Careers & People

5/23/2018
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Growing Job Pressures Increase Risk of Burnout for Cybersecurity Professionals

A new Trustwave survey shows information security executives and practitioners are under increasing pressure from trying to keep up with threats and compliance mandates.

The task of constantly keeping up with new threats and regulatory requirements has made cybersecurity something of a high-pressure career field for technology professionals in recent years. There are no signs that will change anytime soon.

A global survey of 1,600 IT professionals by Trustwave shows that a majority of cybersecurity executives and practitioners believed they were under more pressure at their jobs in 2017 compared with the year before. They expect 2018 to be no different.

Trustwave has conducted the same survey for five consecutive years, and each time survey respondents have reported increased pressure over the previous year. If the trend persists, expect one of two things to happen, says Chris Schueler, senior vice president of managed security services at Trustwave.

Either the pressure will push people to improved performance or it is going to cause them to crash. "Pressure to perform creates an overwhelming feeling that causes people to turtle up or become burned out quickly," Schueler says.

In the latest survey, 54% of the respondents reported experiencing more security pressures in 2017 compared to 2016, and 55% expect 2018 to be worse than last year. More cybersecurity professionals in the US (61%) feel that way than professionals in any other country, the Trustwave survey showed.

Advanced malware and zero-day vulnerabilities are the top cause for the pressure that security people feel on the operational side of things, with 26% citing that as a reason. Other top concerns include budget constraints at 17% and a lack of security skills at 16%.

The Trustwave survey also showed that phishing attacks and social engineering became more of a pressure-inducer last year, with 13% identifying that as a stressor compared with 8% who said the same in 2016. Somewhat surprisingly (considering all the concern over data breaches and attacker dwell time), only 11% of the respondents in Trustwave's survey identified malicious activity detection and compromise detection as contributing to their stress levels.

For cybersecurity professionals, a lot of the pressure comes from the constant reminder that peer industries and major brands are being breached daily and that they need to improve to stay ahead, Schueler says. "It's the only job in IT where there are people who are constantly trying to make your day bad," he notes. It's daunting to wake up every day with the constant worry of not knowing if your efforts have been enough, he says.

Adding to the pressure is the fact that many organizations are moving to a governance model that puts more pressure on security leaders and measures their effectiveness at reducing organizational risk, Schueler says.

One welcome result from the survey is the relatively bigger role that those closest to the security function appear to be playing these days. Thirty-nine percent identified board members, directors, the CEO, the CIO and other C-level executives as putting the most pressure on them. But that proportion is actually smaller than the 46% who said the same in 2017 and the 69% in 2016.

At the same time, a bigger proportion of respondents (27%) in Trustwave's most recent survey said pressure from direct managers had increased compared with 2016 (18%). "This is a very positive view because it indicates that the board has made cybersecurity a priority year over year and has shifted the ownership more to the people who are closest" to the function, Schueler says.

A 2017 survey by Enterprise Strategy Group (ESG) and the Information Security Systems Association (ISSA) shows that burnout is becoming a problem in the cybersecurity field. The perpetual battle to keep the enterprise safe against a constant barrage of attacks using suboptimal resources is wearing security professionals down, according to the report.

ESG and ISSA surveyed a total of 343 cybersecurity professionals. Sixty-eight percent strongly agreed that a cybersecurity career could be taxing on the balance between an individual's professional and personal life. Thirty-eight percent said the skill shortage in the industry had resulted in high employee attrition rates and burnout. The situation is made worse by the fact that there are far more security jobs than there are people to take them, according to the ESG-ISSA report.

"If you're a C-level executive, you should be thinking about the pressures on your security team and how you are managing that pressure," Schueler notes. Among the things you need to consider is your security maturity level, the partners that you might have on board to help you, and how effective that help might be.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ShelleyWestman
50%
50%
ShelleyWestman,
User Rank: Author
5/24/2018 | 1:29:26 PM
Cybersecurity Burnout and the Talent Gap
Thanks for sharing, Jai! Given the seriousness of the talent gap in cyber, the industry needs to work to ensure these critical employees don't feel burned out. Another layer to this is working to specifically retain female employees in the field. A recent study found that women represent more than 50% of college graduates in the U.S., but only 10% of cybersecurity professionals. If we're going to close that talent gap and retain employees, women should be a part of the solution. Making sure all employees have visibility, mentorship and support can hopefully prevent some of the burnout you mentioned.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Well, at least it isn't Mobby Dick!
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20165
PUBLISHED: 2019-03-22
Cross-site scripting (XSS) vulnerability in OpenText Portal 7.4.4 allows remote attackers to inject arbitrary web script or HTML via the vgnextoid parameter to a menuitem URI.
CVE-2019-1716
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 7800 Series and Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code. The vulnerability ...
CVE-2019-1763
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to bypass authorization, access critical services, and cause a denial of service (DoS) condition. The vulnerability exist...
CVE-2019-1764
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. The vulnerability is due to insufficient CSRF protections for the ...
CVE-2019-1765
PUBLISHED: 2019-03-22
A vulnerability in the web-based management interface of Session Initiation Protocol (SIP) Software for Cisco IP Phone 8800 Series could allow an authenticated, remote attacker to write arbitrary files to the filesystem. The vulnerability is due to insufficient input validation and file-level permis...