A relatively small army of cybersecurity professionals, about 700,000 in total, is all that’s protecting America and beyond from a tsunami of cyber attacks and cybercrime.
And that army is beginning to break, mentally, overwhelmed by chronic stress and burnout that, according to some reports, has the majority of them considering quitting the job and the industry entirely.
And then what? Who will replace them? Even before Covid the world was experiencing a critical shortage of security experts. And even more are needed now that more than half of all employees in America have switched to working from home, creating a host of new security challenges and in turn further worsening the skills shortage.
This army of cyber first responders is being stretched to breaking point. Yet because so many security bosses are either too busy putting out fires, or too uncomfortable talking about mental health and feelings, the fractures will continue until it’s too late.
The Consequences of Ignoring Security Mental Health
- Security team members will simply quit, leaving the organization and the country even more vulnerable and potentially increasing the number and severity of cyber attacks.
- Even more dangerous, chronically stressed employees experience a significant impact on the cognitive functions essential to fighting cyber attacks – focus, attention, concentration, critical thinking, decision making, memory, engagement, commitment to the mission.
- Many security professionals already struggle with mental illness, especially anxiety, depression and PTSD. Chronic stress could be a tipping point for them.
- Cyber crooks are already recognizing how the mental exhaustion of security teams can create vulnerabilities, weaknesses, and opportunities.
- This means stress is now creating an entirely new type of insider threat: not just any employee, but the security team itself.
- As the issue becomes more publicized, it could persuade others to reconsider a career in security, further increasing the critical global shortage of security professionals.
- There have been massive increases in security attacks because of Covid, with one security firm reporting a 23,000% increase in certain types of attacks.
- With more than 60% of the working population working from home, security risks and workloads are surging, yet security budgets and hiring are not.
Endless Waves of Attacks
Security professionals are overwhelmed by the number, variety, and sophistication of daily attacks. According to a 2018 study from security firm Imperva:
- More than half of respondents report around 10,000 security alerts every day.
- 27% reported receiving more than one million threats daily.
- 30% admitted to simply ignoring certain categories of alerts.
- More than half reported being increasingly stressed because of the alert overload.
Other studies have suggested that nearly 90% of alerts are completely ignored and that, instead of reducing stress, alerts increase it.
A 2019 Ponemon study found that 65% of SOC (Security Operations Center) professionals say stress has caused them to think about quitting.
A 2019 Symantec study of nearly 3,000 security professionals found that almost two thirds of cybersecurity professionals have considered quitting their jobs or leaving the industry altogether specifically because of stress and burnout.
A 2020 survey by Nominet of 800 CISOs in the U.S. and the U.K. found that the vast majority of CISOs (88%) remain moderately or tremendously stressed.
- Nearly half of CISOs, 48%, said work stress has had a detrimental impact on their mental health. That was almost twice the previous year's figure.
- Nearly a third of CISOs, 31%, reported that their stress had impacted their physical health.
The average tenure of a CISO is just 26 months due to high stress and burnout.
About the PsyberResilience Project
The project launched in February 2020 as a survey to measure the extent and impact of stress, burnout, and mental illness amongst cybersecurity professionals.
The survey was halted a few weeks later as Covid hit and security stress levels were driven even higher, so it was no longer providing usable data.
The project is now focused on raising awareness, providing support, and encouraging CISOs to recognize PsyberResilience as an urgently important part of their security strategy and to give their team members the recognition and support they need.
About Neal O’Farrell, founder of the PsyberResilience Project
One of the longest serving security professionals, and there at the birth of the security industry.
50 years struggling with mental health issues, nearly 40 years in security, 30 years struggling with chronic stress, and finally quit because of burnout.
As one of Europe’s youngest security professionals, while still in his twenties he won the first contract to encrypt Ireland’s entire national ATM network, and got into trouble with the NSA for challenging America’s global resistance to unbreakable encryption.
Looking for Quotes and Commentary?
We have a comprehensive and growing list of security professionals who are willing to share their personal experience and perspectives.
We also have a list of mental health experts who can talk about how long-term stress can seriously impact mental and physical health and result in death.