The forgotten human factor in cybersecurity

What is it to be a cybersecurity professional? As a psychologist entering the industry several years ago, I was impressed (and surprised) to discover the multitude of skill sets, many with extreme industry specificity, that are required of CISOs. I was also surprised at the frequency with which many change employers or move out of active security roles to more advisory positions (read: consulting). Throughout our work at praxis security labs, I have begun to see why.

Following reports that the vast majority of cyber attacks somehow leverage human vulnerabilities (Verizon 2022), the term “human factors” is becoming integral when discussing cybersecurity. However, there is one human factor that is flying under the radar, one that is putting everyone at risk - the wellbeing of cybersecurity professionals.

Over half of cybersecurity professionals have experienced extreme stress or burnout

Forrester reports that 51% of cybersecurity professionals experience extreme stress or burnout throughout their careers (Forrester, Predictions 2022: Cybersecurity, Risk, And Privacy). Let us take a look at what that actually means for those affected, according to the WHO:

  • feelings of energy depletion or exhaustion;
  • increased mental distance from one’s job, or feelings of negativism or cynicism related to one's job; and
  • reduced professional efficacy.

Burnout, or extreme stress, is often only discussed within the context of the workplace and how it influences the ability of the individual to do their job. However, the emotional impact of work is not left at the door when one leaves the office - these feelings affect home, families, and quality of life. Those experiencing severe burnout will find recovery difficult. Those who emerge from the other end of such an incident will find themselves at a lifelong increased risk of it happening again. This leads to cybersecurity professionals often changing workplaces, requiring sick leave or quitting the industry altogether.

Is the issue really one of just workload?

The assumption made by many is that cybersecurity professionals experience burnout because there is too much work and not enough resources, and that while this imbalance continues, the inevitable weight of “not enough” eventually takes its toll. This is only part of the story - many security professionals I have spoken to feel that they would be able to sufficiently fulfil their job role if they were provided with better working environments, despite the high workload.

Security professionals are often isolated in their work roles, which in the (in)appropriate environment can feel like it's them against the organization. We often hear how they struggle to get cooperation from stakeholders to make necessary improvements in security, find little support when trying to engage employees across their organization, and are either not given sufficient budget or have too little control over budget decisions.

Projects aimed at improving the state of security often take months or even years to begin to implement due to bureaucracy and/or a lack of understanding from board members, and many are fighting tooth and nail for the smallest amount of cooperation. The weight of the responsibility of keeping an organization safe from (or resilient to) cyber attacks becomes too heavy to bear when one is not given the time, cooperation or resources to meet that responsibility. 

3.5 million unfilled positions in the industry in 2021

This is not just a problem for those directly affected - cybersecurity is in dire need of more professionals. This is only set to continue as more industries make the switch to heavier reliance on digitalisation (such as shipping, for example). When we consider that 3.5 million cybersecurity positions remained unfilled in 2021 (CybersecurityVentures), the issue of burnout becomes a worrying trend that urgently needs to be addressed. We don't have enough skilled professionals as it is; running those we have into the ground is disastrous.

You don't need to take my word for it. Research into burnout specifically within the field of cybersecurity has seen a significant rise in popularity in the last two years, which in itself is a sign of the rising problem and its potential impact going forward. Peer-reviewed articles by and large agree that “Human performance degradation in cybersecurity is a critical risk factor and requires immediate attention” (Nobles, 2022).

What to do if you or a colleague are suffering from burnout

The science is clear - you need to stop working, and spend time on activities that are non-work related (Oerlemans & Bakker, 2014). This is part of the reason why burnout is so dangerous for the industry and the individual - many will not return. As a board member or stakeholder in an organization, you can help prevent burnout in your cybersecurity colleagues by:

  • Being proactive in learning and understanding the risks as they are presented to you, and generally approaching cybersecurity with a more positive than skeptical position.
  • Integrating cybersecurity professionals as much as possible with the rest of your organization. The days of your “IT guy” in the basement should be well and truly over. Cybersecurity is essential for everyone, and a culture where that is physically demonstrated will ease the process and remove social barriers for those working to protect your organization.

The current cohort of cybersecurity professionals, be they consultants, CISOs or otherwise, are some of the most valuable and irreplaceable members of the global workforce. Their years of knowledge and on-the-job experience need to be leveraged to train those needed for the next generation. We lose them at our peril.

Do you want to make positive changes to cybersecurity at your organization? We can help. Contact us today for a meeting with one of our team.

 

References

1. Oerlemans, W. G., & Bakker, A. B. (2014). Burnout and daily recovery: a day reconstruction study. Journal of Occupational Health Psychology, 19(3), 303.

2. Cybersecurity Ventures. https://cybersecurityventures.com/cybersecurity-jobs-report-2019/

3. Nobles, C. (2022). Stress, Burnout, and Security Fatigue in Cybersecurity: A Human Factors Problem. HOLISTICA–Journal of Business and Public Administration, 13(1), 49-72.