Tesserent Provides Mental Health Suggestions for Australian Chief Information Security Officers

Professionals involved in cybersecurity in the APAC region are well-acquainted with job-related pressure.

Studies have pointed out that the majority of cybersecurity workers in this area undergo burnout, with up to 9 in 10 employees being impacted to some extent. Reasons for burnout include inadequate resources and alert exhaustion, leading to employee tension or disengagement.

Sources at the senior level in the Australian cybersecurity company Tesserent have given some tips for CISOs who wish to safeguard their mental well-being within the cybersecurity field. These recommendations have been made in conjunction with Australia’s mental health initiative called R U OK? Day.

Reasons for CISOs to Prioritize Mental Health in Cybersecurity

Various professions in the cybersecurity sector face mental health issues. The roles of CISOs, specifically, are acknowledged as high-pressure positions, partially due to a constant and expanding threat landscape.

This pressure has pushed some professionals to make drastic career decisions. On a global scale, Gartner foresees that nearly half of cybersecurity leaders will switch jobs by the end of 2025, with around a quarter moving on to different roles. Concurrently, industry body AustCyber estimates that Australia will face a shortfall of 17,000 security professionals over the next two years.

Impact of Burnout Driving Cyber Specialists Away from the Field

Executives at Tesserent in Australia have directly observed cybersecurity burnout.

Patrick Butler, who serves as the managing partner for managed and professional services, revealed that he is acquainted with “multiple” CISOs who exited their positions, opting for alternative careers or cybersecurity roles beyond incident response and security.

Jason Plumridge, the CISO at Tesserent, has also witnessed the pressure and stress experienced by other CISOs.

“I would estimate that, on average, CISOs and other security leaders change positions due to stress and lack of assistance in about 50% of cases,” he remarked. “However, global data indicates that the turnover rate is higher.”

Mark Jones, a senior partner at Tesserent, also attested to witnessing “many individuals experiencing burnout and exiting the cybersecurity realm.”

“I am familiar with at least five former senior professionals who left the industry because the unrelenting pressure became too much,” he voiced. “There is a significant amount of after-hours work needed, and this can have a personal toll on relationships and one’s well-being.”

Meanwhile, Silas Barnes, the senior partner for offensive security services at Tesserent, observed CISOs quitting due to stress and pressure. “One of them resigned and took a full year off to recuperate,” he added.

Techniques for CISOs to Maintain their Mental Well-being

Proper Preparation

Butler admitted to being “completely unprepared” for the stress in cybersecurity when he started working in this field 16 years ago.

“It took a considerable amount of time for me to figure out how to handle this stress, and even now, I have not entirely conquered it,” he stated.

One particular incident remains vivid for him. In 2017, Butler endured burnout and health issues after participating in an adversary simulation exercise, where his team mimicked a sophisticated threat actor in the network for over a week. By the end of that week, “the sheer exhaustion and burnout took several months to recover from,” he disclosed.

CISOs can better handle stress and pressure by acknowledging their own vulnerabilities, assessing risks, and preparing for worst-case scenarios, according to Butler.

“Being adequately prepared reduces stress during a crisis,” he explained. “It is crucial to distribute the responsibility of security risk across the entire organization.”

Segregate Work from Personal Life

CISOs should draw a distinction between the stress accompanying cybersecurity tasks and their personal lives.

Barnes disclosed his own experiences of burnout and fatigue during his cybersecurity career. He shared that the stress and pressure affected his sleep patterns and his ability to detach from work outside office hours.

“The convergence of significant responsibilities, intense pressure, and severe consequences of security breach incidents can make it challenging to disconnect, even during vacations,” he observed.

Butler urged CISOs to fortify their abilities to compartmentalize both physically and mentally.

“Discover a method to safeguard your personal time so you can unwind and signal to your mind the transition from work to personal time,” he suggested, affirming that this approach enables cybersecurity experts to “leave behind the day’s troubles.”

Share Responsibilities

Plumridge affirmed that setting clear boundaries between work and personal life is crucial. He stated that CISOs should also assign tasks strategically to team members to alleviate their own stress.

“While the CISO role necessitates being contactable 24/7 in case of a security incident, it does not mean you have to be mentally and physically on call 24/7,” Plumridge explained.

CISOs should evaluate and prioritize tasks based on their risk and impact to manage time and stress. “CISOs must trust in their colleagues’ ability to handle the role’s requirements during their absence and avoid micro-managing every event,” he advised.

Maintain Basic Mental Health Practices

Basic mental health and well-being are essential for sustaining the performance of senior cybersecurity professionals. Barnes recommended that cybersecurity experts allocate time for physical exercise, adhere to a nutritious diet, and monitor their alcohol consumption.

For instance, he took up skydiving to detach from work, relieve stress, and immerse himself in the present moment.

“In addition to skydiving, I ensure to take substantial breaks when on leave, ensuring they last longer than one or two days, to allow myself sufficient time to completely relax,” he mentioned.

Emphasize Continuous Growth, Not Perfection

The role of CISO has become intricate and all-encompassing, Plumridge acknowledged. This role generates numerous competing priorities requiring attention and action. He suggested that CISOs comprehend they can “manage some but not all” of these priorities.

Barnes articulated that CISOs can only give their best efforts.

“Avoid wasting time pursuing perfection, and do not dwell on not achieving flawlessness,” he advised. “Instead, concentrate on the value you contribute to your organization and on continuous and sustainable enhancement.”

Recognize the Influence of Social Media

Security leaders should gauge the amount of time spent browsing content from other cybersecurity professionals and business leaders on business-oriented social media platforms, Barnes proposed, as it could lead to adverse effects on mental health.

“The increasing pressure to build a personal brand or be recognized as a ‘thought leader’ by the broader community can evoke feelings of self-doubt, inadequacy, and anxiety for those engrossed in their daily work,” he opined.

CISOs should instead concentrate on their own individual journey and refrain from comparing themselves with others. The portrayals of other experts showcased on social media websites may not accurately represent the real experiences of working within the sector, according to Barnes.

Strategies for safeguarding mental health in organizations

Embrace collective responsibility for cybersecurity

According to Tesserent executives, cybersecurity should be a mutual obligation shared by all members of an organization.

“The entire senior leadership team should stand behind the Chief Information Security Officer (CISO) as cyber resilience is a collaborative duty,” emphasized Barnes.

Listening to the requirements voiced by CISOs in safeguarding the organization, its personnel, and its clients can contribute to supporting the mental well-being of their cybersecurity team, stated Kurt Hansen, the CEO of Tesserent.

Implement a robust business framework to thwart cybersecurity risks

A robust business framework is essential for overseeing continuous efforts in containing and eliminating cyber threats. Butler highlighted that this responsibility extends beyond incident response teams or the security operations center to encompass IT and management staff, who should be “readily available around the clock during a major crisis.”

“Organizations frequently overlook this aspect, leading to a substantial risk of key resources being unavailable or teams experiencing burnout due to working non-stop,” he elaborated.

Butler proposed that employers should acknowledge that employees are human beings and devise procedures, frameworks, and tactics that reduce the likelihood of burnout or stress.

“This approach not only benefits your workforce but is crucial for risk management and effectively eliminating threats,” he emphasized.

Prioritize investments in cybersecurity technologies and expertise

Enterprises must allocate resources to acquire the necessary technology and skill sets to enhance their cybersecurity stance.

Plumridge remarked that many CISOs face job-related stress due to the challenge of securing the essential investment in cybersecurity technology to fortify an organization’s defenses.

Employers should comprehend that processes and other non-technical human factors also influence the security posture.

Plumridge recommended that companies should be willing to remunerate competitively for safeguarding the organization and obtaining the requisite competencies and expertise.
