“Cybersecurity stress is an industry wide epidemic among security professions. Burnout is a hard conversation, but it’s necessary for CISOs to face workplace stress before it compromises productivity, talent retention or individual well-being” (Henry, 2020).
Long work hours. Constantly changing priorities. Insufficient resources. High turnover. These are just some of the factors that a recent survey of Cyber Security professionals identified as the most stressful work factors that can lead to burnout.
In Cyber Security, there is a high-volume stream of information and tasks while there is a shortage of overall personnel. A recent worldwide survey of 1,400 IT and IT security practitioners, 73% said they believe their organization's IT security functions are typically understaffed due to difficulty attracting and retaining qualified candidates. (Ponemon Institute, 2019)
The shortage of cyber-personpower has significant impact not only on organizations, which struggle to fill the ranks, but also security professionals, who have to cope with the pressures brought by under staffing. (Gutman, Y. 2020). This increases the need for sustainable performance strategies.
Part of the recovery from job burnout is psychological or physical removal from the source of the stressors. In other words, workers will either disengage through apathetic presenteeism or voluntarily leave their jobs (Puleo, 2019).
The primary reason that 65% of IT and security professionals quit is burnout (Ponemon Institute report in Boyer, 2019).
The Study
Frank Angiolelli (partner and VP of Security Operations and Analytics at Indellible, LLC) and Dr. Geri Puleo (president/CEO of Change Management Solutions, Inc. and creator of the Burnout During Organizational Change Model, B‑DOC) conducted a survey in order to explore the underlying causes of burnout in Cyber Security professionals.
The 14-question survey of 38 Cyber Security professionals focused on understanding their perceptions of work-related stress as well as the specific workplace factors that contribute to the high rate of burnout in the field.
For how many of your current projects are you serving as a subject matter expert or stakeholder?
Do you believe you can complete the workload for your current activity or projects within 60 hours or less per week?
How many hours would you realistically need to complete all your weekly work tasks?
What types of external interruptions undermine your ability to complete tasks? (Check all that apply)
What percentage of tasks or projects do you feel you fully complete on time?
Are you proud of the quality of work that you routinely complete?
Do you believe you are given sufficient time and resources to meet performance expectations and time frames?
How many years have you worked in the Cyber Security industry?
How many more years are you planning to remain in the Cyber Security industry?
How many people report to you?
Of the total number of people who report to you, how many are direct reports?
Does your current workload support sustainable performance?
On a scale of 1 (least) to 10 (most), how stressed out do you feel in your current work situation?
What is the most stressful aspect of your job? (Open-ended question)
Cyber Security Workload
It was not surprising that participants routinely worked significantly longer hours than the standard 40-hour work week. According to the U.S. Bureau of Labor Statistics, the average number of hours worked per week by a full-time employee is 42.5.
Although the participants in our study stated that their weekly workloads required at least 64.5 hours to effectively manage projects, in practice the median number of hours worked weekly was closer to 73.5.
55% felt that their workload “rarely” or “never” supported a level of performance that was sustainable.
68% believed that their organizations provided them with insufficient time and resources to ensure that performance expectations and time frames were met.
As a result, nearly half (47.4%) admitted that at least half of their projects failed or missed timelines.
Only 15.7% said that they completed their projects on a timely basis.
Part of the problem may arise from their role as either a subject matter expert or stakeholder on an average of 15 projects simultaneously – some participants served in either capacity on as many as 30 projects. But as the number of projects escalated, participants’ belief that the work could be completed within a 60-hour work week plummeted.
"In its simplest form context switching is jumping between various, unrelated tasks.” This context switching has a negative effect on productivity (Gopher et al, 2000). In addition to the productivity impact, excessive task switching can affect memory (Mayr et al, 2000).
Cyber Security Tipping Point into Burnout
Of particular interest in this research was the perceived level of stress experienced by Cyber Security professionals. On a scale of 1 (low stress) to 10 (high stress), the average self-reported stress level was 6.3 – which is somewhere in the upper-middle range of the scale.
On a scale of 1-10, a score of “7” was identified as the self-reported stress level that indicated the onset of burnout.
To have practical implications in the industry, we also wanted to determine what triggered movement into this “tipping point” into burnout. In other words, what specific workplace stressor was most often identified as contributing to scores associated with feeling highly stressed out?
Participants were asked to select each external interruption (workplace stressor) that they believed undermined their ability to complete tasks. The list of common interruptions included security incidents, leadership inquiries, scheduled or unscheduled meetings and conference calls, Cyber Security news, urgent email requests, instant messages, status reports, and technical issues.
The volume and numerous directions by which interruptions and information may flow can cause an excessive level of polychromic communications. This in turn may reduce employee productivity (Garret & Danziger, 2007).
In the final question on the survey, we offered participants the opportunity to describe in their own words what they believed was the most stressful aspect of their jobs.
In order to identify the “tipping point” into burnout, we compared the participants’ stress levels, specific external interruptions, and most stressful aspects of their jobs.
We discovered that leadership negatively affected the descent into burnout more profoundly than any other variable.
Leadership behavior contributing to this overall experience were reported as:
Shifting priorities (see more on Context Switching here-https://socology.org/wiki/index.php?title=Context_Switching)
Inadequate organizational planning (see also Organizational Thrashing https://socology.org/wiki/index.php?title=Organizational_Thrashing)
Paperwork, bureaucracy, or politics
Organizational processes that are obstacles to performance
Insufficient resources in relation to needs and expectations
Failure to share long-term plans with the Cyber Security team
Demands for “instant gratification” in Cyber Security projects
Unrealistic, conflicting expectations and directives
Lack of caring, conviction, responsibility, and accountability for proactive prevention controls
Incompetence
A recent study found that Cyber Security and IT professionals were attracted to the field not only due to the technical challenges, but also due to the moral implications associated with security work (DeNisco Rayome, 2019). This feels significant.
The participants in our survey also took pride in their work and, despite the prevalence of poor organizational leadership practices, strive to complete projects efficiently and effectively. But as leadership driven obstacles increased, their ability to complete all of their projects in a timely manner decreased –a chronic gap that frustrated and increased their stress levels.
Therefore, there is a correlation between the Cyber Security professional’s pride in work, organizational leadership practices, percentage of work completed, and stress level.
Burnout’s Impact on Creating Sustainable Performance in Cyber Security
Cyber Security requires 24/7/365 diligence. These professionals are motivated by the technical challenges of effectively responding to increasingly sophisticated threats as well as the moral responsibility inherent in their work. But the continuing skills gap and high turnover require them to dedicate more time and energy to offset these shortages. Accordingly, a recent study (Henry, 2020) comparing the work experiences of security workers with that of the “average” American employee found that they:
· Are more than twice as likely to report poor work-life balance (44% vs. 20%)
· Are more than 5 times as likely to worry about job security (32% vs. 6%)
· And are more than 3 times as likely to NOT take full vacation days (89% vs. 28%)
In addition, 71% of participants in a Ponemon study (Henry, 2020) self-reported that they were on call 24/7/365. In a recent survey commissioned by Nominet, 60% admitted to “rarely” disconnecting from their work role (Collett, 2019). Burnout is, therefore, a constant challenge for Cyber Security professionals.
In our study, a stress level of 7 was seen as the “tipping point” into burnout. Based on our analysis, we believe that this “tipping point” arises from the added strain of dealing with unrealistic deadlines and other demands associated with poor leadership.
Because our participants’ average self-reported stress level was 6.3, this indicates that they are dangerously close to experiencing a debilitating burnout (level 7).
This echoes additional findings in the Nominet survey of CISOs, in which 91% identified as being “moderately” or “highly” stressed – of which 26% admitted that their feelings of stress had manifested in physical or mental impairment (Vijayan, 2019).
A 2017 survey by Enterprise Strategy Group and the Information Security found that Cyber Security professionals are involved in a perpetual battle to keep their enterprises safe from the constant onslaught of attacks – but the continual lack of resources and support to perform this essential function is leading to a high rate of burnout (Vijayan, 2018).
The American Institute of Stress identified these characteristics of the job and work environment as precipitating factors to higher employee turnover, decreased productivity, and absenteeism – all warning signs of burnout. Burnout cognitively impairs its victims, reducing their ability to effectively solve problems and make decisions. In other words, burnout reduces their ability to efficiently ward off a Cyber Security threat.
As more Cyber Security professionals operate at their limit, the probability of burnout significantly increases.
Behaviors to Avoid
Based on our findings, it is not the workload per se that is the primary workplace stressor contributing to burnout. Nor is it the rapidly changing technology or cyber threats.
The “tipping point” into burnout for Cyber Security professionals appears to be the lack of respect, poor planning, and unrealistic demands made by organizational leaders.
Our study reinforced the findings of the Burnout During Organizational Change Model, or B‑DOC (Puleo): it is the quality of organizational leadership that most profoundly influences the emergence of burnout. Using a grounded theory methodology, B‑DOC’s qualitative research identified 10 workplace stressors most frequently self-reported by participants as contributing to the onset or “tipping point” of burnout:
Top 10 List of Workplace Stressors Associated with Burnout
1. Leadership
2. Lack of organizational caring
3. Role of other workers
4. Politics or sabotage
5. Lack of resources
6. Overemphasis on ROI
7. Work overload
8. Poor communication
9. Unethical or illegal requests
10. No vision or direction
Despite decades of leadership training, the findings in the B‑DOC Model and our study into the causes of Cyber Security burnout reveal that effective leadership remains elusive.
Cyber Security professionals thrive in their ability to effectively thwart increasingly sophisticated attacks on their enterprises. They gladly toil longer work hours than the average American worker in order to meet these demands. But they are frustrated by what they perceive as organizational impediments that prevent them from doing their jobs to their utmost ability: the lack of resources, poor planning, and conflicting directives issued by organizational leaders.
In other words, it is not the inherent pressure required to perform the tasks of the job that lead to burnout. Rather, it is the actions of managers and leaders who profoundly influence the degree of stress experienced by workers.
Recommendations
Based on our study, we recommend the following actions be implemented by organizational leaders. We believe that these steps will minimize the emergence of burnout, which impedes effective responses to Cyber Security challenges and threatens the daily operations and survival of the organization.
Include Cyber Security professionals in the planning of initiatives that may expose the organization to technological threats.
Formally and informally recognize the Cyber Security staff’s energy and commitment that routinely extends their work week beyond 40-60 hours.
Create project intake process in order to prioritize workloads. Ideally, sufficiently staff the department so that no employee is required to work longer than a 60-hour work week – work with local universities to ensure that a supply of potential junior level Cyber Security experts is available.
Schedule regular two-way communication with all stakeholders to identify the resources that are necessary to complete projects on time and on budget.
To create sustainable performance, encourage Cyber Security workers to take time off as needed – without time to recover after the completion of a grueling project, the likelihood of an effective response to an attack is compromised because they are emotionally and physically exhausted.
During exit interviews, ask about workload and other organizational stressors that may have contributed to their decision to leave the organization.
Identify burnout as a potential threat to the survival of your organization – it is more costly to replace highly skilled workers than to take the necessary steps to create a culture of trust, engagement, and sustainability.
References
Boyer, S. (2019). We’re all at risk when 65% of stressed-out cybersecurity and IT workers are thinking about quitting, tech exec warns. CNBC.com.
Collett, S. (2019). 5 ways to curb cybersecurity burnout. CSOonline.com.
DeNisco, Rayome, A. (2019). Cybersecurity burnout: 10 most stressful parts of the job. Techrepublic.com.
Garrett, R. K., & Danziger, J. N. (2007) IM=Interruption Management? Instant Messaging and Disruption in the Workplace. Available at: http://jcmc.indiana.edu/vol13/issue1/garrett.html (Accessed: 04 November 2010)
Gopher, Daniel & Armony, Lilach & Greenshpan, Yaakov. (2000). Switching tasks and attention policies. Journal of experimental psychology. General. 129. 308-39. 10.1037/0096-3445.129.3.308.
Gutman, Y. (2020, March 13). How to keep your cybersecurity personnel. Retrieved from https://www.itproportal.com/features/how-to-keep-your-cybersecurity-personnel/
Henry, J. (2020). 9 reasons why cybersecurity stress is an industry epidemic. Securityintelligence.com.
Mayr, Ulrich & Kliegl, Reinhold. (2000). Task-Set Switching and Long-Term Memory Retrieval. Journal of experimental psychology. Learning, memory, and cognition. 26. 1124-40. 10.1037//0278-7393.26.5.1124.
Oltsik, J. (2018). Analysis: The most stressful aspects of being a cybersecurity professional. Cybersecurity Snippets.
Oltsik, J. (2019). Is the cybersecurity skills shortage getting worse? ESG Blogs.
Palmer, D. (2019). Cybersecurity staff burnout risks leaving organisations vulnerable to cyberattacks. Zdnet.com.
Ponemon Institute, (2019, April). Staffing the IT Security Function in the Age of Automation: A Study of Organizations in the United States, United Kingdom and APAC .
Rayome, A. D. N. (2019, April 16). 73% of IT security teams are understaffed, and CISOs are turning to automation for help. Retrieved from https://www.techrepublic.com/article/73-of-it-security-teams-are-understaffed-and-cisos-are-turning-to-automation-for-help/
Schueler, C. (2019). Why cybersecurity burnout is real (and what to do about it). Darkreading.com.
U.S. Bureau of Labor Statistics. https://www.bls.gov/charts/american-time-use/emp-by-ftpt-job-edu-h.htm.
Vaynberg, B. (2019). Dealing with cybersecurity stress. Mimecast Blog.
Vijayan, J. (2018). Growing job pressures increase risk of burnout for cybersecurity professionals. Darkreading.com.
Vijayan, J. (2019). High stress levels impacting CISOs physically, mentally. Darkreading.com.
About the Study Authors:
Dr. Geri Puleo, President/CEO - Change Management Solutions, Inc.
Dr. Geri Puleo is the creator of the Burnout During Organizational Change (B-DOC) Model, a research-based solution that defines the descent and recovery of workplace burnout. A frequent and popular keynote speaker, her TEDx Talk on Burnout v. PTSD: More Similar Than You Think has been viewed over 430,000 times on YouTube (https://www.youtube.com/watch?v=hFkI69zJzLI).
She is the President/CEO of Change Management Solutions, an eLearning and coaching company dedicated to eradicating workplace burnout in order to build employee resiliency. Holding both SPHR and SHRM-SCP senior HR certifications, she has been an entrepreneur for over 25 years, an author, blogger, career coach, university professor, and researcher.
Frank Angiolelli, VP of Security Operations and Analytics, Indelible, LLC
Frank Angiolelli is a veteran Cyber Security professional leading Security Operations, Threat Intelligence and Threat Hunting on a global scale for some of a largest financials and government entities in the world. A Patented inventor, copyrighted author, Snort rule author and creator of "Judo Threat Intelligence", Frank has presented original content security research at some of the top industry and government forums.
Architect and creator of machine learning systems for identifying large scale malfeasence online.
Creator of SocologyTM @ socology.org - The Empirical Study of Security Operations
Presenter - Wreck SIEM Noise, Judo Threat Intelligence, Society of Skeptics
Author of: Pioneering Criminal Online Sociometry, Dimensions of Evolving and Managing Security Operations, Several papers on Facebook Social Media Abuse by Malfeasant Enterprises and Counterfeiting Enterprises.
Creator of Three Principles of Judo Threat Intelligence:
1. Use the attackers energy against them
2. Maximum effect, minimum effort
3. Break their posture, execute the throw
This article presents a study with participants only from Cyber Security conducted by Dr. Geri Puleo and Frank Angiolelli. The study was conducted in Oct 2019 and followed up by interviews and discussions with Industry Professionals.