Burnout has definitely hit the cybersecurity industry. Hard.
A recent Gartner report describes cybersecurity leaders as “burnt out, overworked and [working in] ‘always-on’ mode.” Why are they always “on”?
According to the same report, there are a few reasons. Cybersecurity leaders are increasingly striving to manage expectations around managing risk and facilitating secure yet agile product development. They are also seeing more control and decisions that impact security risk move beyond their line of sight in the organization. But they struggle to share accountability in the same way in order to make security an organization-wide function rather than a departmental one.
These complex challenges put them at high risk for ongoing stress and burnout.
Technically speaking, burnout is a state of physical and mental exhaustion due to overwork and stressful work conditions. Eventually – and inevitably – “always-on” leaders will crash and burn. And then they will experience the classic burnout symptoms: crippling fatigue, frustration, and cynicism. The result is decreased professional satisfaction and productivity.
Burnout is Costly.
Burnout costs organizations in many ways. We can draw a straight line between exhaustion and human error, which may account for up to 88% of data breach incidents. That number comes from a joint study between Tessian and Stanford University researchers in 2020. In a follow-up report in 2022, roughly half or more of surveyed employees said they make mistakes when they are working quickly (47%), feel stressed (50%), and/or are tired or distracted (51%).
We can also draw a straight line between burnout and the Great Resignation. In the Stanford/Tessian study, nearly 6 out of every 10 employees said that their departments are understaffed in the wake of unprecedented quit rates over the last 18 months. What’s more, threat intelligence company ThreatConnect has reported that a third of IT managers and a quarter of IT directors are considering quitting their jobs this year.
This will of course put a greater burden on remaining staff, which will lead to greater stress and strain, greater burnout, greater chance of human error, and…well, you get the idea. This feedback loop of burnout, human error, and greater risk means the cost of burnout will only continue to rise… unless something is done about it.
Burnout is a Shared Responsibility.
Let’s nix the idea that the problem of burnout is: 1) simple; 2) caused by a few superficial issues; and 3) best fixed by the burned-out individuals themselves. Research says that addressing burnout is a shared responsibility between individuals and the organizations they work for. Sure, employees can use mindfulness apps and yoga to help treat their symptoms. But these will not cure more systemic issues with workplace culture, the glorification of work overload, and so on.
The Solution to Burnout is to Rethink, Retool, and Rebound.
Cybersecurity leaders are already aware that a new approach is needed. Leaders are rethinking the technology stack, tools used, vendor consolidation, and more agile, distributed decision-making models. It’s a great start.
To maintain momentum, leaders must also identify what employees are experiencing in their organizations and the underlying causes of burnout. This will be critical to changing the culture and to holistic behavior changes that reduce risk, engage employees for enhanced performance, and limit hiring and turnover challenges. Common causes of burnout, particularly when there is quick growth and change, include imbalanced workloads, staffing that does not grow in step with the increase in work volume, inefficient or inconsistent processes, misaligned talent, and a workplace culture that boosts burnout and stifles well-being.
Leaders need to rethink:
- How they play a role in the creation of culture (spoken and unspoken) that perpetuates burnout;
- How to manage workplace stress at the individual, team, and organizational levels;
- How to be deliberate in recovering from crisis and burnout; and
- How to apply evidence-based approaches to address workplace stress at its source.
Next, leaders can focus on building the skills, technologies, talent practices, and workflows that will make a difference today and better prepare the cybersecurity industry for the future. This retooling may involve incremental changes at several levels: organization, departments, teams and individuals.
When discussing changes, effective leaders will include those closest to the work in order to build trust and buy-in for the change. They will also customize new tools and approaches to fit the specific and unique needs of their organization, team, and/or individual.
New tools on the cybersecurity horizon may include:
- Enterprise security charters signed by the board and C-suite executives that outline decision-making strategies to protect organizations against cyber risk;
- New advisory services that provide guidance to the rest of the organization on security and risk;
- New performance goals related to security and risk for leaders across the organization;
- Holistic-leadership skill building;
- People-focused routines, rituals, benefits, and behavioral skill building to support employee well-being and engagement; and
- On the technical side, deploying Integrated Development Environments (IDEs) to help developers fix, as early as possible, errors that would otherwise leave organizations vulnerable to risk.
The rebound phase means more than recovery from overwork and burnout. Leaders must also build a safe, resilient workplace culture that prevents further burnout and promotes wellbeing. This includes leading by example. Leaders will be responsible for setting the pace for the work to get done and exemplifying appropriate work-life integration themselves. Putting new ways of thinking and new tools into practice in a sustainable way will be essential to coming back from burnout.
Burnout is not just a CISO problem anymore. This crisis now includes the areas of governance, risk, and compliance. Organizations and leaders need to take immediate action to rethink, retool and rebound from burnout. Cyber growth and change show no signs of slowing, and there will inevitably be other crises to hit the industry, so what we do now will be critical to the strength, resilience, and scalability of the cyber industry.