CREST report highlights problems of stress and burnout among cyber security professionals

A new report published by CREST looks for solutions to the increasing problems of stress and burnout among cyber security professionals, many of whom often work remotely in high-pressure and under-resourced environments. CREST – the not-for-profit body that represents the technical security industry including vulnerability assessment, penetration testing, incident response, threat intelligence and Security Operations Centres – highlights its concerns and suggests that more needs to be done to identify the early stages of stress and provide more worker support.

Recent statistics show that 30% of security team members experience tremendous stress, while 27% of CISOs admit stress levels greatly affect their ability to do their jobs. In addition, 23% state that stress adversely affects relationships outside of the workplace.*

“While most security professionals are passionate about what they do and thrive well under bouts of pressure, it’s important to recognise when this healthy and positive stress becomes unhealthy and detrimental to performance and well-being and, where people are working remotely, as many are, it can be really difficult to spot because of a lack of support and communication,” explained Ian Glover, president of CREST. “The problem can sometimes be compounded by the rise in complex attacks, long hours spent under a constant ‘state of alert’, the shortage of skills and pressure from senior management and regulators. Reported breaches are a frequent reminder of the business and reputational consequences if mistakes are made or malicious activity is missed.”

Main stress warning signs

David Slade, a psychotherapist and author of the new report, points to the main stress warning signs to look out for, which include anxiety, lack of confidence, making erratic decisions, irritability, a reduction in concentration, poor time-keeping and generally feeling overwhelmed. These factors can lead to bouts of insomnia, a decline in performance, the increasing use of drugs or alcohol, over- or under-eating, taking more sick days, withdrawal, a loss of motivation and even actual physical and mental exhaustion.

“As is the case in many high-pressure professions, it’s very rare for people in cyber security to seek professional help when feeling stressed or overwhelmed,” continued Slade. “We need to instil a culture of better communication and peer-to-peer support as well as encouraging practical measures such as taking regular breaks, exercise and holidays as well as introducing relaxation techniques such as mindfulness and having time set aside to discuss individual worries and concerns.”

The CREST report urges businesses and organisations to accept responsibility to ease staff stress levels by creating an organisational culture of openness at all levels and building a flexible environment in which individuals receive encouragement, advice and support. This includes access to sources of advice on mental health issues, training tools and workshops, along with stress and burnout self-help videos.

Given the increasingly acute skills shortage in cyber security, CREST also believes that more automation can play a part in taking the strain away from overworked staff, while the use of DevSecOps can help to move from a reactive approach towards cyber security to a ‘security by design’-style model.

Psychological needs

“Management’s urgent task is to ensure that the organisation flourishes in a way that serves both the people outside and the people inside with a way of assessing how well the psychological needs of both groups are taken into account,” urged Slade. “This would ensure that any change of structure or practice doesn’t impinge on these needs.”

The CREST report was born out of research conducted among its members and an open Access to Cyber Day that included stress and burnout workshops. “The level of interest and engagement in putting the report together was a clear demonstration of both the growing concern around stress and burnout in the industry, and the willingness to do something about it,” said Ian Glover. “If we want to retain the skills and experience we already have while also encouraging the best new talent into the cyber security industry, we need to recognise the problems and face up to the challenges to create exciting and stimulating careers, while providing the right environment and support.”

To download the full report visit: https://www.crest-approved.org/knowledge-sharing/research-reports-position-papers/index.html

*Nominet – Life Inside the Perimeter: Understanding the Modern CISO https://media.nominet.uk/wp-content/uploads/2019/02/12130924/Nominet-Cyber_CISO-report_FINAL-130219.pdf

*Symantec – Cyber Security in 2019, Chapter 1: Perfect Storm https://resource.elq.symantec.com/LP=7134?CID=70138000001J2pHAAS

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
