Share this article on:
Cyber security is the hottest place to be in technology right now, between setting the pace for government agencies and organisations to fend off the bad guys and sitting at the convergence of machine learning, social engineering, and advanced computing.
Working with cutting-edge tools and in fast-paced environments is a huge draw for many people to enter cyber, but as an industry, we’re not doing enough to keep practitioners healthy and happy once they’re in the field. According to a Gartner report published earlier this year, stress alone will cause at least 25 per cent of cyber security leaders to exit their roles by 2025, and with the high stakes, 24x7 nature of the job not changing anytime soon, that number is liable to rise. It’s not tenable to continue to ignore the ticking time bomb of burnout in cyber security.
The unique challenge that cyber security faces, when compared to other realms of technology, is that there is a real adversary that, quite literally, never stops working to make you or your cyber security organisation’s products obsolete. This intrigues plenty of people who like solving problems for a living, but it can wear on a person to encounter an ever-evolving threat landscape day after day that usually only ever gets more difficult to protect against. The amount of time the cyber community needs to invest in staying up to date can be daunting and often cuts into the personal time of its practitioners. This, coupled with businesses struggling to find the right tools, products, and cyber partnerships, as well as corporate budgets being slimmed down, lands us in a perfect storm of high stress. This isn’t a new phenomenon, as a 2021 VMware report found that 65 per cent of cyber security professionals say they’ve considered leaving their jobs due to stress. There’s no doubt that the pandemic exacerbated the stress levels of cyber security professionals by limiting their resources and expanding their workload as many businesses shifted to remote work. But with 30,000 open jobs throughout the industry in Australia, it’s unlikely that pre-pandemic workloads will return anytime soon.
The impending economic downturn that many experts are predicting will also likely limit the amount of resources available to stressed-out cyber security professionals. A quarter of respondents in Arctic Wolf’s “State of Cybersecurity Survey” recently conducted in Australia and New Zealand say they cut IT and security headcount last year, with 15 per cent also expecting to conduct layoffs in 2023. Surprisingly, the survey also found a disconnect between executives’ confidence in their team’s ability to defend against attacks (88 per cent) and the increased threat levels, ultimately creating more pressure on cyber professionals.
I would go as far as saying there’s no area of the community that isn’t under some element of stress. But there are signs, and strategies, that could improve the reality that talented and eager practitioners face over the next several years. On a positive note, with the layoffs in the tech sector, we are also seeing a lot of extremely qualified candidates applying to open roles in cyber, providing a great mixture of talent to be building teams at this time. If companies aren’t getting ahead of the burnout with their most precious assets, they will see them leave, incentivising businesses to perhaps reduce the stress of their employees. And there are plenty of ways to accomplish that.
Hiring additional staff or putting the staff you do have on shorter shifts is a great way to reduce the burnout that can happen when a few employees are asked to tend to entire organisations’ security needs. Improving pay and benefits or offering additional resources at work to boost the quality of life in the office will lift spirits, but now is the time to get creative. If we have a focus of investing in our people and search within ourselves, we can find creative ways to provide space and time for team members to thrive in the cyber world.
There’s no easy way to help people without directly understanding what their problems are, and the more comfortable employees feel in addressing their issues and concerns, the clearer the path leadership will have to fix them. Optimisation of processes or deprioritising under-valued “busy work” may be what needs to happen through challenging times. These critical conversations should be had weekly or bi-weekly, not just once, to ensure that cyber professionals stay on a sustainable work schedule, and they should include everyone from the C-suite to the first-year analyst.
Setting boundaries to prevent stress is a mental health conversation that may not be comfortable for everyone but will benefit those who need it most immediately. Thankfully, as the pandemic shifted conventional workplace schedules and behaviour, these conversations are more common than ever across different industries. But in cyber security, in order for the industry to sustain its growth, we need to take burnout in the workplace seriously — and we have no time to waste.
Lisa Tetrault is vice-president, global security operations, at Arctic Wolf