Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

5/23/2018
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Growing Job Pressures Increase Risk of Burnout for Cybersecurity Professionals

A new Trustwave survey shows information security executives and practitioners are under increasing pressure from trying to keep up with threats and compliance mandates.

The task of constantly keeping up with new threats and regulatory requirements has made cybersecurity something of a high-pressure career field for technology professionals in recent years. There are no signs that will change anytime soon.

A global survey of 1,600 IT professionals by Trustwave shows that a majority of cybersecurity executives and practitioners believed they were under more pressure at their jobs in 2017 compared with the year before. They expect 2018 to be no different.

Trustwave has conducted the same survey for five consecutive years, and each time survey respondents have reported increased pressure over the previous year. If the trend persists, expect one of two things to happen, says Chris Schueler, senior vice president of managed security services at Trustwave.

Either the pressure will push people to improved performance or it is going to cause them to crash. "Pressure to perform creates an overwhelming feeling that causes people to turtle up or become burned out quickly," Schueler says.

In the latest survey, 54% of the respondents reported experiencing more security pressures in 2017 compared to 2016, and 55% expect 2018 to be worse than last year. More cybersecurity professionals in the US (61%) feel that way than professionals in any other country, the Trustwave survey showed.

Advanced malware and zero-day vulnerabilities are the top cause for the pressure that security people feel on the operational side of things, with 26% citing that as a reason. Other top concerns include budget constraints at 17% and a lack of security skills at 16%.

The Trustwave survey also showed that phishing attacks and social engineering became more of a pressure-inducer last year, with 13% identifying that as a stressor compared with 8% who said the same in 2016. Somewhat surprisingly (considering all the concern over data breaches and attacker dwell time), only 11% of the respondents in Trustwave's survey identified malicious activity detection and compromise detection as contributing to their stress levels.

For cybersecurity professionals, a lot of the pressure comes from the constant reminder that peer industries and major brands are being breached daily and that they need to improve to stay ahead, Schueler says. "It's the only job in IT where there are people who are constantly trying to make your day bad," he notes. It's daunting to wake up every day with the constant worry of not knowing if your efforts have been enough, he says.

Adding to the pressure is the fact that many organizations are moving to a governance model that puts more pressure on security leaders and measures their effectiveness at reducing organizational risk, Schueler says.

One welcome result from the survey is the relatively bigger role that those closest to the security function appear to be playing these days. Thirty-nine percent identified board members, directors, the CEO, the CIO and other C-level executives as putting the most pressure on them. But that proportion is actually smaller than the 46% who said the same in 2017 and the 69% in 2016.

At the same time, a bigger proportion of respondents (27%) in Trustwave's most recent survey said pressure from direct managers had increased compared with 2016 (18%). "This is a very positive view because it indicates that the board has made cybersecurity a priority year over year and has shifted the ownership more to the people who are closest" to the function, Schueler says.

A 2017 survey by Enterprise Strategy Group (ESG) and the Information Security Systems Association (ISSA) shows that burnout is becoming a problem in the cybersecurity field. The perpetual battle to keep the enterprise safe against a constant barrage of attacks using suboptimal resources is wearing security professionals down, according to the report.

ESG and ISSA surveyed a total of 343 cybersecurity professionals. Sixty-eight percent strongly agreed that a cybersecurity career could be taxing on the balance between an individual's professional and personal life. Thirty-eight percent said the skill shortage in the industry had resulted in high employee attrition rates and burnout. The situation is made worse by the fact that there are far more security jobs than there are people to take them, according to the ESG-ISSA report.

"If you're a C-level executive, you should be thinking about the pressures on your security team and how you are managing that pressure," Schueler notes. Among the things you need to consider is your security maturity level, the partners that you might have on board to help you, and how effective that help might be.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ShelleyWestman
50%
50%
ShelleyWestman,
User Rank: Author
5/24/2018 | 1:29:26 PM
Cybersecurity Burnout and the Talent Gap
Thanks for sharing, Jai! Given the seriousness of the talent gap in cyber, the industry needs to work to ensure these critical employees don't feel burned out. Another layer to this is working to specifically retain female employees in the field. A recent study found that women represent more than 50% of college graduates in the U.S., but only 10% of cybersecurity professionals. If we're going to close that talent gap and retain employees, women should be a part of the solution. Making sure all employees have visibility, mentorship and support can hopefully prevent some of the burnout you mentioned.
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...