Cybersecurity burnout is real. And it's going to be a problem for all of us

Burnout might be the most critical cybersecurity risk facing organizations in 2022. So, how do we tackle it?

Burnout has become endemic in the tech industry.

With the number of data breaches in 2021 soaring past that of 2020, there is even more pressure on security teams to keep businesses secure in 2022. But at a time when strength and resilience have never been more important, burnout, low staff morale and high employee turnover could put businesses on the back foot when attempting to manage the mounting cybersecurity threat.

Employers already face something of a dilemma when it comes to cybersecurity in 2022. Not only is the number of attempted cyberattacks escalating worldwide, but employers face the added pressure of a tightening hiring market and record levels of resignations that are also affecting the tech industry.

This battle for talent could hit cybersecurity particularly hard. According to a survey of more than 500 IT decision makers by threat intelligence company ThreatConnect, 50% of private sector businesses already have gaps in basic, technical IT security skills within their company. What's more, 32% of IT managers and 25% of IT directors are considering quitting their jobs in the next six months – leaving employers open to a cacophony of issues across hiring, management, and IT security.

Many employees are being lured away by the prospect of better pay and more flexible working arrangements, but excessive workloads and performance pressures are also taking their toll. ThreatConnect's research found that high levels of stress were among the top three contributors to employees leaving their jobs, cited by 27% of survey respondents.

Burnout threatens cybersecurity in multiple ways. First, on the employee side. "Human error is one of the biggest causes of data breaches in organisations, and the risk of causing a data breach or falling for a phishing attack is only heightened when employees are stressed and burned out," says Josh Yavor, chief information security officer (CISO) at enterprise security solutions provider Tessian.

A study conducted by Tessian and Stanford University in 2020 found that 88% of data breach incidents were caused by human error. Nearly half (47%) cited distraction as the top reason for falling for a phishing scam, while 44% blamed tiredness or stress.

"Why? Because when people are stressed or burned out, their cognitive load is overwhelmed and this makes spotting the signs of a phishing attack so much more difficult," Yavor tells ZDNet.

Threat actors are wise to this fact, too: "Not only are they making spear-phishing campaigns more sophisticated, but they are targeting recipients during the afternoon slump, when people are most likely to be tired or distracted. Our data showed that most phishing attacks are sent between 2pm and 6pm." 

Carlos Rivera, principal research advisor at Info-Tech Research Group, says the role exhaustion plays in making a company susceptible to phishing attacks should not be shrugged off or underestimated. It is, therefore, good practice to create a simulated phishing initiative as part of an organization's security awareness programme, he tells ZDNet.

"This program can be optimized by enforcing an hour's worth of training per year, which can be carved into five-minute training sessions per month, 15 minutes a quarter," says Rivera.

"In order to have the most impact on your training effectiveness, base it on topics stemming from current events that typically manifest as tactics, techniques and procedures used by hackers."

A report by analyst Gartner recently argued that the role of the cybersecurity leader needs to be "reframed" from one that predominantly deals with risks within the IT department to one that is responsible for making executive-level information risk decisions and ensuring business leaders have comprehensive cybersecurity knowledge.

The analyst predicts that 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026. This would mean that cybersecurity leaders will have less direct control over many of the IT decisions that would fall within their remit today.

"Cybersecurity leaders are burnt out, overworked and in 'always-on' mode," said Sam Olyaei, research director at Gartner. "This is a direct reflection of how elastic the role has become over the past decade due to the growing misalignment of expectations from stakeholders within their organisations."

Yavor also says it is critical to consider how burnout affects security teams and the knock-on effects for the wider organization. According to Tessian research, security leaders work an average of 11 hours extra per week, with one in 10 leaders working up to 24 hours extra a week. Much of this time is spent investigating and remediating threats caused by employee mistakes, and even when they've logged off, some 60% of CISOs are struggling to switch off from work because of stress.

"If CISOs are experiencing this level of burnout, imagine the impact this has on the wider organisation as well as the people they work with. You're going to lose good people if teams are constantly burned out."

The culture around cybersecurity also needs to change: Yavor believes it wrongly idolizes overtime and the sacrifice of personal wellbeing for the sake of the company.

"As security leaders, some of our most exciting stories include pulling all-nighters to defend the organisation or investigate a threat. But we often fail to acknowledge that the need for heroics usually indicates a failure condition, and it is not sustainable," he says.

"As leaders, it's critical that CISOs lead by example and to set their teams up for sustainable operational work. Ensure there is confidence in the boundaries that are set – when you're off call, you're off call – and that the whole team feels supported."

Rivera points out that the growing popularity of remote working might be increasing the tendency of staff to put in longer hours, which may "contribute to burnout, unaccounted absences and in some cases, higher than expected turnover."

Security and tech teams should work with other departments to bring organizational awareness to the issue of burnout and overwork, Rivera says, which can help managers identify single points of failure and instil a culture of resiliency within the company.

This approach includes adopting a "left-shift mindset" within the development environment, where burnout and stress can lead to errors slipping through the gaps and making their way into published code. "Organizations will face the least risk when introducing security as early as possible in the development process and leveraging tools to automate and support this goal," says Rivera.

On the technical front, building a continuous integration/continuous delivery (CI/CD) pipeline – and deploying tools such as an integrated development environment (IDE) – will give organizations the best chance of success. "An IDE will consist of a source code editor, debugger and build automation tools to provide the developer with self-service capabilities and identify errors in near real-time. IDE coupled with static analysis security testing and open-source scanning automated into the build pipeline will provide effective defect mitigation," Rivera adds.
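
Rivera's point is that the pipeline, not a tired engineer, should be the thing that catches defects. The following GitHub Actions workflow is an added illustration of that setup and is not from the article, from ZDNet or from Info-Tech Research Group: it runs static analysis security testing (CodeQL) and an open-source dependency review on every pull request, and blocks the merge when a newly introduced dependency carries a known high-severity vulnerability. It assumes a GitHub-hosted repository, Python code and a default branch named `main`; the workflow name is invented for this example.

```yaml
# Added example (not the article's or Info-Tech's code): a pull-request workflow
# that automates SAST and open-source scanning in the build pipeline, so security
# checks run consistently regardless of how stretched the reviewing team is.
# Assumptions: GitHub-hosted repository, Python code, default branch "main".
name: shift-left-checks

on:
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload CodeQL findings to the Security tab

jobs:
  sast:
    name: Static analysis security testing (CodeQL)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          languages: python
      # Builds the CodeQL database and runs the default query suite; findings
      # appear as code-scanning alerts on the pull request.
      - uses: github/codeql-action/analyze@v2

  dependency-review:
    name: Open-source dependency review
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Compares the PR's dependency manifest against the base branch and fails
      # the check if a newly added dependency has a known high or critical CVE.
      - uses: actions/dependency-review-action@v3
        with:
          fail-on-severity: high
```

Both jobs are read-only with respect to repository contents, and the only write permission granted is the one CodeQL needs to publish its results. Marking these two checks as required in the branch protection rules is what turns them from advice into a gate: a pull request cannot be merged while either job is failing, whatever the hour of the day.
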

As in any job function, communication is also critical. CISOs need to do a better job of communicating their capacity constraints, which Yavor says will set a precedent within the wider organization for admitting limitations.

"Be comfortable in saying, 'it's not possible for me to do these things, with the resources and the constraints we currently have,'" he says. 

"There is this unfortunate trend of heroism in the security industry – and that mindset needs to change."

Source - Owen Hughes – 25 February 2022 - ZDNet