
Combatting Burnout Among IT Security Pros

A lack of available cybersecurity expertise is placing undue burden on security operation center staff and fueling turnover.

Gary Audin

August 15, 2019


Cybersecurity experts, the first responders to security incidents, arguably have more stressful jobs than their IT peers. A cybersecurity expert needs broad IT and security-specific knowledge — and there aren’t enough of these professionals to fill available positions. I first wrote about this persistent problem two years ago.

 

The U.S. isn’t the best country for cybersecurity preparedness, as I reported earlier this year in the post, “Cybersecurity Posture by Country: U.S. Not the Best.” U.S. organizations need to step up their cybersecurity efforts. The shortage of expertise is one factor; but also of interest are the pain points, turnover, and burnout of those holding cybersecurity roles.

 

CNBC earlier this year reported on how “the serious shortage of cybersecurity experts could cost companies hundreds of millions of dollars.” In the article, CNBC concluded that: 1) cybersecurity has become a significant priority for organizations, 2) there are 2.93 million unfilled cybersecurity positions around the world, and 3) the talent shortage will lead to significant financial losses because organizations don’t have the right controls or security processes for detecting, mitigating, and preventing cyberattacks.

 

Barriers to Cybersecurity Success

The study “Improving the Effectiveness of the Security Operations Center,” sponsored by Devo Technology and independently conducted by Ponemon Institute, finds that the biggest barriers to SOC effectiveness are a lack of knowledge about, and visibility into, an organization’s infrastructure, with an incomplete inventory of assets and of the up-to-date status of their configuration and location. Many organizations, especially SMBs, need to outsource security capabilities but discover the security services don’t align well with their industry and culture. There’s also a conflict between IT and line-of-business (LoB) priorities, as I’ve discussed in a previous post, “Cloud Security Concerns: IT vs. LoB.”

 

 

[Image: SOC-1.png]

 

Pain Points

The single biggest problem is a burnout-inducing workload, as you can see in the image below; this leads to performance issues, reduces security effectiveness, and produces turnover. The cycle is never-ending, with fewer staff leading to further workload increases, and on and on.

 

Close behind is the lack of network visibility, followed by the requirement to be available 24/7. When alert volume is too high, some get missed and others ignored — there aren’t enough hours to respond to them. This opens the organization to threats. It also means that intrusions can go undetected for weeks and months.

 

Those Who Quit Cybersecurity

Two-thirds of survey respondents reported they are likely or very likely to quit their SOC jobs. Turnover, of course, exacerbates the understaffing problem, and leads to a lack of loyalty in general among SOC employees. The stress and pain of the working conditions in a SOC limit the ability of organizations to hire and retain experienced IT security experts.

 

[Image: SOC-2.png]

 

The survey respondents point out that automation and a normalized work schedule would reduce their complaints. They’re not looking for more vacation time but want workflow automation. Additional survey recommendations are:

  • Access to more best practices content, such as rules and playbooks

  • More resources

  • Assistance in prioritizing incidents and tasks from the LoB as well as IT

  • Stress management programs and psychological counseling to teach SOC staff how to cope with the stress and remain effective

 

Recommendations

Organizations are frustrated and struggle with SOC effectiveness when confronted with challenges such as budgets, lack of infrastructure visibility, and organizational culture. The limited talent pool, growing workloads, and alert fatigue cause stress that leads to a career change for many.

 

The report stressed three main points:

  • Address analyst burnout

  • Develop stronger alignment between the SOC and the LoB

  • Budget and implement security operations technologies

About the Author

Gary Audin

Gary Audin is the President of Delphi, Inc. He has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks as well as VoIP and IP convergent networks in the U.S., Canada, Europe, Australia, Asia and the Caribbean. He has advised domestic and international venture capital and investment bankers in communications, VoIP, and microprocessor technologies.

For 30+ years, Gary has been an independent communications and security consultant. Beginning his career in the USAF as an R&D officer in military intelligence and data communications, Gary was decorated for his accomplishments in these areas.

Mr. Audin has been published extensively in the Business Communications Review, ACUTA Journal, Computer Weekly, Telecom Reseller, Data Communications Magazine, Infosystems, Computerworld, Computer Business News, Auerbach Publications and other magazines. He has been a keynote speaker at many user conferences and delivered many webcasts on VoIP and IP communications technologies from 2004 through 2009. He is a founder of the ANSI X.9 committee, a senior member of the IEEE, and is on the steering committee for the VoiceCon conference. Most of his articles can be found on www.webtorials.com and www.acuta.org. In addition to www.nojitter.com, he publishes technical tips at www.Searchvoip.com.