teissTalk: Why your security team is burned out and what to do about it

Views on news

Cyber security can, at times, be "the best job in the world". But when things get bad "it can be a bit of a dangerous place to be". The stress that cyber-security professionals often experience is also revealing itself in data collected by ISC2, the membership organisation for cyber security professionals. Its Annual Workforce Study showed a 66% favourable job satisfaction rate in 2024, down four percentage points from the previous year. 

Professionals in the industry are increasingly being asked "to do more with less" which only increases stress and job dissatisfaction. Also, hackers have become more aggressive and as private and public sector organisations have digitised more of their operations, the ramifications of a cyber-attack or data breach are now more severe. Constant alerts from warning systems might compound the problem, presenting professionals with a barrage of data they have to make sense of. Burnout in cyber security shouldn’t be seen as a stigma but, rather, as an operational risk.  To address the issue, some responsibility should be taken off cyber professionals and working long hours shouldn’t be regarded as a merit. 

The cause of burnout and how to manage it

Consistently high levels of noradrenalin triggered by stress lead to taxing alertness characterised by anxiety, irritability, difficulty sleeping and always-on-edge feelings, which, eventually, can lead to systemic exhaustion. Security roles are also getting broader and more demanding and although cyber-security experts like to see themselves as superheroes, this is not a state that can be sustained for a long time. Small teams don’t necessarily experience higher levels of burnout, provided they have clear roles and processes in place. Budget constraints, however, are a big issue in companies both large and small. 

It’s not the event itself but our interpretation of it that causes stress. Blurring the boundaries at a workplace between time on and off is bound to trigger burnout issues in the long run. Practising for cyber incidents regularly and consistently means that they put less pressure on professional when they actually happen. Drilling is key to managing stress in the army too. Recruitment plays an important part as well – businesses should hire for temperament and train for competence. Diversity in a team means that members will also handle exposure to stress differently and there will be ones that can keep their calm and reassure others too during a crisis. Changing who the CISO reports to can also help – if it’s not just one board member but two or more the CISO reports to, it can become easier for them to get their message across, as well as to learn more about the business’s risk appetite.  When trying to figure out why one finds something stressful, they should consider how they feel about a situation requiring adaptability – whether they are entrenched in an old idea or unhappy about taking a new direction. As a cyber-security professional, you must set boundaries with both the upper management and your team to mitigate the risk of a burnout. 

The panel’s advice

• Put the right processes in place and adhere to them to prevent burnout.
• Switching off when not working is key to burnout prevention.
• Burnout can be the indirect cause of cyberattacks and data breaches.  
• Cyber is typically number eight on any board’s list of risks.