Careers & People

5/23/2018
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Growing Job Pressures Increase Risk of Burnout for Cybersecurity Professionals

A new Trustwave survey shows information security executives and practitioners are under increasing pressure from trying to keep up with threats and compliance mandates.

The task of constantly keeping up with new threats and regulatory requirements has made cybersecurity something of a high-pressure career field for technology professionals in recent years. There are no signs that will change anytime soon.

A global survey of 1,600 IT professionals by Trustwave shows that a majority of cybersecurity executives and practitioners believed they were under more pressure at their jobs in 2017 compared with the year before. They expect 2018 to be no different.

Trustwave has conducted the same survey for five consecutive years, and each time survey respondents have reported increased pressure over the previous year. If the trend persists, expect one of two things to happen, says Chris Schueler, senior vice president of managed security services at Trustwave.

Either the pressure will push people to improved performance or it is going to cause them to crash. "Pressure to perform creates an overwhelming feeling that causes people to turtle up or become burned out quickly," Schueler says.

In the latest survey, 54% of the respondents reported experiencing more security pressures in 2017 compared to 2016, and 55% expect 2018 to be worse than last year. More cybersecurity professionals in the US (61%) feel that way than professionals in any other country, the Trustwave survey showed.

Advanced malware and zero-day vulnerabilities are the top cause for the pressure that security people feel on the operational side of things, with 26% citing that as a reason. Other top concerns include budget constraints at 17% and a lack of security skills at 16%.

The Trustwave survey also showed that phishing attacks and social engineering became more of a pressure-inducer last year, with 13% identifying that as a stressor compared with 8% who said the same in 2016. Somewhat surprisingly (considering all the concern over data breaches and attacker dwell time), only 11% of the respondents in Trustwave's survey identified malicious activity detection and compromise detection as contributing to their stress levels.

For cybersecurity professionals, a lot of the pressure comes from the constant reminder that peer industries and major brands are being breached daily and that they need to improve to stay ahead, Schueler says. "It's the only job in IT where there are people who are constantly trying to make your day bad," he notes. It's daunting to wake up every day with the constant worry of not knowing if your efforts have been enough, he says.

Adding to the pressure is the fact that many organizations are moving to a governance model that puts more pressure on security leaders and measures their effectiveness at reducing organizational risk, Schueler says.

One welcome result from the survey is the relatively bigger role that those closest to the security function appear to be playing these days. Thirty-nine percent identified board members, directors, the CEO, the CIO and other C-level executives as putting the most pressure on them. But that proportion is actually smaller than the 46% who said the same in 2017 and the 69% in 2016.

At the same time, a bigger proportion of respondents (27%) in Trustwave's most recent survey said pressure from direct managers had increased compared with 2016 (18%). "This is a very positive view because it indicates that the board has made cybersecurity a priority year over year and has shifted the ownership more to the people who are closest" to the function, Schueler says.

A 2017 survey by Enterprise Strategy Group (ESG) and the Information Security Systems Association (ISSA) shows that burnout is becoming a problem in the cybersecurity field. The perpetual battle to keep the enterprise safe against a constant barrage of attacks using suboptimal resources is wearing security professionals down, according to the report.

ESG and ISSA surveyed a total of 343 cybersecurity professionals. Sixty-eight percent strongly agreed that a cybersecurity career could be taxing on the balance between an individual's professional and personal life. Thirty-eight percent said the skill shortage in the industry had resulted in high employee attrition rates and burnout. The situation is made worse by the fact that there are far more security jobs than there are people to take them, according to the ESG-ISSA report.

"If you're a C-level executive, you should be thinking about the pressures on your security team and how you are managing that pressure," Schueler notes. Among the things you need to consider is your security maturity level, the partners that you might have on board to help you, and how effective that help might be.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ShelleyWestman
50%
50%
ShelleyWestman,
User Rank: Author
5/24/2018 | 1:29:26 PM
Cybersecurity Burnout and the Talent Gap
Thanks for sharing, Jai! Given the seriousness of the talent gap in cyber, the industry needs to work to ensure these critical employees don't feel burned out. Another layer to this is working to specifically retain female employees in the field. A recent study found that women represent more than 50% of college graduates in the U.S., but only 10% of cybersecurity professionals. If we're going to close that talent gap and retain employees, women should be a part of the solution. Making sure all employees have visibility, mentorship and support can hopefully prevent some of the burnout you mentioned.
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-0291
PUBLISHED: 2018-06-20
A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly. The vulnerability is due to improper validation of SNMP protocol ...
CVE-2018-0292
PUBLISHED: 2018-06-20
A vulnerability in the Internet Group Management Protocol (IGMP) Snooping feature of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code and gain full control of an affected system. The attacker could also cause an affected system to reload, resulting in ...
CVE-2018-0293
PUBLISHED: 2018-06-20
A vulnerability in role-based access control (RBAC) for Cisco NX-OS Software could allow an authenticated, remote attacker to execute CLI commands that should be restricted for a nonadministrative user. The attacker would have to possess valid user credentials for the device. The vulnerability is du...
CVE-2018-0294
PUBLISHED: 2018-06-20
A vulnerability in the write-erase feature of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to configure an unauthorized administrator account for an affected device. The vulnerability exists because the affected software does not properly delete sensitive...
CVE-2018-0295
PUBLISHED: 2018-06-20
A vulnerability in the Border Gateway Protocol (BGP) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the device unexpectedly reloading. The vulnerability is due to incomplete input validation of the BGP update...