For Your Eyes Only: Tackling Cyber Security Burnout

A perfect storm is causing overload and stress for cyber security professionals.

Most people who enter the world of cyber security can’t help but feel a thrill of excitement, probably stemming from a deep-seated nugget of a memory from their favorite thriller. Given that life isn’t an Ian Fleming novel, however, few expect to end up jumping out of planes, being in car chases or ducking gunfire, but there is still a reason they didn’t apply for a job at the local tax office.

Cyber security professionals, it’s fair to assume, enjoy the mission to protect the organization they are a part of, and the customers it serves. It’s a profession where one can fully expect to be fighting criminal activity, perhaps even nation state activity, or terrorism. According to new Symantec research, more than half of those working in cyber security believe it is a vocation; something that makes a positive difference to the world in general.

This new research is extensive, encompassing the views of more than 3,000 cyber security professionals across France, Germany and the UK. They know that cyber security isn’t an easy option; indeed, they see it as a stimulating challenge. The research reports that almost all (92 percent) cyber professionals feel fully immersed in their work, even when it’s stressful. In fact, 90 percent of them say they thrive under pressure.

However, the vast majority (82 percent) of cyber security professionals also report feeling burnt out. Worryingly, two-thirds are thinking of resigning from their current role, and about the same number are considering leaving the industry completely. The correlation is hard to miss: about two-thirds also think they are ‘set up for failure.’

In something reminiscent of Bond’s ‘off the rails’ montage in Skyfall — lost at the bar downing shots with a scorpion on his hand — 41 percent believe that a breach is inevitable, a third report they are currently vulnerable to avoidable threats, and a quarter admit to having already suffered an avoidable incident. Just over half (55 percent) fear they will be sacked for a breach on their watch, and 40 percent worry they will be held personally liable in such a scenario.

Heath Robinson: the real evil genius

The source of this spirit-crushing pressure is not having to narrowly avoid gangsters that can’t shoot straight, escape from hungry sharks or dodge steel-rimmed bowler hats. Rather more mundanely, it’s a Heath Robinson contraption of cyber security point solutions.

Eighty-two percent of cyber security professionals complain of receiving too many security alerts. The alerts are often duplicative, having been triggered by siloed security products, and 79 percent say they have too many cyber defense products to manage effectively.

As a result, more than three-quarters say they end up rushing assessments, making assessments they are not wholly confident in, and/or underestimating an incident or threat. More than two-thirds admit to leaving alerts unreviewed at the end of the day.

Corporate reality — with its dastardly organizational structures, earnings reports, information silos, and IT budgets — also plays its part in tying cyber security’s hands, as not all the foes are technical. Increasing regulatory compliance (as governments recognize the potential digital and physical impact of cyber threats) and the cyber security skills shortage are also frequently cited sources of stress for the profession.

How to fix this problem

To untie cyber security’s hands — not to mention roll out of the way of that laser and disable the cyber bomb with seconds to spare — one could ask what James Bond would do. And that answer, of course, is Tradecraft. CISO Tradecraft.

Ensure the boardroom understands the risk, and that the risk can be managed given the right support. Highlight the heavy fines and public censure for those that fall short. Ensure that security is embedded across an organization, from employee awareness and culture change right through to cyber security being an enabler for transformation and growth. Attaching cyber security to better business performance brings a step change in budget (rather than being constrained as a percentage of the IT budget) that helps the CISO turn the tables on their cyber foes.

And if that seems a little short of a true James Bond style escape, then here comes the gadgetry. It may not have the box office appeal of an exploding pen, but an open standards cyber security platform can get a CISO out of just about any tricky situation. It helps to de-dupe alerts from previous siloed systems and enables levels of automation across everything from monitoring and patching, to reporting and compliance. Crucially, in a world that is woefully short of ‘double O’ agents, it frees up cyber security professionals to perform roles in which they can fulfill their passion and potential, and in doing so make a positive difference to the world.

Beating the villains and an outstanding people manager? Now there’s a modern day Bond.

Read the full report from Symantec, High Alert: Tackling Cyber Security Overload in 2019, here. A webinar based on the report is also available here.
