For the fourth year of our “The Future of Cybersecurity in Asia Pacific and Japan” survey, Sophos commissioned Tech Research Asia to ask questions about another somewhat taboo topic: the effects of mental health issues within the cybersecurity field. The results were astonishing: More than four out of five survey respondents reported some degree of burnout or fatigue, with one contributing factor (lack of resources/overwhelming workload) cited in nearly half of all responses.

The simple process of asking our respondents how they (and their organization) are doing, specifically how developed their cybersecurity culture is and whether fatigue or burnout has become an issue, led to some interesting conversations. Ironically, perhaps the most interesting of those conversations was about the lack of conversation between cybersecurity professionals and their leadership or board of directors. This gap suggests a set of endemic problems that have a direct impact on maintaining a good institutional security posture – not to mention an impact on the beleaguered teams tasked with the task.

What we have learned

Eighty-five percent (85%) of respondents said their employees were experiencing fatigue and burnout (two halves of a whole, as the survey put it). The sheer complexity of the cybersecurity industry and the findings in this report dramatically underscore the impact that endemic stress has on the individuals who make up the teams we expect to defend us. Again, that’s endemic stress, even before an incident has occurred. (Situational stress is probably an unavoidable byproduct of crisis situations, but when the crisis is endless, the stress becomes endemic.)

Digging deeper into the report, some of the top reasons for these overwhelming levels of fatigue and burnout wouldn’t come as a surprise to most: 48 percent said their burnout and fatigue were caused by a lack of resources, while 41 percent cited the monotony of routine activities. Overall, respondents perceived that the time lost to fatigue or burnout per employee, per week, averaged 4.1 hours—one-tenth of the “normal” workweek, if such a thing can truly be said in cybersecurity.

Surveys measure perception, and while having over 900 individual respondents to our survey is a reasonable statistical basis, perception can be difficult to translate into facts. Still, statistics like these should raise a level of concern that at the very least instills a sense of duty of care — to check in on those who may be feeling particularly stressed and struggling to keep up with the daily workload. The sheer volume of data and incidents is certainly a source of stress and concern, but one of the most disturbing findings from the survey is that it’s not just about the stress caused by attackers and the technology itself. In short, the call may very well be coming from within.

As mentioned above, lack of resources and job apathy are major issues surrounding cyber fatigue among our defenders. A significant portion of both of these issues can stem from poor hiring practices. When we listen to news outlets, governments, policy makers and organizations, we hear a common theme that many struggle to find and retain ‘talent’ in our vast industry. It is also far too common to hear of candidates working to penetrate ‘cyber’ only to find that the role they fill is not what they expected. But were they consulted, prescriptively, about what their roles would be? How many published job descriptions truly represent the job that awaits the successful applicant? Detection engineering, threat hunting, forensic analysis – these are all deeply entrenched technical specializations within our industry. But when we need someone urgently, are we clearly defining these roles and responsibilities?

I don’t think we do that as an industry, and that’s a problem. Mishiring cyber specialists for roles that don’t match their skills or career goals is a surefire way to set people up for failure. At best, they have to work their way up quickly into a new specialization; at worst, you’ve set them up to fail, with all the fatigue and burnout that will come not only to them but to the colleagues who will inevitably be affected.

In the final, worst case scenario, apathy starts to set in: “This is boring. I didn’t sign up for this.” It’s easy to infer that this could be one of the reasons why a practicing cybersecurity professional starts to resist their new role — they’ve been thrown in at the deep end and are expected to swim without coaching or guidance, since they’re now the one responsible for that role, whether or not it actually fits with their broader career goals and interests. This lack of support and resources creates more friction and prevents smooth operational defense against threats — to the point where 19% of respondents said such issues contributed to a breach.

Why aren’t we encouraging our cyber defense teams to do more of what they love and mentoring them to acquire better skills?

What needs to be done?

This sector urgently needs a better attitude towards a healthier cyber culture, and this needs to flow from the top of the food chain down to the individual practitioners. Overall, forty-nine percent (49%) of respondents said their company’s board members did not fully understand the requirements around cyber resilience; 46% said the same of their C-suite. This is worrying, because these are the people who should be held accountable. Risk begins and ends with them. They have the power to listen. They have the power to prioritize the company’s efforts to address the problem, either by leveraging existing staff skills and budgets or, if necessary, by reallocating resources to make the necessary changes.

Unfortunately, survey respondents reported that lip service and non-binding indicators from On High are the norm—and that their lack of understanding of their accountability obligations leads to an inaccurate expectation of how secure the company is overall. (And the lack of understanding at that level isn’t for lack of information; overall, 73% of companies brief their boards on cybersecurity matters at least monthly, with 66% of C-suites briefed at least that often.)

This staff crisis is, frankly, a matter of good risk management. It may be that making that case at the executive committee and board level will help to bring the picture into sharper focus: stress –> fatigue and burnout –> staff turnover, or worse. We’ve all read stories of how businesses large and small have fallen victim to cyber breaches due to employee error (or, again, worse). Let’s use these experiences as a starting point to help educate and drive attitude change around cyber resilience.

In fact, where regulatory fines from governing bodies have been levied on directors, board members, and C-level executives, it can be helpful to view this kind of legal and regulatory impact as a way to shift stress from the rank and file to the top of the organizational chart. Framing it that way can make leadership much more accountable and effect change. (Respondents would certainly agree; when we asked whether legislation and regulatory changes mandating board-level cybersecurity responsibilities and obligations increased a company’s focus on cybersecurity at its board or executive level, 51% said it had helped a little — and another 44% said it had helped a lot.)

Team leaders and middle management are crucial in identifying where employees are overly stressed and, at the very least, initiating conversations about relieving and avoiding stress. Be warned, however, that sophisticated management skills are required, as simply walking in and asking “what’s the problem?” will only further stress the employee.

There’s no quick fix for pervasive workplace stress. Attitudes toward better stress management, and indeed toward improving other problematic cultural issues in cybersecurity, have traditionally moved at a snail’s pace. But at least they’re moving, and tech leaders can move the needle in individual organizations even if they’re not at the top of the corporate food chain. Even relatively small steps can strengthen your cyber defender teams. Think about the most basic building blocks of their daily work: If your people are equipped with the right technology to minimize noise and repetitive tasks, and are empowered with processes to help them identify risks and communicate, they have a great foundation to build on.

Maintain a regular rhythm of communication with your team members, and understand the slightest signs of fatigue or burnout. It can be hard for managers to see these little stressors individually, especially since so many advocates pride themselves on their ability to “get through” bad work situations, but the cumulative effects of stress are a real vulnerability. (And learn to recognize the signs of stress in yourself and your colleagues. Management roles can be uniquely stressful, especially for those whose current roles involve less technology and more administration than they’d like.)

Managing stress and the human vulnerability that potentially leads to it for each of us is a skill that many organizations lack. Acknowledging stress and taking corrective action to minimize or mitigate it is a solid foundation for building a great cybersecurity culture. We hope that the simple act of asking how our colleagues are doing—and of normalizing conversations about a topic that is often avoided, celebrated as a sign of seriousness about the job, or even treated as taboo—can help infosec leaders achieve positive results in cyber resilience.