Employee burnout plagues the cybersecurity industry and has for years. Sixty percent of companies struggle to recruit cybersecurity talent and 52% struggle to retain qualified individuals, according to Fortinet research.
With security teams on the clock 24/7 year-round, it's nearly impossible for cybersecurity professionals to have a work-life balance. It's therefore critical for enterprise and security leaders to learn how to prevent cybersecurity burnout.
1. Acknowledge the problem
More than 90% of security professionals are stressed in their role, and 46% have thought about quitting the industry, according to a report from Deep Instinct.
Stress stems from a variety of factors, from the overwhelming number of alerts security teams receive to insufficient staffing to handling new threats. Stress levels also depend on the role of the employee, whether they're on the front lines or in the C-suite or anywhere in between. Ultimately, for those on the front lines, burnout typically occurs within the first six months of employment. For managers, it usually takes one to two years to experience the same problem.
The truth is, everyone is feeling more pressure, regardless of their role. And once an employee leaves, it can make others feel more overwhelmed than they already were; it can be hard to backfill the position due to the competitive nature of the industry. Bad reviews from former employees can also make it harder to find a replacement as information spreads through the security grapevine rather quickly.
Exacerbating the issue, the Fortinet research found 80% of companies experience breaches that can be attributed to a lack of security skills or awareness. This is often when organizations buy tools and products to throw at the problem rather than dealing with the root of the issue. Some point toward cybersecurity insurance as the answer, but that's become much more difficult to obtain and it's unlikely to cover easily avoidable mistakes that get lost in the shuffle of turnover.
2. Address the issue
For starters, the entire industry -- from CISOs to hiring managers -- needs to acknowledge the security community has a mental health problem. If employees don't feel valued or heard, it can quickly lead to frustration, which in turn causes employee apathy -- the real root cause of burnout.
Many believe burnout is directly tied to too much work. In most cases, however, when employees are doing what they love, they don't tend to get burned out. It often boils down to whether their company and managers foster a sense of belonging, such as by listening to their concerns, being transparent, caring about their well-being and offering time for team members to "recharge their batteries," given the intense nature of the job.
Many organizations, however, continue to inadequately invest in their cybersecurity talent, costing valuable time and resources in the long term. To change the trajectory, companies should reevaluate their leadership and offer more benefits to address mental health.
Organizations should also offer accessible and affordable cybersecurity training. Many professionals are responsible for upskilling on their own time and dime, and many security training avenues are too cost-prohibitive, are too structured or don't promise jobs at the end. Companies need to find options that are flexible and provide hands-on learning opportunities.
3. Invest in diversity, equity and inclusion
Burnout has a strong tie to diversity, equity and inclusion (DEI) efforts across teams, whether they're security-related or not.
Simply put, if DEI were a priority for organizations, there would be greater representation on company boards. If employees see people who don't look like them on the board or even within the C-suite, they often feel like they don't belong. Although many believe they're an ally to minority or underrepresented groups, that belief doesn't always translate to those on the opposite end of the spectrum.
One example is reflected in the hiring process. If companies base job postings on the traits of people who've previously held those positions, it leads to unconscious bias and hiring teams may overlook those who aren't of the same demographic or socioeconomic status.
HR needs to reevaluate automated tools that scan resumes, as many good candidates are unfairly weeded out. Hiring teams also need to remember that candidates' resumes don't need to perfectly align with the job description -- skills can often be taught on the job.
The cybersecurity industry doesn't have a shortage of people. Hiring and retention practices are just not aligned with onboarding and training processes. By understanding that talented people are the most basic yet important asset within their organization, businesses can finally begin to invest in cybersecurity talent.
About the author
Chloé Messdaghi is the chief impact officer at Cybrary. Over the last 10 years, her work has helped businesses unlock opportunities to enhance trust and mitigate risk. Messdaghi is a public speaker, published writer and listed as one of Business Insider's 50 Power Players. She is also the co-founder of We Open Tech and Open Tech Pledge. She has an advice column called "Ask Chloé" on Security Boulevard and hosts ITSP Magazine's "The Changemaking Podcast."