Leadership and recruitment changes needed to address burnout in cybersecurity

Most organizations—across almost every industry—have been forced to implement extensive digital components to their everyday operations so they can function efficiently. With this shift, cybersecurity awareness is permeating every business department and as malicious activity skyrockets, the role of security teams is becoming even more prominent across business functions.

In 2021, businesses suffered 50% more cyberattack attempts per week, and within this environment, 51% of those currently working in cybersecurity have experienced extreme stress or burnout. This stress is only further complicated by the widening skills gap, with more than 400,000 job openings all requesting cybersecurity-related skills. Now more than ever, it is critical that organizations address the issue of burnout among cyber employees before the talent pool dries up.

As a CSO, I understand the struggles that come with being in a security role. There is rarely a time in which it’s possible to separate oneself from the job. Most security practitioners will spend most of their waking hours—and sometimes their sleeping hours as well—thinking about their organization’s technology, the bad actors, and what new threats they could be facing tomorrow. These all-consuming stressors leave individuals very little room for self-care and, unfortunately, employers can also lack the infrastructure required to support employees who are struggling with burnout and mental health challenges.

If employees continue to feel unsupported in their roles and overtaken by negative emotions, they are much more likely to leave their jobs. The most effective way for organizations to mitigate this level of burnout is to thoroughly understand the pressure security practitioners are under, then take effective actions.

Encouraging high-level conversations

Many security professionals don’t feel comfortable admitting that they are struggling with their mental health because the threat of personal and professional repercussions can be daunting. Therefore, those senior leaders who are unafraid to speak out should take ownership of educating executive teams and bringing these critical conversations to the top. With that said, the elevation of such conversations should not stop at the organization’s C-suite but continue all the way to its executive board.

Not only is the board responsible for governing the company’s cybersecurity risk and strategy, but it is also the first stop for decision-making that can have an impact on the overall health of an organization (from hiring practices to day-to-day operations). These decisions should always promote a “psychologically safe” environment for their employees and prospective talent—meaning the organization fosters an environment that feels comfortable and supportive.

Building such an environment cannot happen unless there are advocates willing to speak about the mental health issues their teams may be facing, including the increased pressure on cybersecurity professionals. Ultimately, ensuring security practitioners feel supported and empowered while doing their jobs falls on an organization’s leadership. Otherwise, they risk losing key talent that is crucial to protecting the entire organization and its data against the next cyberattack.

Promoting individual empowerment

If security teams are going to function effectively and contribute to long-term business success, the mental health crisis permeating the cybersecurity industry must be addressed from all sides. While board-level discussions need to happen for effective changes to be made, security teams must also be encouraged by their direct leads to improve their work-life balance at an individual level. While organizations can invest in programs and tools that help employees identify strategies for stress management, cyber professionals themselves must also decide to make self-care a priority.

Most security professionals operate with a fast-paced, results-driven mindset and, when faced with workplace stress and challenges, their immediate reflex is to keep pushing themselves and stay quiet. The constant stream of threats coming toward an organization places immense pressure on security professionals and can put them on edge. As a result, allowing this stress to be the main facilitator for project completion may temporarily drive results, but it is not sustainable. This is the kind of stress and overexertion that leads to burnout and an unproductive work environment.

Instead, these practitioners must be encouraged to detach. Embracing daily personal wellness strategies, as well as taking time to breathe and regroup away from the computer screen, is a much more effective way to foster a healthy pattern of productivity when overwhelmed. In addition to daytime stress mitigation, taking time at the end of each day to review action items and opportunities for improvement and putting them on paper can also help alleviate the mental strain of retaining information that doesn’t need to live in an individual’s mind.

Changing the future of recruitment

It is both outdated and unproductive to harbor the mindset that an applicant applying to an open cybersecurity role at a company should have skills and experiences that align perfectly with the position. This only allows for cyber teams to remain understaffed for longer periods of time, prolonging additional stress for current security employees.

Rethinking job descriptions to be more inclusive and focused on core requirements may open the door to non-traditional candidates that will bring significant value to the team. By emphasizing the availability of training, mentorship, and resources to help support an individual’s expertise and career growth, businesses will likely find the talent they may have missed out on with a narrow job description. This will ultimately help shrink the existing cyber skills gap and bring in additional employees that can effectively alleviate some of the pressure that current team members are facing.

Alongside such changes in hiring, recruitment should also involve properly educating young professionals about security careers. Clarity must be provided around the roles they choose to seriously pursue before the responsibilities of that new role potentially overtake them and they quit. It’s also important to note that those who are interested in pursuing a career in cybersecurity but aren’t familiar with the industry, most likely picture “black hat” hackers as the only type of “cybersecurity professional.” But there is a wide range of cybersecurity professions that require varying security skillsets. By not effectively advocating for and educating young or aspiring professionals on the possibilities for a cyber career, organizations and business leaders are further contributing to the existing skills gap and lack of visibility over the many unique opportunities that exist in this space.

The role of a cybersecurity professional is both complicated and critical, so teams will always be under some sort of pressure. The most important thing we can do is talk openly about the causes of such stress and provide support where necessary. Fortunately, this new era of work comes equipped with a plethora of programs and tools for aiding employees and guiding employers to make their organizations a positive place to work. This makes taking action the only reasonable response to the existing mental health crisis.