No one should be surprised to learn that IT and cybersecurity jobs can be extremely stressful. Now, a convergence of trends has, in many cases, brought this stress to a breaking point.
Thanks to the explosion of the digital supply chain, organizations have more potential points of entry to their networks than ever before, each of which represents an added challenge for IT and security professionals. Cyber attacks and data breaches are becoming more common, with many organizations facing hundreds of intrusion attempts every day.
Meanwhile, new regulations designed to protect infrastructure and consumer data add to the list of rules and guidelines IT and cybersecurity professionals need to comply with. New tools designed to ease their burden can also contribute to alert fatigue and overall workloads. It’s no wonder there’s a skills shortage for many IT and security jobs.
Now, researchers are starting to quantify stress in jobs in information technology, and the numbers are shocking.
77% of U.S. corporate employees have experienced burnout at their current job.
That’s according to Deloitte’s Workplace Burnout Survey. In the same survey, almost 70% of professionals said their employers were not doing enough to prevent or alleviate burnout.
Burnout has become so widespread that it’s now an official medical diagnosis. The World Health Organization lists its symptoms as “feelings of energy depletion or exhaustion,” “increased mental distance from one's job, or feelings of negativism or cynicism related to one's job,” and “reduced professional efficacy.”
57% percent of workers in the tech industry are currently suffering from burnout.
That number comes from a survey of 11,000+ employees at technology firms conducted by Blind, an anonymous social network for tech workers.
The most burnout-prone firms on the list had numbers higher than 70% — that’s more than two thirds of the organization feeling burnt out at the same time.
65% of SOC professionals say stress has caused them to think about quitting.
In an age where it can be difficult to find enough skilled workers to fully staff a SOC, organizations can’t afford high turnover in these positions. And yet, almost two thirds of SOC professionals have thought about quitting their jobs due to stress, according to the Ponemon Institute.
Stress in the SOC could be partially due to alert fatigue. According to FireEye, most SOCs receive more than 10,000 alerts per day.
91% of CISOs say they suffer from moderate or high stress.
Stress in the cybersecurity department isn’t limited to analysts. CISOs and other cybersecurity executives face the combined stressors of day-to-day security and other business concerns, and more than nine out of ten CISOs are stressed as a result.
In the same survey from Nominet, 27.5% of CISOs said stress affects their ability to do their jobs. That raises another reason organizations should be concerned about IT burnout and cybersecurity burnout — stress in these departments could actually be increasing cyber risk.
63% of organizations are experiencing a shortage of IT staff dedicated to cybersecurity.
In addition, according to (ISC)2, nearly 60% of global organizations said their companies are at moderate or extreme risk of cyber attacks due to this skills shortage.
Why should employers care about burnout in the IT industry? Because if workers leave their positions due to stress, employers won’t necessarily be able to replace them. The skills shortage is acute, and filling job roles has never been more difficult.
Workplace stress is not an unsolvable problem.
So what can employers do to prevent IT and cybersecurity burnout?
They can start by implementing policies that help prevent burnout, like increased paid time off and flexible work-from-home policies. Workplace wellness programs that promote healthy eating, exercise, and meditation at work can also help.
In addition, employers can implement technology that makes employees’ work easier, using automation to reduce workloads or help with performance tracking.
Finally, Board members and executives must fundamentally change the way they look at their cybersecurity programs. Rather than a firefighting unit that’s charged with wiping out threats as they arise, the cybersecurity team must be a strategic part of the business, and cybersecurity goals should be aligned with business goals.
Using contextualized data to set reasonable goals and expectations for the cybersecurity program, while giving its leaders the resources they need to succeed, can help eliminate stress and improve security.