Cybersecurity Burnout Persists

  • The majority of cybersecurity professionals believe they are overworked or burned out.
  • Survey finds security professionals don’t get the support they need from their organizations to succeed.
  • Overall, challenges around managing staff remain a big hurdle for cybersecurity programs.

Work-related burnout remains a significant challenge for those who work in information security. This isn’t new to anyone who has been watching, but recent surveys shed light on persistent challenges that frustrate security professionals’ efforts.

According to The Security Profession 2019/2020 report from the Chartered Institute of Information Security (CIISec), based on a survey of 445 information security professionals, 54% of respondents either left a job due to overwork or burnout or worked with a professional who has done so.

A sizeable 82% of respondents said their security budgets were either rising too slowly, flat, or falling and not keeping pace with increased threat levels. The majority of organizations don’t seem fazed by the situation, with 64% saying that their organization hopes to cope with fewer resources when necessary, and 51% saying they’d let routine and non-critical tasks slip if necessary.

This report also found that respondents believe, by far, that the most significant security challenge organizations face within the people, process, and technology triad stems from people. At 67%, people outranked processes (14%) and technology (11%).

Considering that, it’s no surprise that the top three reasons security professionals took a new security position, in order, were: remuneration; the opportunity and scope for progression; and the variety of work. Relatedly, the top reasons to leave a security job were lack of opportunity or progression, unpleasant or bad management, and inadequate compensation.

“Unless the industry can learn how to do more with less while also addressing issues of diversity and burnout, risks will rise, and organizations will suffer. To avoid this, we need the right people with the right skills, giving them the help they need to reach their full potential. This doesn’t only apply to technical skills, but to the people skills that will be essential to giving organizations a security-focused culture that can cope with the growing pressure ahead,” said Amanda Finch, CEO at CIISec.

Part of the reason could be that too many organizations still fail to view information security as a strategic challenge. A survey from LogRhythm found that a decent percentage of organizations, 57% to be exact, reported that security doesn’t get the strategic vision, buy-in, or budget they believe is needed to succeed. What’s more, the survey found leadership isn’t held to answer for its security-related decisions. Survey respondents cited this as the top reason (42%) for security professionals to leave their jobs. Many also say they don’t have enough time for their job, and they don’t get enough executive face time.

The solution? At least according to LogRhythm survey respondents, the solution is more enterprise support for their cybersecurity programs. Such support includes, for 44%, an increase in budget, more experienced staff for 42%, and improvement of collaboration among IT for 42%. An increase in executive support was cited by 41% and fully staffing the security team by 39%.