Cybersecurity professionals tasked with responding to attacks experience stress, burnout, and mental health issues that are exacerbated by a lack of breach preparedness and sufficient incident response practice in their organizations.
A new IBM Security-sponsored survey published this week found that two-thirds (67%) of incident responders suffer stress and anxiety during at least some of their engagements, while 44% have sacrificed the well-being of their relationships, and 42% have suffered burnout, according to the survey conducted by Morning Consult. In addition, 68% of incidents responders often have to work on two or more incidents at the same time, increasing their stress, according to the survey's results.
Companies that plan and practice responding to a variety of incidents can lower the stress levels of their incident responders, employees, and executives, says John Dwyer, head of research for IBM Security's X-Force response team.
"Organizations are not effectively establishing their response strategies with the responders in mind — it does not need to be as stressful as it is," he says. "There is a lot of time when the responders are managing organizations during an incident, because those organizations were not prepared for the crisis that occurs these attacks happen every day."
The IBM Security-funded study underscores why the cybersecurity community has focused increasingly on the mental health of its members. About half (51%) of cybersecurity defenders have suffered burnout or extreme stress in the past year, according to a VMware survey released in August 2021. Cybersecurity executives have also spotlighted the issue as one that affects the community and companies' ability to retain skilled workers.
The IBM survey found that 62% of US-based incident responders sought mental health support as a result of their job, but that 82% US companies had an adequate program and services in place to help their workers.
"I've worked some really big incidents in the past with some clients that were very prepared, and I found that was really fulfilling work to do," Dwyer says. "I have had other incidents, where the company's incident response process was not ready, and that was very stressful."
Incident response professionals have three main reasons for pursuing the profession, the survey found. Thirty-six percent cited a sense of duty to protect others and the business as their top reason, 19% pointed to their interest in problem solving, and another 19% cited the continuous opportunities to learn.
However, some of those reasons are also the causes of stress for incident response professionals. Half of those surveyed cited managing expectations from multiple stakeholders as a top-three stressor, while 48% cited their sense of responsibility toward their client or business as a top-three stressor. Incident responders are very dedicated to their work, with a third (34%) working 13 or more hours a day during the most stressful periods of the incident response process, the survey found.
"The general public is probably not aware of how much these men and women are working long hours to make sure that people's lives and businesses are not impacted," Dwyer says.
Practice, Practice, Practice
The survey looked at incident responders in 10 different countries: Australia, Brazil, Canada, France, Germany, India, Japan, Spain, the United Kingdom, and the United States. Spain had the highest rate of burnout (69%), India saw the most significant impact on relationships, and Brazil had the most cases of insomnia, according to the survey data.
The largest group (39%) found the most stressful period of responding to a cybersecurity incident to be the first three days; 29% found the first 24 hours to be the most stressful; and some (20%) considered the entire first week to be the most demanding.
Companies need not only to be prepared to respond to an incident, but also have practiced the response and have playbooks to make response-focused activity second nature and remove the stress from incident responders, says IBM Security's Dwyer.
"If I went to an organization and asked them to run a script on every system with 24 hours — how many could do that?" he says. "Organizations need to practice, practice, practice. Not just tabletop, but practice with purpose. Ask, 'What would happen if my business went offline for 24 hours and how do we deal with that?'"
Incident response is a firehose of experience that professionals have to be able to handle, and companies need to support the team as much as possible, Dwyer says. Mental health support is a good start, he says, but having a process in place to handle the early hours and days of an incident is better.
"Will every incident we respond to be a walk in the park? Probably not," he says. "However, we can make this life manageable. There is nothing like being a responder, but you grow as a person in ways like no other discipline."