A mental health minefield: the increasing pressure on cyber security teams

The weight of stress and anxiety on cyber security professionals is mounting, it is therefore no wonder that many security leaders have experienced negative emotions at work, including depression, anger, and anxiety. Steve Cottrell explores the issue.

Anxiety and stress can have a corrosive effect on performance, decision-making, and workplace culture. They often stem from situations where we face problems that we don’t have clarity on. Unfortunately, that’s life in cyber security - where environments are complex, and sophisticated attackers frequently change their approach. The challenge is compounded by industry skills shortages and mounting pressure from the board. It not only threatens to imperil corporate IT systems and data, but also the mental health of security professionals. Finding a way through the storm should be a priority for IT and business leaders.

There’s no silver bullet solution. It will require offering help and support to staff where needed and taking more proactive steps to break the vicious cycle of overload and burnout. That means educating business executives and IT staff, in addition to finding the right tools to take the pressure off security teams.

A ticking time bomb

Even before the Great Resignation became a trending topic for business execs across the globe, the cyber security sector was deep in a skills crisis. In 2021 the global cyber security skills shortfall stood at 2.7 million workers globally, including nearly 200,000 in Europe and 33,000 in the UK. It’s especially tough on security operations (SecOps) teams working through mounting challenges in the security operations centre / center (SOC). Research shows that over two-thirds (67 percent) of security leaders feel they don’t have enough talent on their team. This puts them in a vicious circle of continuous firefighting, which in turn increases the strain on mental health.

This comes amidst unprecedented investment in digital and cloud systems with a shift to the new hybrid workplace - initiatives which have increased IT complexity and the corporate cyber attack surface. Supply chains are opaque and poorly managed, offering yet another avenue of attack for threat actors. But many security teams are labouring with multiple point solutions that do nothing to improve productivity. In fact, 92 percent are worried about their ability to spot legitimate threats amidst a growing volume of security alerts. They’re right to be. A third (32 percent) claim their organization suffered a ‘significant security incident’ over the past year.

As if this wasn’t enough pressure, additional hard facts remain lurking in the minds of security teams. The average cost of a data breach today stands at over $4.2m per incident, yet a recent ransomware compromise cost one global outsourcer over $40m. Unsurprisingly, most (94 percent) security leaders have felt increased pressure to keep their company safe in the past year. Yet often, CISOs and their teams are saddled with unrealistic expectations. Boards should remember that security is a shared responsibility, and this collective responsibility is only going to grow when considering 87 percent of security leaders believe recent high-profile attacks have meant the board is starting to take proper notice of cyber security.

Why mental health matters in security

The resulting impact on security professionals is increasingly severe. Research shows that over half have experienced negative emotions because of excessive work, including depression, anger and anxiety. A similar number have had sleepless nights over the past year, and over two-fifths have dreaded going into work. Half feel ready to throw in the towel.

This is unsustainable. A security function where half of the team is on the verge of quitting and many others are calling in sick creates an inevitable cycle of stress, staff shortages and greater risk exposure. Unmanaged anxiety and stress can also negatively impact memory retention and decision making. And it’s unlikely that the brightest and best young talent - a generation where work-life balance is of primary importance - will want to join this type of strained working environment.

Relieving the pressure

The good news is that there’s plenty we can do as an industry to help alleviate these pressures. But at the same time there’s no quick fix. Start with skills shortages. By widening the net and encouraging more neuro diverse talent into the SOC area, employers can help to alleviate hiring challenges. More thought should also be put into making the SOC a career destination in its own right, rather than a jumping-off point. That will help encourage greater retention, and a blend of experienced SecOps professionals and new blood.

Next, follow a threat-led test and learn model to move the organization to a more proactive, strategic approach with clearly defined security priorities. AI and better automation can also help eliminate repetitive, manual processes and prioritising alerts for analysts. This will enhance productivity and free-up analyst time to focus on more rewarding, high-value work.

Finally, organizations need to think about cultural change. Security is still viewed myopically as the sole responsibility of the CISO. Yet what happens if a board fails to sign-off on new tools or process changes per the CISO’s request, leading to a breach? Who is responsible then? The reality in this situation is that the Board themselves are accepting the risks outlined by the CISO and ultimately accountable for any breach as a result of failing to invest. The truth is that every staff member across the organization should come to see themselves as a quasi-security professional—invested in the benefits of getting security right and aware of the dangers of doing it poorly. This would elevate the role of the security function within the organization and, perhaps in time, lead to earlier engagement in business initiatives. When security is addressed in projects early on, it minimises the chances of reactive firefighting later down the line.

It's likely to be a long road ahead. But with the mental and physical wellbeing of hard-working security professionals at risk, the journey must start now.