It’s no secret that burnout is an epidemic among cybersecurity professionals that threatens not only the mental health of workers in the field, but also the security of organizations. But how to resolve the growing crisis is still a question the industry is grappling with.
Pietro Coroneos, founder of CyberMindz, and Kayla Williams, CISO of Devo, have different perspectives on cybersecurity burnout given their distinct roles as industry leaders, but they share a vision of finding solutions that help break the current cycle of burnout plaguing the cybersecurity profession.
Coroneos is the founder of CyberMindz, a non-profit organization that offers, among other things, resilience training for cyber teams; and Williams is the chief information security officer (CISO) at Devo, a cloud-native security analytics company.
The two – whose companies are already partners in the fight against burnout – will meet soon at RSA Conference to host a session called “Burnout in Cyber: The Intersection of Neuroscience, Gender, and Wellbeing.” Their session will present some reasons why cybersecurity burnout has become a vicious cycle, and how a combination of empathetic leadership and neuroscience-based training can help break it.
Security staff burnout: a wake-up call
The “wake-up call” for Coroneos about the severity of the burnout problem came when a survey of 200 cybersecurity professionals, conducted by Wakefield Research on behalf of Devo, released its findings last September. The study found that a full 83% of those interviewed admit that stress has led them and their colleagues to make mistakes that have caused data breaches.
Workplace changes related to the COVID-19 pandemic, and the increase in cyberattacks that exploit organizations’ hasty and often insecure shift to accommodate a remote workforce, have truly kicked cybersecurity burnout into high gear, he says.
“COVID brought together a number of factors that had been in the background for several years,” Coroneos says in a recent interview.
Working remotely, IT security professionals felt even less separation between work and home life and felt like they literally always brought work home with them. And as cyber attackers exploited the vulnerable security situation many companies were facing at the time, there was even more work for them to do, and therefore more pressure than ever, he says.
It was a “perfect storm” of conditions to foster burnout, Coroneos says. “We started getting a lot more reports of worsening mental health among cybersecurity teams,” he says. “They feel this relentless pressure with no end in sight.”
The blame game
Part of this pressure comes from the often unfair burden of blame that CISOs and Chief Security Officers (CSOs) in particular shoulder when a data breach or attack goes horribly wrong for a company, says Williams, who in her position as CISO knows this all too well.
A major source of stress experienced by these executives is that they often do not control their budgets and the overall security roadmap in their organizations, and therefore typically do not obtain sufficient funding to realize their vision for a company’s security. However, they will still be held accountable if something goes wrong, Williams says.
She cited major high-profile lawsuits filed against top security executives from Uber and SolarWinds, in which they took responsibility for security incidents at their respective companies, as scenarios that are scaring top professionals in the industry.
“From what I see and hear, turnover is incredibly high,” Williams says. “Talking to my colleagues, they no longer want to be CSOs.”
In fact, the Devo survey revealed that 85% of the professionals interviewed will leave their role in the next year, while 25% will leave the sector altogether.
The current situation many security professionals find themselves in is a cycle of burnout that causes those who remain in the profession to feel stressed and hopeless about their jobs, while creating unprecedented turnover numbers in a position that already has to address the shortage of jobs. This cycle creates even greater burnout for those who remain in cybersecurity roles, Coroneos and Williams say.
Break the cycle of safety fatigue
To break this cycle, the two professionals propose a combination of empathetic leadership strategies and a neuroscience-based solution to help retrain people’s minds to deal with high levels of stress.
As a CISO herself, Williams says she knows how important it is to communicate effectively with people in various cybersecurity roles within the organization to ensure their individual needs both professionally and emotionally are met. This is especially true as a new generation of IT professionals with different emotional needs enters the workforce, she says.
“As a people leader, it’s my responsibility to make sure I communicate with my teams in a way that resonates with them,” says Williams. It’s important for leaders to take time to understand the needs of individual team members and check in with them as they would family or friends to ensure they don’t feel overwhelmed by the stress or demands of their responsibilities, she says.
Meanwhile, Cybermindz is taking a cue from the international military program with a training solution called Integrative Restoration (iRest) that has been implemented by the US and Australian militaries since 2006 and 2016 respectively.
iRest – the result of more than 40 years of observation, research and development by clinical psychologist Richard Miller and his team at an institute of the same name in California – is an attention training technique to help the limbic system of the brain return to a resting state after an intense period of high stress.
The problem for cybersecurity professionals is that they often get stuck in a constant state of psychological “fight or flight” response due to the constant stress cycle of their job, explains Coroneos. iRest is a workout that helps them break out of this cycle and brings them into a deeper state of relaxation to restore the fight or flight response. This will help the brain shut down, so that it doesn’t constantly create stress, and thus burnout, not only in the workplace but in everyday life, he says.
“We need to put them in a position where they can enter into a proper relationship with their subconscious,” says Coroneos, adding that so far cybersecurity professionals who have experienced the training – which Cybermindz is currently piloting – report sleeping better and making clearer decisions after just a few sessions of the program.
Indeed, although burnout remains a serious problem, the message that Coroneos and Williams want to convey is one of hope: that there are solutions to the burnout problem cybersecurity professionals currently face, and that the enormous pressures these dedicated professionals have to face are not being neglected.
“We want to show them that their mental health doesn’t have to be the price of their career,” Coroneos says.