With the existing cybersecurity shortage, 61% of organizations report an increase in workload for existing staff. Burnout for security analysts is common and occurs quickly, within 1 to 3 years. The loss of critically experienced professionals is one of the most significant issues within the current shortage.
Entry-level positions in cybersecurity are quickly filled. Employers can be flexible in their selection process and train new hires. What employers cannot supply these new professionals with is the “experience” that burnout is draining from the talent pool. “Jobs that require less than five years of experience are filled within just three months 85 percent of the time, and 99 percent are filled within six months.” It’s the jobs that need 10 or 20 years of experience that take significantly longer to fill and can sit empty for years.
The fear of an attack happening at any time, unmanaged stress, lack of sufficient training, and the absence of clear wins all contribute to cybersecurity burnout. Shorthanded teams in a highly perfection-centered industry create the perfect storm. Add to that a lack of job security for CISOs: 12% believe they would be fired after a breach.
Symptoms of Burnout?
Burnout doesn’t happen overnight. Here are 10 signs to look for:
- Physical and emotional exhaustion, feeling tired or drained a significant amount of the time, and lacking the energy to engage in activities (social or athletic) as usual
- Frequently being ill, a reduced immune function, or an increase in other health problems
- An increase in pessimism, self-doubt, or feeling like a failure
- Feeling helpless, trapped, or defeated
- Increased interpersonal problems (at home or work), with potentially feeling detached or alone in the world
- Withdrawing from responsibilities, including taking care of yourself
- Isolating yourself from others
- Missing work, procrastinating, taking longer to finish tasks than usual, or not doing as well at work as before
- Staying preoccupied with work even when you are off duty
- A general decrease in satisfaction with everything
Job fatigue is real. Experiencing some of these symptoms from time to time is normal. However, a continual increase in number or duration could signal burnout.
Steps to Take
In 2015, a study was done on burnout in a Security Operations Center, resulting in the report “A Human Capital Model for Mitigating Security Analyst Burnout.” The findings indicated that it wasn’t simply the workload but a lack of cooperation between groups, misunderstandings that lead to inefficient task management, and incomplete information from other groups that contributed to burnout.
The same study identified that the “four factors that impact the creation and preservation of efficient security analysts” are skills, empowerment, creativity, and growth. Providing these for employees or for yourself may help prevent burnout and plug the drain of critically skilled talent in the cyber sector.
On an individual level, taking time to self-assess, setting boundaries, determining what training would better empower you to do your work, taking a break, reconnecting with family and friends, engaging in physically and emotionally engaging activities that are not work related, and setting up small wins are also helpful steps in navigating potential job fatigue.
Finally, the industry must “stop treating security as an option or hindrance, and let go of the ‘hero culture’ approach that is lionized by business and tech culture.” Burnout is a real factor in the cybersecurity industry, and one that everyone needs to become more aware of.