Forrester predicted that in 2023, a Global 500 firm will be exposed for burning out its cybersecurity employees. In 2022, we saw at a very practical level in Australia that weaknesses in our cyberdefenses can impact society at mass levels. Impacts of breaches at Optus, Medibank, EnergyAustralia, and MyDeal include fines, exposure of millions of records, customer accounts taken over, and data sold. The media and social media called out root causes such as misconfigured APIs, compromised credentials, bad development practices, and account takeovers — to a point that my mother, an immigrant doctor at the end of her medicine career (with minimal tech or security experience), was asking me to explain misconfigured APIs.
Why are we sharing these breaches in a blog on burnout? We want to bring to our collective consciousness something that’s seldom discussed in public forums when such breaches occur or, at least, not enough in my view — the people on the front line. They are the heart of cyberdefenses. They’re doing all the defending.
Yet how much do we think about them and their experiences at work? Are they supported? Are there enough of them? How do their jobs impact their mental health? What happens to customers, employees, and society if they are not taken care of? They’re certainly feeling that right now — in Australia and elsewhere.
So let’s take a moment to take a look at the unsung heroes of our time and what they’re experiencing.
Soon-to-be-released research by a not-for-profit organization in Australia, Cybermindz, shows that cybersecurity workers scored significantly worse than the general population in one of the key burnout metrics of “professional efficacy” (how well workers think they’re performing in their current role). Preliminary findings also show that they are suffering burnout at a rate higher than healthcare workers.
A separate study of 1,027 members of security teams across the US and Europe shows that 66% of team members have significant levels of stress at work, 51% have been prescribed medication for their mental health, and 19% consume more than three drinks daily to deal with stress.
So let’s break burnout down — specifically for what it means for cybersecurity. We often think of the mental health impacts of burnout, and as shown above, these are significant. But there are other lesser-known and -discussed impacts. According to the (ISC)² Cybersecurity Workforce Study, the 2022 global cybersecurity workforce gap is 3.4 million workers, and in that context, we cannot afford to lose more talent. Yet a recent study of cybersecurity in critical national infrastructure organizations showed that 57% of directors state stress and burnout as the top reason for leaving their position. Productivity is also reduced, with 64% of security team members saying that stress has affected their productivity.
Even more upsetting and concerning are the reports of work-related deaths that we read about in 2022. In September 2022, a 33-year-old employee in a consulting firm in Australia was found dead, with some reports citing working long hours and cultural issues as a reason. Similarly, in China, a male employee of a tech company died, leading many to publicly comment on the heavy pressures of working in China’s large tech companies.
Not only do you want to protect people, care for their health, retain your talent, and create an environment where cybersecurity teams can do their best work (i.e., minimize risk for the organization and build trust), you also want to avoid being a firm that gets exposed for burning out its cybersecurity employees. In 2022, we saw tech whistleblowers go out with a bang, and cybersecurity will not be immune.
What does all of this mean? Researching and writing about burnout in cybersecurity is on my research agenda for 2023, and I intend to do it justice. I’ll therefore be collaborating with my colleague Jonathan Roberts, who has led the way in burnout research at Forrester, with reports such as The People Leader’s Guide To Burnout and Stop Burning Out Your Best People.
My key takeaways so far? Jonathan’s research tells us to evaluate and address the inputs to staff burnout — for incident responders, for example, yes, ransomware is a heavy contributor to stress, but what also contributed to this stress is managing stakeholder expectations, lack of visibility and recognition, and receiving pushback on recommendations.
Any of us who’ve been in cybersecurity are well familiar with the stress that comes from lack of organizational buy-in. If you’re a people leader, your job is to provide both physically and psychologically safe environments. For anyone else reading this, do all you can to ensure that cybersecurity teams have the tools, processes, and budgets to complete their jobs — there is a lot at stake, not just for them but for employees, customers, and society.
And last but possibly most important, from my perspective, at least, having been in this industry for 23 years: Normalize the conversation around mental health and burnout. Until about 2018, burnout in cybersecurity was discussed in hushed and careful whispers, with one or two small studies focusing on CISO burnout. I’m thrilled to see the myriad of studies conducted, conversations taking place, and elevation of this topic by organizations. I’m also delighted to be doing my small part in addressing the related issues — it’s not only a moral but also a business, retention, and productivity imperative, and we all need to get on board.