Low Battery: Ransomware Pressure Drives Cybersecurity Professionals to Quit
Ransomware. Nation-state attacks. Massive data breaches. The headlines are full of cybersecurity threats and incidents, and the persistent pace of attacks is driving “increasing and unsustainable stress levels” in the cybersecurity workforce, according to a report from cybersecurity company Deep Instinct.
More than 90 percent of cybersecurity professionals are stressed in their roles, and many concede that it is negatively impacting their ability to do the work, ZDNet reported.
Security leaders are hit particularly hard. One in three C-suite cyber executives—including CISOs, CTOs, ITOs, and IT strategy directors—said they were highly stressed. The report, Voice of SecOps 2022, found that 46 percent of senior and executive-level cybersecurity professionals have considered quitting the industry altogether due to stress, which is being driven by an “unrelenting threat from ransomware.”
“The stress we’re seeing across the cyber industry appears to be accelerating the exodus of talented people from the industry: a particular challenge when many cybersecurity defences and mitigation processes are human-dependent, requiring constant monitoring and intervention,” the report said.
The unrelenting threat of ransomware is pushing cybersecurity workers to quit https://t.co/yOvnG22yOd
— ZDNet (@ZDNet) June 15, 2022
Remote work has made cybersecurity management even more challenging. Remote work leads to diminished oversight of devices and IT security practice compliance, according to ZDNet, and the Deep Instinct survey found that 52 percent of C-suite professionals said securing a remote workplace was their biggest cause of concern.
Security operations teams are also juggling larger workloads and longer hours in the face of heightened cybersecurity threats. Of cyber professionals outside the C-suite, 47 percent told Deep Instinct that they felt pressured to stop every threat—despite acknowledging that this is impossible—and 43 percent said there was an expectation to be always on call or available.
As one UK-based CISO at a large police force said, “We are too reliant on the hero mentality—we have some people who are working 16-18 hour days at times. That’s not sustainable, and we certainly shouldn’t be expecting people to put in those kinds of shifts as a part of our capability. They’ll burn out.”
Burnout doesn’t just have effects on the available workforce—it has security ramifications. According to a 2020 study from Tessian and Stanford University, 88 percent of data breach incidents were caused by human error—47 percent cited distraction as the top reason for falling for a phishing scam, and 44 percent blamed tiredness or stress.
According to Tessian CISO Josh Yavor in an interview with ZDNet, “ when people are stressed or burned out, their cognitive load is overwhelmed, and this makes spotting the signs of a phishing attack so much more difficult.”
Burnout is not limited to cybersecurity, however. According to the National Safety Council (NSC), nine in 10 employees said their workplaces caused them stress, and 83 percent said they experienced “emotional exhaustion.” The December 2020 Mental Health Index found that in the first year of COVID-19, there was a 9 percent decline in memory recall capacity overall and a 62 percent decrease in focus and sustained attention capacity, Security Management reported.
“Our work and our workplaces impact our mental health and wellbeing,” the NSC said. “This has never been more evident than with the changes in working conditions this past year—with some working from home indefinitely, some in extraordinarily high-stress and high-risk frontline jobs, often for longer hours, and others experiencing layoffs and job insecurities. …Mental distress includes periods of intense nervousness, hopelessness, restlessness, depression, feeling like things require great effort, or feeling worthless or down on oneself. This distress is painful and costly for both employers and employees.”
Cybersecurity is a stressful business. Here’s what managers can do to help reduce stress in the workplace and promote a healthy work–life balance. https://t.co/MK2Mq0mPzN
— Security Management (@SecMgmtMag) June 3, 2020
“Some teams are in a constant state of overwork and intense activity,” wrote Sarah Powell, director of emergency management at Temple University, for Security Management in 2019. “A colleague recently told me that her team is subject to relentless and unmitigated pressure and high-stress assignments. This has created a revolving-door-like turnover, as staff seek employment elsewhere that will provide a more balanced workflow.
“Savvy managers understand that they may need to protect their teams by providing opportunities to wind down operations a bit after periods of intense activity,” Powell continued. “Some give team members an opportunity to work on projects they enjoy, without brutal deadlines. This helps team members regain a sense of work balance before a new high-intensity period arrives.”
To learn more about managing teams under high-stress situations or combating burnout, check out previous coverage from Security Management:
- How to Help Prevent Employee Burnout
- Under Pressure Managing Team Wellness
- How to Address Shift Stress in Security Operations Centers
- Engaging Employees on Their Mental Health