The cybersecurity industry continues to focus almost exclusively on technology at the expense of dealing with the heart of cyberdefenses: the people. Yet the stress of expectations, limited resources, and detriments to well-being continues to cause havoc with the mental and physical health, productivity, and retention of the cybersecurity workforce.

A few of us on the S&R team decided to tackle the topic of burnout head-on. As we collaborated and wrote, as with all great pieces of research, we were challenged, we challenged one another, and we accepted wisdom on this topic. Our research (Forrester clients can read here) defines and deconstructs burnout in cybersecurity and offers detailed guidance on how you can address it. In this blog, we share our biggest learnings, and surprises, with you.

  1. Burnout in cybersecurity is NOT only a human issue — it’s a cyber risk. As with all difficult people-related matters, it is easy to relegate burnout as a social or mental health issue. Make no mistake, it certainly is that — we spoke to folks who came to the realization that they haven’t seen their kids for eight years, those who could no longer get up in the morning, and others whose bodies gave way to the physical symptoms of burnout. But, as well, burnout is causing critical talent to exit the industry and preventing others from entering — this ultimately impacts our ability to manage cybersecurity for organizations.
  1. Security leaders hold themselves to an unrealistic set of standards, at a cost. The purpose-driven nature of security pros adds a significant burden on people to “put up,” often for extended periods of time. The CISOs we interviewed spoke of their desire to support their teams, insisting that they take their vacation days and fighting for resources for them. When we asked whether they extended this kindness to themselves, we were often met with deafening silence. Their own needs were not always a priority — they talked to us about “servant leadership,” protecting their troops, giving everything to others, and sacrificing themselves as leaders. While the sentiment is noble, not only is this leading to their own burnout, but their teams may receive mixed messages when they model different behaviors from the ones they advise.
  1. We don’t spend enough time on understanding the inputs to burnout. Stand-alone, Band-Aid solutions such as self-care, meditation, and yoga are often offered to address burnout. As a yogi of 25 years, I can’t be more thrilled that we’ve normalized the conversation around mental health and self-care. As someone who has just completed the research, however, this terrifies me. Treating the symptoms without addressing the causes only masks the problem. We need to better understand this nuanced epidemic before we jump into solution mode. Burnout can usually be attributed to a chronic imbalance between the following:
          • Expectations: imposed by the organization (e.g., job tasks, work hours, dress codes) or self (individual intrinsic motivations, feelings of loyalty to a team, career ambitions)
          • Resources: organizational (e.g., pay, autonomy, job fit, tools, technology), social (team members, collaboration processes, recognition), or personal (personal energy, well-being, health, creativity, hours in the day)
          • Perceptions: How one feels about that relationship will often act as a modifier. A positive outlook on the direction of the organization or team and its culture means many will willingly work through imbalances. A negative perception of the organization or culture can exacerbate the imbalance even further.
  1. Women, and other groups in cybersecurity, face systemic issues that cause burnout. A study by Cybermindz showed that female engineers and consultants scored higher on the emotional exhaustion dimension of burnout than their male counterparts. This is unsurprising, given how much work women have to undertake to fit in. Incident responders, security analysts, and CISOs also face highly unique challenges, putting them at great risk of burnout.
  1. A deeply concerning percentage of cybersecurity workers are close to the edge. Our research into the causes and effects of employee burnout produced a surprise: Burnout isn’t always the opposite of engagement. It is not a binary state of yes or no. In fact, examining the relationship between engagement and burnout reveals four burnout segments, each with a different potential solution (see the figure below). The most concerning finding is that the 59% who are Tired Rockstars — if we are not careful — will slip to the Red Zone.

Image showing four segments of burnout.

Take The Burnout In Cybersecurity Survey

Forrester clients can take Forrester’s Burnout In Cybersecurity Survey to see what your profile is and what you can do about it. Reach out (see below) to learn how.

Let’s Connect

Forrester security and risk clients who have questions about burnout in cybersecurity, and how to best address this issue, can reach out to me or any one of my coauthors — Heidi Shey, Jess Burn, Jonathan Roberts, David Levine, Allie Mellen, or Madelein van der Hout — via inquiry or guidance session.