviating and avoiding stress. However, be warned that refined management skills are needed, as simply walking in and asking "what's the problem?" will further burden the employee.

There isn't a quick fix to pervasive workplace stress. Attitudes toward better stress management, and indeed toward improving other problematic cultural issues in cybersecurity, have traditionally moved at a glacial pace. But at least they're moving, and tech leaders can move the needle in individual organizations even if they're not at the top of the corporate food chain. Even relatively small steps can bolster your teams of cyber defenders. Consider the most basic building blocks of their day-to-day work: If your people are equipped with the right technology to help minimize noise and repetitive tasks, and empowered with processes to help guide them through risk identification and communication, they'll have a great foundation to build on.

Keep a regular cadence of communication with your team members and understand if the slightest signs of fatigue or burnout are forming. It can be hard for managers to see those small stressors individually, especially since so many defenders take pride in their ability to "tough out" bad work situations, but the cumulative effects of stress are a genuine vulnerability. (And learn to recognize the signs of stress in yourself and your peers as well. Management jobs can be uniquely stressful, especially for those folk whose current role may include less tech and more administrivia than they might like.)

Stress management, and the human vulnerability that leads to it for potentially any and every one of us, is a skill many organizations lack. Acknowledging stress and taking corrective action to minimize or mitigate it is a solid base for building a great cybersecurity culture. It's our hope that the simple fact of asking how our colleagues are doing - and of normalizing conversations around a topic that is often avoided, or celebrated as a sign of seriousness about the work, or even treated as taboo - can help infosec leaders to better drive positive outcomes around cyber resiliency.

Public link

Please use the above public link if you want to share this noodl on another website.