This guest blog was contributed by Devin Partida is the Editor-in-Chief of ReHack.com. Devin's work has been featured on Security Boulevard, AT&T Cybersecurity and Hackernoon.
Most cybersecurity professionals deal with the same thing — they have mountains of logs and alerts waiting for them at the office. Still, they can’t even rest on weekends because they get called in to respond to security incidents. In this sector, burnout is considered normal.
How Prevalent Burnout Is
Almost every single cybersecurity professional has experienced burnout at some point in their career. According to one survey, around 84% of them are currently struggling with severe, chronic stress. This statistic isn’t surprising to many in the industry, considering it’s been a significant pain point for ages.
Although chronic, prolonged stress has been a sector-wide issue for years, recent technological innovations, unprecedented global events and geopolitical tensions have substantially worsened it. For the most part, professionals are struggling to keep up with dramatic increases in cyber attack frequency and severity.
As a result, many have been burdened with staggering amounts of logs, tasks and duties. In fact, roughly 33% of all workers have excessive workloads. Unfortunately for cybersecurity professionals, it seems burnout is here to stay.
Why Are Cybersecurity Professionals So Stressed?
Of course, most professionals experience burnout because the industry forces them to. It consistently, intentionally overworks them. Unfortunately, security is a 24/7 responsibility — they need to be able to respond to security incidents at a moment’s notice.
Moreover, scarcity in the workforce has only intensified the burnout problem. The cybersecurity sector’s labor shortage reached 3.4 million openings in 2023, but some experts believe the actual figure is even higher. They claim the skill level available is disproportionate to the number of high-skill positions companies need.
Frankly, most people don’t think where they work has a handle on the situation. In fact, over half of people say burnout is common for them, meaning their employers are mishandling chronic workplace stress. Many industry decision-makers are reactive — they only attempt to fix the problem after someone brings it to their attention instead of trying to mitigate it before anyone shows symptoms.
Even though burnout is unequivocally damaging, the sector continues to overwork professionals. For instance, 51% of cybersecurity decision-makers think their current alert volumes are overwhelming. Unfortunately, many leaders believe it is necessary to maintain security and fend off cybercriminals.
Burnout’s Impact on Cybersecurity Professionals
Typically, burnout is characterized by a mixture of physical and mental symptoms. Most professionals in the cybersecurity industry will be able to attest to this fact, considering 65% of them experience extreme fatigue and a decline in comprehension because of their stress level. Plenty also have anxiety, sleep issues, nausea, depression and migraines.
Many people experience mental exhaustion because their work continuously grows. Even though they sift through logs and complete their everyday duties, they can’t outpace the rate new items come up. As a result, they experience cognitive fatigue and frustration. At this point, they’re far less likely to follow best practices — and more likely to make mistakes.
Some professionals in the sector have admitted their burnout-induced mistakes were the source of one or more data breaches. Ironically, the overwhelming amount of work they do to secure their organization often ends up being the reason for cybersecurity incidents.
The severe pressure of incident response only compounds the already tense situation. Around 67% of cybersecurity professionals say they feel intense stress during the process, with 65% even seeking mental health services as a result. Since response times take multiple weeks, it’s plain to see why it can be so mentally straining.
Most people in this industry have a poor work-life balance. As a result, they find themselves deeply unhappy in their roles even when they enjoy what they do. In other words, the sector may soon have an even more substantial skill shortage.
Burnout’s Impact on Cybersecurity
For the most part, professionals in the workforce collectively experience chronic stress. Thus, general performance, data safety and incident response time suffer. Security plummets and the number of breaches increases. In other words, burnout doesn’t just impact people — it affects the industry as a whole.
Moreover, sector-wide burnout leads to greater non-compliance fines, poor brand reputation and increased incident response expenses for every organization. Not to mention, it drastically contributes to worsening employee retention and cybersecurity fatigue.
Understandably, 66% of cybersecurity decision-makers feel chronically stressed. Eventually, this kind of mental and physical strain leads to habitual burnout — a severe, prolonged condition — and heavily impacts their daily lives. Consequently, many people turn to unhealthy coping mechanisms and their performance suffers for it.
Iit should come as no surprise that many people assume intense stress comes with the territory. According to one survey, more than half of cybersecurity professionals repeatedly hear burnout is a part of their career. When leaders have this mindset, they only magnify prevalent issues.
Many decision-makers insist chronic workplace stress is a necessary evil, but all evidence says otherwise. In reality, overworked employees don’t accomplish more — they make easily avoidable mistakes and cause more cybersecurity incidents. Undoubtedly, the sector is worse off as a whole because of burnout.
Chronic Stress in Cybersecurity Needs Attention
Burnout will continue to be a problem as long as industry leaders and professionals let it be one. Overworking puts them one step behind instead of giving them an advantage. No one denies network, data and system security is critical. In reality, there’s just no way to protect an organization at the most basic levels when the people in charge of defense are so mentally and physically exhausted.