Stressed security analyst sitting in front of computer

The Root Cause of Security Analyst Burnout: Human Vulnerabilities

According to a study from Hack the Box, cybersecurity and Infosecurity professionals say that work-related stress, fatigue, and burnout are making them less productive, including taking extended sick leave – costing US enterprises almost $626 million and UK enterprises almost £130 million in lost productivity every year. When we think of cybersecurity, we envision 24/7 protocols and technology measures to stop the influx of cyber-attacks and while that is often necessary, it comes at the expense of people.

Cybersecurity data breaches are near constant, placing immense pressure on security teams. We hear the word ‘burnout’ quite often but what is overlooked is the root cause. Yes, alert fatigue is real and the ‘always on’ component to ensure you are both proactive and reactive in protecting your organization doesn’t help. But, in the end, it’s a human problem.

Forrester recently issued a report, The Cybersecurity Firefighter’s Guide To Controlling Burnout, noting that burnout is a human issue which then can lead to a larger cyber risk issue.

Adopting an inclusive culture

Since security teams are often in a high-stress environment, it’s critical to build a culture that is not only positive but inclusive and diverse. Diversity in particular fosters problem solving. Employees, for example, can provide a different perspective and approaches to problems. Think about different genders, cultures, ages and experiences and what each one can bring to the table. These same employees can become disenfranchised and susceptible to burnout if their gender, lifestyle and even heritage is not supported.

According to an ISC2 Cybersecurity Workforce Study, almost 70% of cybersecurity professionals reported that an inclusive environment was important for their team to succeed, while just over half said diversity within the security team had contributed to the team’s success. Inclusivity can have a far-reaching impact.

Building a comfort level among security teams

Another key element to lessening the chances of burnout among security teams, is a comfortable environment that puts security team members at ease. It can be as simple as varying shifts to fit employee needs, implementing a dress code that makes them comfortable and even paying attention to computer preferences.

Team building exercises with a cyber security focus also provide an avenue through which to foster a tight knit and engaged team. For example, organizing a security-focused tabletop exercise in a team setting that includes game play, incentives (even prizes) and learning simultaneously is a win-win for everyone. Role playing games akin to Dungeons & Dragons work incredibly well for these. They allow the participants to immerse themselves in real world scenarios while still adding the ability to have entropy introduced in the same way you would have in an actual incident.

It’s also important for leaders and management to engage with security team members in a distributed workforce. Goals should include building and investing in effective remote teams and taking proactive steps to connect on a human and supportive level. This includes team leaders getting to know their team, as well as encouraging connections among team members. It can be as simple as setting aside a few minutes at the start of team meetings to allow for small talk and discussion of random, non-work-related topics. In-person meetings that allow time for distributed teams to connect are also critical to the health of a team, even if it is just once a year. Investing in your people may seem like a given but it is critical and often gets put on the back burner when real-time cyber-attacks occur.

Regular communication with team members is always critical in order to spot any signs of burnout. Identifying any stressors amongst individuals should be a priority. Recognizing stress and taking proactive steps to minimize it is also an important component in a supportive cybersecurity culture.

Setting cyber-risk expectations from the top

In an organization where the security operations center (SOC) team rarely gets praise when things are going well, and fingers pointed at them when security measures go awry – like in the event of an incident –  there becomes a continuous, unrealistic pressure to be vigilant. Looking at the big picture, organizations must communicate internally from the top down that cyber risk is just one category of risk and one component of total business risk. So, while it’s important, it is not the entire focus for the business.

Yes, organizations can and should prepare for this risk, however it can’t be one-hundred percent controlled. Expectations should be set at the Board level; identifying different stages of success versus a pass/fail scenario. Setting these expectations goes a long way for security teams feeling the pressure to perform and protect. Organizations often think of cybersecurity as ‘serious and scary’. However if we can change the mentality, and therefore, the culture, we can enable teams to take on a serious topic by taking away the serious and scary mindset.