Author: Chad Loder, VP of Security Solutions at CyberSN
I’m not going to hit you with stats on how burnout is a huge crisis in cybersecurity.
OK, that’s not entirely true. But I think people in our industry already know we have a massive cybersecurity burnout problem. For the last few years the studies, the headlines, and the conference keynotes all sing the same refrain:
By almost every measure, burnout in cybersecurity is endemic and it’s getting worse. A 2023 study from Cybermindz found that cybersecurity professionals scored much higher on the burnout scale than the general population and, in some cases, higher than frontline health workers.The explosion of ransomware since 2022 has taken a particular toll on cybersecurity and IT professionals alike. Ransomware is particularly cruel, because it attacks both Availability and Confidentiality at the same time, plunging staff into a hellish scenario where they must try to contain a data breach while also struggling to restore business operations from a major, destructive systems disruption.
A recent survey found that 54% of cyber professionals report worsening mental health status due to ransomware alone.
“The only thing that literally wakes me up at night causing acute anxiety is thinking about the impact of a wide scale ransomware outbreak in our environment jeopardizing delivery of care to patients." - Healthcare CISO
Instead of continuing with statistics, I’m going to start with some surprising insights from the research to help clarify what burnout actually is (hint: burnout is not what you think).
Let’s dive right in. The research shows us:
Each of these points honestly deserves its own article, but I’m going to touch on just a couple of the salient ones for this article.
When you ask people to define burnout, most of them respond with something along the lines of “fatigue” or “exhaustion”. The widespread thinking goes something like this:
“Working too hard causes exhaustion, then your exhaustion begins to affect your performance, then you need to take time off so you’re not as burned out any more.”
This common misunderstanding of “burnout as fatigue” causes many leaders to fail at solving burnout with “comp time” – giving people extra time off then expecting them to return, burnout-free, to the same environment.
Fatigue is just one of several symptoms of a larger syndrome we call “burnout” that develops gradually in response to chronic work stressors. Professor Christina Maslach, one of the world’s leading researchers of occupational burnout, describes burnout as:
“[A] psychological syndrome emerging as a prolonged response to chronic interpersonal stressors on the job. The three key dimensions of this response are an overwhelming exhaustion, feelings of cynicism and detachment from the job, and a sense of ineffectiveness and lack of accomplishment.”
Burnout encompasses a person’s feelings about their future at work, their ability to affect meaningful change, their sense of professional pride, and their commitment to the team.
In her groundbreaking book “The Truth About Burnout: How Organizations Cause Personal Stress and What to Do About It”, Maslach breaks down the top six reasons for burnout.
They are:
When I say that burnout is not primarily an individual mental health issue, I’m not suggesting that burnout has nothing to do with mental health. Burnout clearly can have major effects on a person’s physical and mental well-being.
That said, conceptualizing burnout as purely an individual mental health issue overlooks the organizational root causes by placing the burden on individuals to become ever-more “resilient” as a way of coping with unsolved structural issues.
In their recent article “Resilience is an Adverse Event: A Critical Discussion of Resilience Theory in Health Services Research and Public Health”, researchers Brianna Suslovic and Elle Lett write about the resilience-as-treatment paradigm:
“We argue that this represents a fundamental mismatch of intervention and problem; offering an individual-level solution to a structural toxin. In doing so, we re-contextualize resilience as an adverse event, more analogous to scar tissue than a reliable treatment paradigm.”
This point is key to understanding cybersecurity burnout and its relationship to diversity, equity, and inclusion. Hyper-individualistic approaches to "resilience", without emphasis on organizational and community aspects, will often be felt first (and acutely) by team members who have one or more marginalized identities - because burdens tend to accrue intersectionally.
I’ve been studying the twin problems of burnout and attrition in cybersecurity organizations for some time. It's a subject that I'm interested in, through both personal experience (having experienced burnout), and as a company founder, former CISO, and team manager.
I’ve interviewed countless CISOs and practitioners, pored over data from dozens of surveys, studied research from other industries, and talked at length with organizational psychologists who specialize in burnout.
The good news is that burnout is not inevitable. Not all orgs have the same problems with burnout. Some do much better than others, consistently - and we can learn from what they do and apply it to other orgs.
The bad news, for my studies, is that the research on burnout in cybersecurity has been mostly survey-based, with all the limitations that entails. In addition, the academic research was centered on the fields of patient care, maritime shipping, and aviation – understandable given that mistakes due to burnout in those fields can cause catastrophic loss of life.
CyberSN’s research suggests that cybersecurity professionals don’t leave companies for money alone. While an employee who leaves may ultimately end up taking more money elsewhere, the number one reason employees start looking for another job is because they feel “stuck” in their current role – unappreciated, with limited opportunity for growth, and limited ability to change the outcome.
This feeling “stuck” is often burnout in another guise, and it does not happen overnight.. This finding is borne out by the results of an ISACA study that reveals that the top non-pay reason cybersecurity employees quit their job is "Limited promotion and development opportunities". The number two reason? "High stress levels", with "Lack of management support" coming in at number three.
Cybersecurity burnout leads directly to attrition of key staff. In a 2023 (ISC)² study, nearly half of security leaders reported struggling to retain people with key skills. One in three leaders reported that at least one key security employee had "recently quit and had not been replaced".
It is far cheaper to retain talent than to re-hire it. The cost to replace a skilled employee is typically between 6-9 months of that employee's salary, according to SHRM, the world's largest HR association. This includes retraining, and lost productivity during the transition, but also causes feedback loops where other employees miss their targets due to unexpected attrition or slower-than-expected hiring, which then compounds the burnout problem on remaining employees.
Research from the fields of aviation and patient care show that burnout is a major contributing factor to catastrophic events leading to loss of life. Repetitive tasks carried out by human beings in complex systems with low fault tolerance, when combined with burnout, spells disaster. This begins to sound like most cybersecurity organizations.
Human error was cited by 74% of CISOs as THE most significant vulnerability facing their organization. Anyone who has participated in an RCA (root cause analysis) exercise knows that the so-called "simple mistake" is never simple - it is always a combination of organizational and technical factors which were left untreated (and unmeasured) until they exceeded the tolerance of the system.
In already-overworked teams, burnout and turnover quickly create a cascading effect, with remaining employees stuck with increased workloads while struggling to compensate for key knowledge leaving the organization.
Security operations teams rarely have the capacity to absorb extra work for long without experiencing this cascading performance and morale problem.
Burnout spreads quickly, but it spreads quietly. As a security leader, if you're not proactively managing your workforce to avoid burnout, you're courting unpredictability in precisely the area where the business needs predictability.
But how do we do this? How do we take occupational psychology research from other fields and apply it to cybersecurity? We start by looking at a large number of cybersecurity organizations and evaluating what the orgs with the best outcomes do better than the rest.
Feeling stuck in my research, I ended up having a series of deeper conversations with Deidre Diamond, my former business partner at Rapid7 and now the Founder and CEO of CyberSN.
It was these early conversations with Deidre about burnout, its relation to data breach risk, and what we need to do as an industry to solve the problems that ultimately led to me joining the CyberSN team.
Deidre and I both saw that burnout was a major issue that caused not only increased turnover, but increased data breach risk. What I hadn't realized is that CyberSN had a decade’s worth of data showing that not all cybersecurity organizations were suffering from burnout to the same degree.
This data shows that some cybersecurity organizations do markedly better at burnout than others; they do better at attracting, developing, and retaining talent; their people report being happier and more productive; and – importantly, the successful organizations all tend to share similar practices in how they manage their cybersecurity workforce.
In fact, CyberSN was already putting its expertise to use helping their clients optimize their security workforce using these practices.
Deidre and her team spent the last ten years building CyberSN into the nation’s leading cybersecurity talent firm. Because they had such a laser focus on cybersecurity and diversity from the start, they were able to take an extraordinarily analytical approach, going deep on a taxonomy framework to describe cybersecurity roles in detail.
CyberSN, just as a byproduct of being good at what they do, systematically recorded the factors that motivate tens of thousands of people to either stay at or leave cybersecurity organizations.
This led to CyberSN applying their insights to help clients implement the practices required to attract and retain top talent in a competitive industry. Once I started to understand CyberSN’s platform and their approach, I was super excited at the prospect of joining the team and working with clients to applying these insights to optimize their security teams and reduce their breach risk.
As part of their business model, CyberSN has developed a structured taxonomy for describing cybersecurity jobs that spans 45 functional roles. The taxonomy is aligned with NIST’s NICE framework but allows a far more granular and detailed breakdown to include specific technologies and vendor experience, with an optional percentage breakdown of how the person spends their time.
CyberSN's taxonomy is really impressive and it gets updated frequently. If you're a hiring manager trying to fill a role, go give CyberSN's job builder a try - it will help you think more clearly about the job!
Over the years, CyberSN refined their taxonomy and leveraged it across many thousands of cybersecurity job-seekers, across many thousands of interviews (both successful and not), and analyzed all those countless Hire/No-Hire decisions made across companies who CyberSN helped fill cybersecurity roles.
With this anonymized data, our taxonomy and gives CyberSN some really useful insights into questions like:
We will be doing more research using this data over the next few months, and we've got some interesting collaborations coming up that I can't wait to share with you.
What do the best security orgs do well, and consistently?
Building on CyberSN's expertise and research across hundreds of companies, we now offer a comprehensive Cyber Workforce Risk Management solution for select clients. The feedback from customers has been absolutely incredible.
The organizations who do the best job at attracting and retaining cybersecurity talent tend to do the following practices consistently, and well. This is not a complete list, and there's no one-size-fits-all approach. Each practice has to be considered and applied in its own unique organizational context, aligned to the organization's security strategy.
If you're interested in learning more about my upcoming research on burnout and breach risk, or if you want to see whether we can help your organization improve its cyber workforce optimization, get in touch.