Careers & People

5/23/2018
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Growing Job Pressures Increase Risk of Burnout for Cybersecurity Professionals

A new Trustwave survey shows information security executives and practitioners are under increasing pressure from trying to keep up with threats and compliance mandates.

The task of constantly keeping up with new threats and regulatory requirements has made cybersecurity something of a high-pressure career field for technology professionals in recent years. There are no signs that will change anytime soon.

A global survey of 1,600 IT professionals by Trustwave shows that a majority of cybersecurity executives and practitioners believed they were under more pressure at their jobs in 2017 compared with the year before. They expect 2018 to be no different.

Trustwave has conducted the same survey for five consecutive years, and each time survey respondents have reported increased pressure over the previous year. If the trend persists, expect one of two things to happen, says Chris Schueler, senior vice president of managed security services at Trustwave.

Either the pressure will push people to improved performance or it is going to cause them to crash. "Pressure to perform creates an overwhelming feeling that causes people to turtle up or become burned out quickly," Schueler says.

In the latest survey, 54% of the respondents reported experiencing more security pressures in 2017 compared to 2016, and 55% expect 2018 to be worse than last year. More cybersecurity professionals in the US (61%) feel that way than professionals in any other country, the Trustwave survey showed.

Advanced malware and zero-day vulnerabilities are the top cause for the pressure that security people feel on the operational side of things, with 26% citing that as a reason. Other top concerns include budget constraints at 17% and a lack of security skills at 16%.

The Trustwave survey also showed that phishing attacks and social engineering became more of a pressure-inducer last year, with 13% identifying that as a stressor compared with 8% who said the same in 2016. Somewhat surprisingly (considering all the concern over data breaches and attacker dwell time), only 11% of the respondents in Trustwave's survey identified malicious activity detection and compromise detection as contributing to their stress levels.

For cybersecurity professionals, a lot of the pressure comes from the constant reminder that peer industries and major brands are being breached daily and that they need to improve to stay ahead, Schueler says. "It's the only job in IT where there are people who are constantly trying to make your day bad," he notes. It's daunting to wake up every day with the constant worry of not knowing if your efforts have been enough, he says.

Adding to the pressure is the fact that many organizations are moving to a governance model that puts more pressure on security leaders and measures their effectiveness at reducing organizational risk, Schueler says.

One welcome result from the survey is the relatively bigger role that those closest to the security function appear to be playing these days. Thirty-nine percent identified board members, directors, the CEO, the CIO and other C-level executives as putting the most pressure on them. But that proportion is actually smaller than the 46% who said the same in 2017 and the 69% in 2016.

At the same time, a bigger proportion of respondents (27%) in Trustwave's most recent survey said pressure from direct managers had increased compared with 2016 (18%). "This is a very positive view because it indicates that the board has made cybersecurity a priority year over year and has shifted the ownership more to the people who are closest" to the function, Schueler says.

A 2017 survey by Enterprise Strategy Group (ESG) and the Information Security Systems Association (ISSA) shows that burnout is becoming a problem in the cybersecurity field. The perpetual battle to keep the enterprise safe against a constant barrage of attacks using suboptimal resources is wearing security professionals down, according to the report.

ESG and ISSA surveyed a total of 343 cybersecurity professionals. Sixty-eight percent strongly agreed that a cybersecurity career could be taxing on the balance between an individual's professional and personal life. Thirty-eight percent said the skill shortage in the industry had resulted in high employee attrition rates and burnout. The situation is made worse by the fact that there are far more security jobs than there are people to take them, according to the ESG-ISSA report.

"If you're a C-level executive, you should be thinking about the pressures on your security team and how you are managing that pressure," Schueler notes. Among the things you need to consider is your security maturity level, the partners that you might have on board to help you, and how effective that help might be.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ShelleyWestman
50%
50%
ShelleyWestman,
User Rank: Author
5/24/2018 | 1:29:26 PM
Cybersecurity Burnout and the Talent Gap
Thanks for sharing, Jai! Given the seriousness of the talent gap in cyber, the industry needs to work to ensure these critical employees don't feel burned out. Another layer to this is working to specifically retain female employees in the field. A recent study found that women represent more than 50% of college graduates in the U.S., but only 10% of cybersecurity professionals. If we're going to close that talent gap and retain employees, women should be a part of the solution. Making sure all employees have visibility, mentorship and support can hopefully prevent some of the burnout you mentioned.
What We Talk About When We Talk About Risk
Jack Jones, Chairman, FAIR Institute,  7/11/2018
Major International Airport System Access Sold for $10 on Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  7/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14373
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. In TIFFFindField in tif_dirinfo.c, the structure tif is being dereferenced without first checking that the structure is not empty and has the requested fields (tif_foundfield). In the call sequences following from the affected library functions (TIFFVGetFiel...
CVE-2018-14374
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow can occur via an empty fmt argument to unixErrorHandler in tif_unix.c, and it can be exploited (at a minimum) via the following high-level library API functions: TIFFClientOpen, TIFFFdOpen, TIFFRawStripSize, TIFFCheckTile, TIFFComputeStrip,...
CVE-2018-14375
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow vulnerability can occur via an invalid or empty tif argument to TIFFRGBAImageOK in tif_getimage.c, and it can be exploited (at a minimum) via the following high-level library API functions: TIFFReadRGBAImage, TIFFRGBAImageOK, and TIFFRGBAIm...
CVE-2018-14378
PUBLISHED: 2018-07-17
An issue was discovered in LibTIFF 4.0.9. A buffer overflow can occur via an invalid or empty tif argument to TIFFWriteBufferSetup in tif_write.c, and it can be exploited (at a minimum) via the following high-level library API function: TIFFWriteTile.
CVE-2018-14363
PUBLISHED: 2018-07-17
An issue was discovered in NeoMutt before 2018-07-16. newsrc.c does not properly restrict '/' characters that may have unsafe interaction with cache pathnames.