Today, new research from Adarma has revealed that organisations believe that they are at significant risk of cyberattacks due to stressed and exhausted staff. The report, entitled “A False Sense of Cybersecurity: How Feeling Safe Can Sabotage Your Business,” highlights the worry faced by cybersecurity professionals when it comes to security, the skills shortage, and poor wellbeing. Additionally, the report highlights how diversifying the talent pool can be instrumental in closing the skills gap and driving innovation.
The report highlights how wellbeing continues to be front and centre of many conversations in cybersecurity. Burnout continues to pose a significant risk, with presenteeism (showing up to work when you shouldn’t) proving a costly problem. But when security (and bottom lines) hang in the balance, it’s vital that leaders take action – and now.
The Adarma survey spoke to 500 cybersecurity professionals from UK organisations with over 2000 employees. Adarma found that over half (51%) of organisations believe their security operations staff are challenged, stressed, frustrated and/or exhausted, so it’s only a matter of time before mistakes are made, and some are burnt out and ready to quit. At a time when the cybersecurity industry already struggles significantly with talent acquisition and retention, it goes without saying that organisations cannot afford to lose staff to burnout.
Yvonne Eskenzi, Co-Founder of Mindful Security wellbeing and productivity app The Zensory, explains: “It’s no secret that cybersecurity professionals are burnt out and likely to encounter mental health issues. Statistics (like these Adarma ones) show the reality of this. The industry itself attracts highly skilled professionals who are willing to dedicate their lives to protecting others, as well as the businesses they work for, at any cost.”
“This often means working long hours at less than convenient times and often making sacrifices for the greater good. The harsh reality of the industry is that cybercriminals don’t sleep, and threats are constantly evolving – it’s enough to keep anyone up at night. But poor mental health in such a high stakes industry can have huge (and costly) effects. We know that employees who are stressed are more likely to make silly mistakes and honest accidents, like falling for phishing emails, putting further pressure on leaders and their businesses,” Eskenzi continues.
John Maynard, Adarma’s CEO, echoes Eskenzi’s point: “Cybersecurity professionals are typically highly passionate people, who feel a strong personal sense of duty to protect their organisation and they’ll often go above and beyond in their roles. But, without the right support and access to resources in place, it’s easy to see how they can quickly become victims of their own passion. The pressure is high and security teams are often understaffed, so it is understandable that many cybersecurity professionals are reporting frustration, burnout, and unsustainable stress. As a result, the potential for mistakes being made that will negatively impact an organisation increases. Business leaders should identify opportunities to ease these gaps, so that their teams can focus on the main task at hand, protecting the organisation.”
So what do security professionals believe is the solution? While there’s certainly no quick or easy fix, the findings revealed the importance and value of diversity in cybersecurity recruitment. Optimistically, two-thirds (66%) of professionals believe recruiting from a wider, more diverse talent pool would offer significant help with the cybersecurity skills shortage. Additionally, 35% would consider working with a third-party provider for diversity strategies and to benefit from a more diverse team of talent. In fact, nearly two-thirds (61%) of cybersecurity professionals believe that a lack of different perspectives and diverse representation is holding them back.
Elliott Wilkes, CTO at Advanced Cyber Defence Systems (ACDS), highlights the importance of diversity of thought in teams: “It’s a fact that there are currently more men than women working in tech and cybersecurity. As such, the industry has cruised on a culture of ‘machismo’ for too long… What we need, as people in positions of influence and majority (as men, but specifically white men), is to know when it’s time to step back and let others speak. We cannot innovate without a diversity of voices and tech (and cybersecurity), after all, is all about innovation and the future.”
As part of a recent interview with the IT Security Guru, Jack Chapman, VP of Threat Intelligence at Egress, said: “Diversity of thought is paramount. You see attackers coming from all backgrounds, all walks of life, targeting employees, especially in a social engineering firm, so it’s important to have that across your business.”
The security risk posed by a lack of skills, diversity, and the prevalence of poor mental health among cybersecurity teams exemplifies the real-world effects of burnout and talent shortages. The research revealed that over 40% of cybersecurity leaders feel like they have limited capabilities and expertise to fully understand the threats they face, while a further 43% say that they have some, little or no capabilities or expertise to detect and respond to potential threats in their IT environments. Concerningly, one in four (25%) respondents stated that they have limited capability or expertise to respond effectively to an incident at all.
John Maynard, Adarma’s CEO, continues: “One of the best things that can be done for team capability and performance is to fill it with diverse and thoughtful individuals. By diversifying the talent pool, new ideas flow and various perspectives can pave the way for innovation. Exploring non-traditional recruitment paths will help to further widen that talent pool by making careers in cybersecurity more accessible to a broader range of candidates. This could go a long way to easing the burden on overworked security teams while also providing opportunity for growth. Indeed, the well-being of the entire workforce, including the security department, must be prioritised and requires the right balance of reliance on technology and people. Ultimately, we want to see organisations strengthen their security defences, optimise resource allocation and invest in people’s capabilities. This will produce a strong overall security posture that can effectively protect against the evolving threat landscape.”
Based on these findings, Adarma’s report concludes with recommendations for security leaders and teams to enhance an organisation’s overall cybersecurity posture. The survey revealed that 28% of cybersecurity professionals believe their capacity for innovation is limited, with 60% attributing a major reason for being held back to the skills shortage. However, there are actionable ways for security teams to strengthen themselves. These include consolidating the security stack to improve efficiency, regularly reviewing security tool configurations, leveraging automation and AI and investing in the support of cybersecurity professionals’ wellbeing.