“At 5am on a Monday morning at the end of September I found myself at the top of a building incoherent with emotion, raging at the universe, and willing myself to jump off.”
So writes Thom Langford on the growing stress that came with his position as Chief Security Officer. This incident can serve as an extreme example of what is being termed ‘cybersecurity burnout’. Though many cybersecurity professionals may not be pushed as far as Langford, there is certainly a growing awareness of problems within this profession.
Stress in the cybersecurity profession was tangentially explored in a recent study by the Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA). The resulting report, The Life and Times of Cybersecurity Professionals 2018, looks at a number of attitudes of cybersecurity professionals towards their profession. It does not specifically target burnout, but I will try to use their data to see if it sheds any light on the burnout problem.
The increase in cybersecurity burnout coincides with a shortage of cybersecurity professionals. In other words, some key people may be leaving the profession at a time when they are most needed. That said, the study found that 86% of cybersecurity professionals were mostly satisfied with their jobs, even though they did not see a clear career path for themselves. Such uncertainty about their futures could lead some to move to a related profession that offers more chances for career development and job security. But how can you explain the relation between high job satisfaction and growing burnout rates? The answer seems to be that cybersecurity professionals enjoy the technical aspects of their job but dislike, or have insufficient tools to deal with, the personal interactions that are associated with it.
All jobs are, to some degree, stressful. However, this study exposes the particular frustration cybersecurity professionals experience in trying to maintain high security standards that few others in their enterprises truly understand or take seriously. Instead of being simply concerned with tangible security measures, they suddenly find themselves dealing with the psychological attitudes of cybersecurity-naïve employees and management. No one ever taught these technically minded professionals how to deal with the emotional resistance they would encounter when trying to change long-accepted, but outdated, cybersecurity behavior. They know what needs to be changed, but no one else does.
Faced with this indifference, one wonders if cybersecurity professionals can ever get a decent night’s sleep or enjoy days off. Cyber criminals know that the best time to launch an attack is on holidays and weekends, when most of the IT staff is away. Without a doubt, IT management realizes this as well, and it might make them more apprehensive when they are away from work than when they are at work. This condition may be responsible for the concern about professional life/personal life balance reflected in the chart below.
To a large degree, cybersecurity professionals feel underappreciated, if not unappreciated. They may be tolerated as a necessary evil in some organizations. This can easily happen if upper management does not fully understand the role of cybersecurity professionals in the company hierarchy. Basically, the only time that management pays attention to cybersecurity is when something goes wrong. This attitude, combined with management’s lack of knowledge of basic cybersecurity principles, may lead to a lack of communication between upper management and the IT department. The charts above indicate that this lack of communication is a major cause of job dissatisfaction.
Underappreciated workers are inevitably bound to look elsewhere for job satisfaction. They will either leave the enterprise they’re working for or leave the profession entirely, feeling that conditions will probably be no different in whatever organization they go to. Here is what the study found about why cybersecurity professionals leave their jobs.
Notice the feeling of alienation that many in the field feel. It is as if they are part of an enterprise and not part of an enterprise at the same time. This may be one reason for the rise of the virtual CISO: a CISO who remotely monitors a firm’s security needs. However, what we really see in the virtual CISO is institutionalized alienation. The virtual CISO position may be more beneficial for the company than for the person working as the virtual CISO. This is because the virtual CISO will continue to have all of the stress associated with a physically present CISO but with no change in the degree of acceptance or communication. In fact, the situation may be worse. Upper management may feel justified in not communicating with the virtual CISO since they are, after all, not really part of the enterprise.
The biggest cyber attacks that cybersecurity professionals have encountered have some relationship to all of the above-mentioned factors. Those participating in the survey claimed that major security breaches occurred because of employees who were unaware of proper cybersecurity practices and management that paid little attention to any input from the IT staff.
The mention in the chart below of the implementation of new IT initiatives without proper cybersecurity oversight seems to be a combination of a lack of communication combined with management’s lack of cybersecurity savvy. It often happens that a naïve CEO or other high-ranking manager hears about a new cybersecurity approach (such as cloud computing) and implements it without proper consultation with cybersecurity experts. The cybersecurity professional is only called in when something with the new initiative goes awry.
It is no wonder, then, that 91% of cybersecurity professionals feel that a major cyber attack or breach is inevitable for most organizations.
Within the prevailing climate of cyber-insecurity, it is little wonder that cybersecurity professionals feel the deck is stacked against them. They clearly feel the metrics favor the attackers. In fact, 93% of cybersecurity professionals feel attackers have the upper hand. This fact alone has to be demoralizing.
In many ways, cybersecurity employees are no different from any other employees. All employees want their work to be appreciated. For this to occur, they need feedback from their supervisors and company management. In short, they need good communication. They need to be respected and have their expertise treated seriously. But communication is not a one-way street. Upper management must be willing to take the time to understand the basics of cybersecurity, and IT staff must be told what the practical considerations are in adopting new cybersecurity strategies. Management, for example, may believe that cloud-based security is always safe and can never be compromised. It is here that the IT professional can explain that the cloud is actually just a server and that any server can be vulnerable to an attack. On the other hand, IT staff may believe a new cybersecurity tool should be implemented. However, management may need to step in to explain that practical considerations (cost, downtime, training) may make such a tool inappropriate. Subsequent negotiations will at least begin a dialogue, which is, after all, the point. Each side will go away with a little more understanding of the other’s position.
What really emerges from this report is that an enterprise’s cybersecurity is a team effort. Management must play its role in building this team approach and integrating the cybersecurity team into the enterprise at every level. This can only happen, however, if the enterprise truly concerns itself with cybersecurity. Waiting for a breach to occur is a dangerous way for management to begin taking an interest in cybersecurity. That approach often begins with blaming cybersecurity professionals and no one else, and this is certainly not a way to build a coordinated team approach.