The cybersecurity kids aren’t all right

During the fourth year of our research survey on “The Future of Cybersecurity in Asia Pacific and Japan,” Sophos partnered with Tech Research Asia to explore a different, somewhat controversial subject — the impacts of mental well-being issues within the cybersecurity domain. The findings were astonishing: Over four out of five survey participants reported experiencing some level of exhaustion or weariness, with one main cause (lack of resources / overwhelming workload) mentioned in almost half of all responses.

Simply by inquiring about the well-being of our participants, specifically in relation to the maturity of their cybersecurity culture and the prevalence of fatigue or burnout, we sparked some intriguing dialogues. Interestingly, one of the most thought-provoking discussions was centered on the absence of communication between cybersecurity professionals and their top management or board of directors. This communication gap hints at a range of inherent issues that directly affect the maintenance of a strong institutional security stance – not to mention the well-being of the overwhelmed teams tasked with this responsibility.

Our discoveries

A striking 85% of respondents stated that their workforce had encountered, or was currently experiencing, fatigue and burnout (treated as two sides of the same coin in the survey). The intricate nature of the cybersecurity realm, as revealed by this report, accentuates the profound impact chronic stress has on the individuals who constitute the teams entrusted with safeguarding us. This stress is present even before any security incident occurs. (Situational stress might be an unavoidable consequence of crisis situations, but if the crisis persists, the stress becomes chronic.)

Diving deeper into the report, some of the primary reasons for this overwhelming fatigue and burnout aren’t surprising: 48% indicated that their exhaustion and weariness stemmed from a lack of resources, while 41% attributed it to the repetitiveness of routine tasks. Overall, respondents estimated that each employee loses an average of 4.1 hours per week due to fatigue or burnout – a significant fraction of the “standard” workweek, if such a standard truly exists in cybersecurity.

Surveys gauge perceptions, and although having a sizeable pool of over 900 individual respondents gives a sound statistical foundation, perceptions can be challenging to substantiate as facts. However, figures like these should raise a sense of alarm that at the very least should prompt a duty of care — to monitor individuals who might be overstressed and possibly struggling to cope with the daily workload. The sheer volume of data and incidents is undoubtedly a source of stress and concern, but one of the most unsettling revelations from the survey is that the pressure isn’t solely originating from external threats and technology issues. The problem may actually be internal.

As previously mentioned, the lack of resources and work disinterest are critical factors contributing to cyber burnout among our defenders. A significant part of these issues may arise from inadequate recruitment methods. According to various sources, many struggle to recruit and retain ‘talent’ in this vast industry. It’s common to hear stories of candidates entering the ‘cyber’ field only to realize that the job they are undertaking isn’t what they envisioned. Were they appropriately consulted regarding their roles and responsibilities? Do the job postings accurately reflect the actual job awaiting the successful candidate? Detection engineering, threat hunting, forensic analysis – these are all highly specialized technical areas within our industry. However, are these roles distinctly defined when urgent staffing needs arise?

As an industry, it appears that we don’t adequately address these issues, and this poses a dilemma. Hiring cyber professionals for roles that don’t align with their expertise or career aspirations is a certain way to undermine their effectiveness. At best, they must quickly adapt to a new specialty; at worst, they are set up for failure, leading to burnout not just for them but also for their colleagues.

In the worst-case scenario, this situation breeds apathy: “This isn’t what I signed up for. This is uninteresting.” It’s plausible to assume that this is one of the reasons why cybersecurity professionals start resisting their new roles — they are thrown into tasks they are ill-prepared for and are expected to perform without adequate training or support, despite the fact that these roles may not align with their broader career ambitions and interests. This lack of support and resources fosters more friction and hampers effective operational defense against threats – to the extent that 19% of respondents mentioned that such issues had contributed to a security breach.

Why aren’t we encouraging our teams of cyber defenders to engage more in activities they are passionate about, while guiding them towards enhancing their skills?

The necessary steps

This industry urgently requires a more positive approach towards cultivating a healthier cyberculture, and this initiative must emanate from the upper echelons of management down to individual operators. Alarmingly, 49% of respondents claimed that their company’s board members didn’t fully comprehend the demands pertaining to cyber resilience; 46% reported the same about their C-suite executives. This is concerning, as these are the very individuals who should be held accountable. Accountability begins and ends with them. They hold the authority to listen and to prioritize the organization’s efforts in addressing the issue, either through existing staff capabilities and resources or, if required, through reallocating resources to drive necessary changes.

Regrettably, survey participants indicated that non-committal responses from the top ranks are common, and their lack of awareness about their responsibilities leads to a misguided belief in how secure the organization truly is. (The lack of awareness at that level isn’t due to a lack of information; overall, companies brief their boards on cybersecurity issues monthly at a rate of 73%, with a similar frequency for the C-suite at 66%.)

This personnel predicament is essentially a matter of effective risk management. Presenting this case to the executive committee and the board might help them realize the severity of the situation: stress → fatigue and burnout → high turnover rates, or something more severe. We’ve witnessed examples of businesses, both small and large, succumbing to cyber breaches due to employee mistakes (or worse). Let’s view these real-life cases as a starting point to educate and instigate a shift in attitudes towards cyber resiliency.

When regulatory fines are imposed on directors, board members, and C-level executives by governing bodies, this punitive action might be viewed as a means of transferring stress from the front-line employees to the top tiers of the organizational hierarchy. Framing it in this manner could potentially redefine the level of accountability expected from the leadership and catalyze change. (It’s likely that the respondents would concur; when asked whether legislative changes mandating cybersecurity responsibilities and liabilities at the board level had increased the focus on cybersecurity at the organizational level, 51% saw a moderate difference, while another 44% perceived a significant impact.)

Team leaders and mid-level managers are pivotal in pinpointing areas where employees are burdened excessively and, at the very least, starting discussions on alleviating and preventing stress. However, it’s important to note that refined management skills are crucial, as simply asking, “What’s wrong?” might place additional strain on the employee.

There’s no instant solution to the prevailing workplace stress. Progress in attitudes towards superior stress management, and towards addressing other underlying cultural issues in cybersecurity, has traditionally been slow. Nevertheless, progress is being made, and technology leaders can influence change within their respective organizations even if they aren’t at the apex of the corporate hierarchy. Even small initiatives can invigorate your teams of cyber defenders. Consider the fundamental elements of their daily work: Equipping your personnel with appropriate technology to minimize distractions and repetitive chores, and providing them with processes to guide them through identifying and communicating risks, can establish a strong foundational framework.

Maintain regular communication with your team members and be alert to early signs of fatigue or burnout. Managers might find it challenging to identify these minor stress indicators individually, particularly since many defenders take pride in their resilience in tough work situations, but the cumulative effects of stress present a genuine vulnerability. (Moreover, remember to identify stress indicators in yourself and your peers. Managerial roles can be uniquely stressful, especially for individuals who deal with more administrative work than they initially desired.)

Stress management, and recognizing the susceptibility to stress that potentially affects everyone, is a competency many organizations lack. Recognizing stress and taking corrective actions to minimize or alleviate it is a solid foundation for fostering a robust cybersecurity culture. We hope that the simple act of inquiring about the well-being of our colleagues – and normalizing discussions on a topic often skirted around, glorified as indicative of a deep commitment to work, or even considered taboo – can empower infosec leaders to drive positive outcomes regarding cyber resiliency.
