This article is part of our Essential Guide: Information security in 2022 – managing constant change

How can I avoid an exodus of cyber talent linked to stress and burnout?

Cyber security professionals have played a crucial role during the pandemic, yet many feel like their employers aren’t providing adequate mental health support and have considered quitting their jobs as a result. What can employers do to help them?

IT security teams have seen unprecedented mental health challenges since the Covid-19 outbreak two years ago and the subsequent increase in cyber attacks. In fact, research from VMWare shows that 51% of cyber security professionals have felt extremely stressed and burnt out during these tough times.

Because of increased levels of pressure, stress and other mental health struggles, a staggering 65% of cyber security professionals have thought about quitting their jobs altogether.

With cyber security playing a vital role in today’s highly digitised society and the industry plagued by severe talent shortages, organisations must avoid an exodus of IT security professionals. But experts believe they can only do this by improving mental health in their cyber security teams.

Many cyber security professionals experience burnout as they need to complete high-pressure, timely tasks on a daily basis, explains Therese Schachner, a cyber security consultant and technical writer at VPN Brains.

But over the past two years, their mental health has been put to the test due to growing workloads associated with the rise of remote working. Schachner tells Computer Weekly: “For example, the widespread shift to remote working has resulted in increased stress and higher workloads for cyber security professionals, who have had limited time to implement cyber security protections that accommodate remote workers’ new technology needs.”

“Remote working has resulted in the increased usage of technologies, such as VPNs and remote access, with significant vulnerabilities that attackers have leveraged to initiate cyber attacks, and cyber security teams have been working hard to prevent and mitigate these attacks.”

While the importance of cyber security has increased in the pandemic, there is already a significant lack of talent in the sector. According to Schachner, this means cyber security teams have been understaffed despite organisations increasingly relying on them to thwart serious attacks. “As a result, many cyber security professionals feel overworked and eventually experience burnout,” she says.

Read more about IT and mental health

Schachner believes cyber security leaders can tackle burnout in their teams by creating a working environment where employees feel able to voice their concerns and provide feedback on how the workplace can be improved. 

“In a supportive work environment, employees are more willing to voice suggestions for more flexible scheduling, additional guidance and other needs, which can help them better manage their workloads and avoid burnout,” she says. 

“Cyber security leaders can also make sure their employees have sufficient breaks during the workday and enough time off from work to allow them to rest and recharge. Workplaces can also offer mental health and well-being resources that help cyber security professionals manage their stressful jobs and maintain a work-life balance.”

Preventing burnout 

Due to the critical nature of identifying and mitigating cyber attacks, security professionals are very serious about their roles and often find it difficult to unwind in their free time. Karen Worstell, senior cyber security strategist at VMware, says: “Safeguarding organisations is a mission and a mindset more than it is a job. 

“This inevitably leads to a sense of intense responsibility, and when people are extremely passionate about their work, they begin to ignore the signals their bodies are sending when they’re run down. Once you find yourself ‘powering through’, that is when things start to break down, and it can be hard to address without the right support.”

When it comes to supporting cyber security professionals, Worstell urges employers to take steps to identify and prevent burnout among staff always on high alert. A key part of this is fostering a workplace where cyber security professionals feel comfortable asking for support and identifying common warning signs of burnout. 

Such signs may include employees taking regular sick days or failing to engage with tasks, and cyber security leaders should respond by asking why these things are happening and how they can better support their employees.

“Businesses need to remember that showing empathy and advising self-care goes a long way, but organisations should also look to invest in building the resilience of their team through dedicated training and coaching initiatives,” she says. “If firms lead by example from the top, teams will appreciate feeling that it’s okay to slow down.”

But responsibility doesn’t just fall on cyber security leaders. Individuals must also understand the physical and mental causes of burnout and how to solve them, says Worstell. “If you find yourself feeling cynical and think other team members are making careless decisions because they don’t care about their job, that’s a big indication that burnout is right at your heels,” she says.

“Don’t let it become too late until you put things into perspective. Instead, take some preventative steps, such as identifying what you really want out of a cyber role, carve out time every week on something you enjoy personally to focus on separate goals, and surround yourself with people who’ve got your back – cyber security can be a rewarding job, albeit a fast-paced and lonely one.”

Senior leaders must act

Although a significant number of cyber security professionals are suffering from burnout and mental health challenges, they often lack appropriate support from their employers. ​​Shamla Naidoo, head of cloud strategy and innovation at Netskope, says: “Unfortunately, most organisations lack the support structure necessary to help their security functions through high-stress situations.”

Her view is that senior leaders need increased awareness of the stresses and pressures their cyber security teams experience daily. “Many security professionals don’t feel comfortable admitting that they are struggling because the personal and career penalties can be high,” says Naidoo. “Surveys tell us that many turn to self-medication or alcohol to cope. It is therefore on those of us who are fortunate enough, or senior enough, not to be afraid to speak out; to take responsibility for educating executive teams.”

If cyber security teams are to function as effectively as possible and contribute to long-term business success, she calls on companies to address the cyber security mental health crisis. “Professionals will not be able to perform at their best if their mental health is suffering, and, in a sector where talent is always in high demand, failure to properly support employees will make it far harder to attract and retain the best people.”

For businesses to improve mental health in their cyber security teams, the C-suite ultimately needs to take this issue seriously. But, according to Naidoo, security teams can help themselves by working to improve their work-life balance, and shouldn’t be afraid to ask for help if they need it. She also recommends that organisations invest in programmes and tools that can help security professionals handle stress.

“The role of a cyber security professional is both complicated and critical, and so we will always be under pressure,” says Naidoo. “It is an industry-wide issue, and the most important thing we can do is talk openly about it and be there for our colleagues, whether they express the need or not.”

Lack of support

Jinan Budge, principal analyst at Forrester, agrees that cyber security professionals don’t get enough support for their mental health. She says security professionals also exhibit poor mental health due to team toxicity, poor communication skills and stress caused by the pandemic. 

Budge tells Computer Weekly: “Business’s lack of support, understanding and commitment for cyber security issues makes it very difficult for cyber security employees to be happy, and part of an organisation where security is perceived as a tax. This culture will always be difficult for team members.”

She believes that security leaders need to be more conscious of their own mental health while encouraging their teams to manage productivity, lead with purpose, focus on the good of the business and maintain out-of-work priorities.

“Communicate at the appropriate frequency, with empathy, clarity and vulnerability,” says Budge. “Consider what it means to work in a new, borderless and stressful, normal.

“Some chief information security officers we spoke to coached their teams to work to their individual productivity rhythms, versus number of hours. The servant-leader model of leadership was widely discussed in our research.”

Other steps organisations can take to boost the mental wellbeing of cyber security teams include running employee surveys, offering professional mental health support, implementing a code of ethics, providing leadership training, asking employees to assess their managers, investing in training about issues such as bullying and sexual harassment, and increasing mental health budgets.

Feeling increasingly isolated 

Like many other industries, cyber security teams had to leave physical offices in favour of remote working when lockdown restrictions were introduced in early 2020. Sean Wright, application security lead at Immersive Labs, says this made many cyber security professionals feel isolated and resulted in poor mental health in security teams. 

“No longer could people simply reach out to others, in a face-to-face manner, and offload some of their frustrations and emotions with others, and while virtual calls did help, they can never replace the face-to-face interactions,” he says. 

But now that lockdown restrictions are easing and offices are reopening globally, cyber security professionals should hopefully feel less isolated and experience better mental health as a result.

“Thankfully, as things start to get back to somewhat of a normal, these face-to-face interactions are becoming a possibility again,” says Wright.

“It should never be underestimated how powerful these interactions can be, which is why I recommend periodic in-person meet-ups and team-building exercises. This will allow people to feel like part of the team and help prevent them from feeling so isolated.”

A lack of clearly defined roles and responsibilities could also be affecting the mental health of cyber security professionals. “Without having these clear expectations set, you will likely face employees placing unnecessary stress and extra burdens upon themselves,” he says.

As cyber security risks continue to increase, businesses can’t afford for cyber security professionals to leave their roles due to increased stress and poor mental health. Consequently, security leaders must take mental health more seriously, create an open workplace and provide their employees with all the support they require.

Read more on Data breach incident management and recovery