- Cybersecurity pros are burning out faster than ever, with security teams facing increasing turnover.
- A rise in threats and blurring of boundaries between home and life amid the pandemic hasn’t helped.
- Insider spoke to activists trying to push cyber-pros and employers to prioritize mental health.
- See more stories on Insider’s business page.
Cybersecurity workers are facing growing challenges, leading to industry-wide burnout – and now they’re leaving their jobs at an unprecedented rate.
Security teams, often chronically understaffed and overburdened, faced a stark increase in job duties in the past year as organizations went remote during the COVID-19 pandemic. More recently, the piecemeal reopening of offices has opened companies up to even more cyber threats as employees’ location and devices become harder to predict.
Those challenges have compounded with an explosion in cyberattacks across the globe, with cybercriminals deploying a slew of new methods to hold companies’ data for ransom, infect software supply chains, and disrupt critical infrastructure.
The result is growing burnout and turnover across the cybersecurity industry. The average time a cybersecurity analyst spends in one role shrank to 26 months in 2020, a decrease of over a month from the year prior, according to a recent study by the Ponemon Institute and FireEye. Over 80% of survey respondents cited the pain of an increased workload as a primary reason for burnout.
The stress is compounded by the fact that cyber teams often have to work in secrecy, according to Rachael Cornejo, an analyst with the security nonprofit Global Cyber Alliance.
“The mark of a good cyber department that’s doing its job well is is that you don’t even know they’re there. They’re only thrust into the spotlight when something goes wrong,” Cornejo told Insider. “That’s a really stressful state to constantly be in.”
Now, some digital activists including Cornejo are pushing for security professionals and their employers to better prioritize mental health, an initiative they say is far overdue.
Cornejo teamed up with Lili Siri Spira, who works for the anti-harassment nonprofit OnlineSOS, to develop a set of guiding principles for cyber workers to maintain “psychosocial resilience.” They say cyber workers should prioritize their own mental health and draw clear work-life boundaries despite the round-the-clock demands of cybersecurity. Professionals’ “mental security” is just as crucial as an organization’s digital and physical security,” they argue.
“In the cybersecurity field, the whole point is that you’re always supposed to be on high alert,” Siri Spira told Insider. “Your fight or flight response is just constantly activated and that can be really corrosive. Not only is it bad for you as an individual, but your work is going to get worse.”
High turnover driven by burnout is worsening a perennial cybersecurity skills gap, where the demand for cyber workers outpaces the amount of available talent. According to the Ponemon study, the average company hired five cybersecurity professionals in 2020, but saw three professionals quit or get fired during the same time frame.
Cornejo and Siri Spira say the most surefire long-term solution to burnout in the cyber industry is for companies to invest more in security teams, which have long been deprioritized.
“When you work cyber, you’re not increasing an organization’s profitability. You’re kind of playing the bad cop,” Cornejo said. “An executive- and board-wide understanding of why cyber teams are important and why cyber teams need to be resourced could take some of the pressure off.”