After a year of high-profile cyberattacks, including ransomware campaigns on organizations such as JBS, Colonial Pipeline, Kaseya and more, the need for organizations to prioritize cybersecurity holds more weight than ever before.
However, what often gets lost in conversations about the rise of sophisticated attacks is the human element and acknowledging the defenders who have been working tirelessly to protect organizations from these attacks.
Rick McElroy is the Principal Cybersecurity Strategist at VMware
Being a part of the security community for more than two decades, it’s clear that the pressure on cybersecurity professionals is increasing in parallel with the threats they’re defending against.
This can and has led to burnout, especially as we continue to operate in remote and understaffed environments.
Defenders under stress
A recent report found that 51% of cybersecurity professionals are feeling symptoms of extreme stress or burnout, and of that group, 65% have considered leaving their jobs because of it.
In August, the Biden Administration also highlighted that there are 500,000 open cybersecurity roles across the country.
This talent gap is putting a strain on defenders and leaving most spread thin and their organizations vulnerable to destructive cyberattacks.
Opportunity in disguise
CISOs [Chief Information Security Officer] and business leaders have an opportunity to learn from these attacks and take advantage of this moment in time to educate employees and stakeholders about the importance of cybersecurity.
But they should also leverage this opportunity to acknowledge the burnout facing security professionals and ensure these defenders are supported and empowered.
As part of my role, I have many conversations with CISOs and security leaders about the challenges they’re currently facing.
Many are concerned about how best to build resilient security teams that can manage the high stress that a career in cybersecurity brings.
Tackling burnout
Here are four best practices for CISOs and security leaders working to break the burnout cycle:
1. Spot burnout from the start
It is important to spot the early signs of burnout. There are telltale warning signs like disengagement and cynicism that can happen before outright exhaustion sets in.
Create an open environment where employees can feel comfortable expressing that they are experiencing the symptoms of burnout without it being seen as a fault or weakness.
2. Empower your team with the right tech
Encourage and train your teams to use efficient processes and technology. There is too much to do in a day to waste any time on inefficiencies.
At the same time, a company can invest all the money in the world on automation technology and tools but without proper training, it can create unnecessary complexity and confusion.
Arming teams with the proper tools and training will allow for them to effectively do their jobs, leading to a decrease in stress.
3. Encourage self-care
From my experience, cybersecurity professionals are extremely driven, tactical people. I find that often, they’re so engrossed in what their work needs from them that they forget what they need from themselves.
As a leader, it’s important to urge your teams to take mental health days and PTO. Unplugging is crucial for people to reset and recharge, coming back feeling motivated and ready.
Another idea would be to offer non-standard working hours based on the needs of your employees. Feeling respected and valued enough to create schedules that work for their lives leaves employees feeling in control and able to balance more.
4. Build anti-burnout activities into the day-to-day
Zoom fatigue and too much screen time can leave people feeling drained at the end of the day.
Switch your team’s meetings to walking meetings, provide weekly mindfulness training, and encourage call-free Fridays.
Remember as the leader, you should practice what you preach here and lead by example with these suggestions.
It’s time for security leaders to take a step back and not only examine their organization’s security posture but also take inventory of whether employees are feeling supported and empowered.
The future of cybersecurity depends on it.
