Frustration and burnout are common among IT infrastructure experts of many types right now, including and especially cybersecurity and network operations teams. Nearly a third of cybersecurity experts say they consider leaving the profession on an occasional (21%) or regular (9%) basis – citing stress associated with the career as the top reason. Additionally, 55% say they experience on-the-job stress at least half the time.
I’ve had three friends leave the NETOPS and SECOPS fields lately. One became an organic, local farmer. Another opened a food truck. And the third is remodeling houses. They each took pay cuts, at least initially, but they’ve told me the lower stress was well worth it. I’m sure many of you can share similar stories.
Cybersecurity is about, among other things, attention to detail, careful planning, and precision execution during incident response times. Distracted, stressed-out, and understaffed teams are a recipe for disaster. A perfect storm of factors is contributing to this scary reality, but there are also strategies we can implement as technology and business leaders to navigate these challenging waters.
There’s no doubt that the global pandemic and shift to the work-from-anywhere model have added a new level of stress and complexity to the daily lives of SECOPS and NETOPS teams. Compounding the pressure, the rocky tech and VC economies over the last several months have resulted in nearly 50% more tech layoffs in 2023 than in 2022, with those who remain being asked to do more with less. In addition to layoffs, many organizations are tightening their belts and aren't able to pace salary increases with the cost of household goods and other inflationary times, which further fuels an environment of high stress.
Conversely, cybercrime activity is rising across the board, which places added stress on key technical experts within enterprises and managed security service providers (MSSPs), and due to the financial crunch, the risk has never been greater. Check Point Research found global cyberattacks rose by 38% in 2022 compared to 2021 and continued an upward trajectory in 2023. Meanwhile, according to the 2023 Security Budget Benchmark Summary Report, “Cybersecurity spending continues to rise, but at a lower rate than prior years and at an insufficient rate relative to the increases in scope facing security teams.” Specifically, spending in the U.S. and Canada increased by just 6% in 2022-2023 compared to 17% in 2021-2022.
Cybersecurity specialists not only face an increase in cybercrime along with a reduction in resources but are also juggling collections of disconnected tools that do not work together. The rapid rise of cybersecurity-focused technology startups over the last ten years has created a market full of best-in-class products. But it also created an environment where security operations center (SOC) and network operations center (NOC) teams are commonly stitching together products from three to five different vendors to satisfy standard operational workflows. The flurry of M&A activity and consolidation will help in many cases. However, effective integrations will take months, if not years, to complete and bring to market once transactions are closed.
The cybersecurity industry is evolving rapidly, along with the environment in which security professionals operate. In many cases, roles are poorly defined, and the workload is unevenly distributed. Everyone is so heads-down that it can be hard to take time to stop and figure out how to mitigate stress and focus on mental health.
Employee turnover is costly, particularly in cybersecurity, where there are currently more than 572,000 job openings in the U.S. alone, signaling a significant gap in qualified workers. Companies cannot afford to lose the security experts they have and, as a result, put their organizations at risk. But it's happening. So, what can we do to stanch the burnout?
As the adage goes, the best defense is a good offense. Plus, it’s cheaper in the long run to pay for mental health/fitness benefits and group outings than to deal with heavy turnover within your highly skilled technical teams. Following are some best practices and strategies that organizations can implement to support the mental health and well-being of their cybersecurity teams.
A shift in mindset. We need to start thinking of our cybersecurity teams as our private police force and recognize that people with jobs this stressful require specialized programs and investments to enable them to operate effectively in today’s increasingly demanding environments. Cybersecurity professionals should be encouraged to join peer groups and participate in out-of-office activities such as company-sponsored charitable activities. These opportunities are great for team building, sharing experiences, and providing relief to the challenges security professionals face in ways that support their mental wellness.
Align with support groups. Mental healthcare, or as I think of it, "mental fitness and training," must be available to everyone, and there are organizations that are dedicated to preventing burnout in the cybersecurity field. A good example is Cybermindz, an organization based in Australia and rapidly expanding its programs to other parts of the world, including the U.K. and the U.S. Founded by cybersecurity professionals, it offers a range of tools to help organizations and individuals navigate the challenges that come with operating in relentlessly stressful environments.
Look to technology integration and automation. Nearly two-thirds of cybersecurity professionals believe that their jobs have become more difficult over the last two years, citing the overwhelming workload (35%) as the most stressful aspect of cybersecurity jobs. Practitioners should look for software that offers deep integrations and has formal partnerships with adjacent product technologies. One good example of this would be the integration of OS patching and upgrade automation with vulnerability and threat intelligence. Instead of spending hours on tedious manual work, security, and network infrastructure teams can easily discover vulnerabilities in their network, prioritize CVEs according to their unique risk profile, and automate remediation.
Create a cybersecurity culture. Cybersecurity professionals say working with disinterested business managers is the second (30%) most stressful aspect of their jobs. Anytime you have a job that your friends, family, and even boss don't understand, it’s easy to feel dissatisfied. There are some relatively simple steps organizations can take to improve their cybersecurity culture, including requiring non-technical employees to participate regularly in cybersecurity awareness training and providing professional development opportunities for IT and software development teams. These two steps alone not only demonstrate leadership’s commitment to cybersecurity and the value placed on cybersecurity best practices but also strengthen defenses in the process.
Just like a police force, IT infrastructure experts operate under sustained stress. It comes with the territory. But they will also always be critically important to protect and enable organizations to function and thrive. The challenge we face as leaders is to provide security and network teams with the support and tools they need to get their jobs done and avoid burnout. Fortunately, the topic is getting much-needed attention, and an increasing number of resources, alongside advances in technologies and best practices, are available to help.
Josh Stephens is the CTO of BackBox.
Related articles:
NetOps teams, like Spider Man, have great powers and great responsibilities. Increasingly, they are adopting a Zero Trust approach to network operations to help fight their battles.
Senior stakeholders who want to hold on to their CISOs must ensure that they have sufficient incentives and, more importantly, support to cope with the burden of risk that they are carrying.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
