Cybersecurity professionals make our world safer and more secure every day, shouldering responsibility for the potentially catastrophic consequences that can follow a cyberattack. But behind the scenes, the demands of their jobs pose a threat of their own.
These professionals have long been focused on keeping the ball away from the goalie. Now, the balls are coming faster, from multiple directions, and with enough power to end a game. Like the businesses they work to protect, cybersecurity professionals are vulnerable to this changing threat landscape. And as threats compound and legal expectations multiply, too many organizations still employ security approaches akin to layering on individual bandages, rather than healing root problems.
The resulting wave of burnout is too obvious to ignore. Job stress continues to be the most common response to what keeps security teams up at night. Impacts from breaches are often immediate and tangible, as is the case with ransomware attacks that leave enterprises at risk of being unable to deliver mission-critical services.
There are clear steps technology leaders can take to alleviate some of the daily stress faced by enterprise safety's essential workers. But solving the problem will require prioritizing more than just cybersecurity. It must start by taking a hard look at technical landscapes that have grown overwhelmingly complex.
Keep It Simple
The pandemic accelerated digital transformation, essentially packing more than a decade of change into just a few years. This digital sprint increased the potential cyberattack surface and the number of skilled security professionals needed to protect a growing threat zone. Rapid advancement often occurred in environments with legacy assets purchased unsystematically, operated in silos, and incompatible with broader tech stacks. The compounding complexity multiplied risk, and remediating that risk multiplied the expertise required to manage it. With a limited number of experts dealing with all of the excess, exhaustion fueled human error and led to burnout.
There's one essential step IT leaders can take now to lessen the burden carried by today's cybersecurity professionals: simplify.
Leaders can start by identifying their organization's most critical business services and, if possible, moving them to the cloud. They can refactor applications to build in security and resiliency — a step that often fell to the wayside in the pandemic rush to modernize. They can retire every point solution they're able to, getting rid of the excess that contributes to a fragmented environment. Instead, they can work toward an integrated, interoperable infrastructure that gets back to the basics, including patching and vulnerability management solutions that are years old but get the job done.
In the end, technology tools don't singlehandedly solve security problems. The bigger-picture solutions depend on people and the choices they make. Embracing simplicity can not only cut costs and increase operational efficiency, but it ensures more manageable workloads for cybersecurity professionals, which reduces burnout.
If an organization has done everything possible to anticipate, protect, withstand, and recover from an incident, damage — including psychological damage to employees — can be minimized.
Following a resilient approach — proactively planning for cyber events instead of waiting to react — involves a mix of forethought and technology investment.
Organizations should put incident response plans in writing and make sure they're accessible in physical form outside of computer storage, which can be compromised. The next step is to practice the plan, and then practice some more, so that teams know exactly what needs to be done and who's doing what in the case of an incident. A carefully practiced plan combined with recovery automation, when feasible, can speed up what can otherwise turn into a 24/7 recovery effort.
Active Directory servers, a common target of malicious users, must be protected, as well as backup servers to ensure recovery isn't delayed. Using cyber vaults can also help organizations quickly bounce back from attacks. A faster recovery can ultimately help alleviate the grind that leads security teams to burn out.
To better support cybersecurity professionals, leaders can also ensure cybersecurity is a priority shared across the entire organization. Cyber-risk management should be a collective responsibility; incident responders shouldn't be the only first line of defense. A top-down approach is necessary. Security, resiliency, and recovery must be a boardroom priority. Among the C-suite's many responsibilities, they must insist on updating and testing business continuity and recovery plans on an annual basis, regularly conducting assessments to measure preparedness for risks and prioritizing vulnerabilities. They also must be confident that they can recover their systems and data from disasters and security breaches in a manner that meets their documented recovery time and recovery point objectives to protect their business.
Enterprises must adopt a secure-by-design culture, flipping the script on the historical approach of considering security as an afterthought and instead embedding security each step along the way to create software, architecture, and networks as impervious as possible to attacks.
Without a thoughtful approach that empowers security professionals, the initiators of burnout may continue to thrive. The strategy for avoiding burnout should be the same as our overall approach to security — a team effort focused on resilience and with a shared understanding that the more we can simplify, the better chance we'll have of getting ahead of challenges.