A new report published by CREST looks for solutions to the increasing problems of stress and burnout among many cyber security professionals, many of whom are often working remotely in high-pressure and under-resourced environments. CREST – the not-for-profit body that represents the technical security industry including vulnerability assessment, penetration testing, incident response, threat intelligence and Security Operations Centres – highlights its concerns and suggests that more needs to be done to identify the early stages of stress and provide more worker support.
Recent statistics show that 30% of security team members experience tremendous stress, while 27% of CISOs admit stress levels greatly affect their ability to do their jobs. In addition, 23% state that stress adversely affects relationships outside of the workplace.*
“While most security professionals are passionate about what they do and thrive well under bouts of pressure, it’s important to recognise when this healthy and positive stress becomes unhealthy and detrimental to performance and well-being and, where people are working remotely, as many are, it can be really difficult to spot because of a lack of support and communication,” explained Ian Glover, president of CREST. “The problem can sometimes be compounded by the rise in complex attacks, long hours spent under a constant ‘state of alert’, the shortage of skills and pressure from senior management and regulators. Reported breaches are a frequent reminder of the business and reputational consequences if mistakes are made or malicious activity is missed.”
Main stress warning signs
David Slade, a psychotherapist and author of the new report, points to the main stress warning signs to look out for, which include anxiety, lack of confidence, making erratic decisions, irritability, a reduction in concentration, poor time-keeping and generally feeling overwhelmed. These factors can lead to bouts of insomnia, a decline in performance, the increasing use of drugs or alcohol, over or under-eating, taking more sick days, withdrawal, a loss of motivation and even actual physical and mental exhaustion.
“As is the case in many high-pressure professions, it’s very rare for people in cyber security to seek professional help when feeling stressed or overwhelmed,” continued Slade. “We need to instil a culture of better communication and peer-to-peer support as well as encouraging practical measures such as taking regular breaks, exercise and holidays as well as introducing relaxation techniques such as mindfulness and having time set aside to discuss individual worries and concerns.”
The CREST report urges businesses and organisations to accept responsibility to ease staff stress levels by creating an organisational culture of openness at all levels and building a flexible environment in which individuals receive encouragement, advice and support. This includes access to sources of advice on mental health issues, training tools and workshops, along with stress and burnout self-help videos.
Given the increasingly acute skills shortage in cyber security, CREST also believes that more automation can play a part in taking the strain away from overworked staff, while the use of DevSecOps can help to move from a reactive approach towards cyber security to a ‘security by design’-style model.
“Management’s urgent task is to ensure that the organisation flourishes in a way that serves both the people outside and the people inside with a way of assessing how well the psychological needs of both groups are taken into account,” urged Slade. “This would ensure that any change of structure or practice doesn’t impinge on these needs.”
The CREST report was born out of research conducted among its members and an open Access to Cyber Day that included stress and burnout workshops. “The level of interest and engagement in putting the report together was a clear demonstration of both the growing concern around stress and burnout in the industry, and the willingness to do something about it,” said Ian Glover. “If we want to retain the skills and experience we already have while also encouraging the best new talent into the cyber security industry, we need to recognise the problems and face up to the challenges to create exciting and stimulating careers, while providing the right environment and support.”
To download the full report visit: https://www.crest-approved.org/knowledge-sharing/research-reports-position-papers/index.html
*Nominet – Life Inside the Perimeter: Understanding the Modern CISO https://media.nominet.uk/wp-content/uploads/2019/02/12130924/Nominet-Cyber_CISO-report_FINAL-130219.pdf
*Symantec – Cyber Security in 2019, Chapter 1: Perfect Storm https://resource.elq.symantec.com/LP=7134?CID=70138000001J2pHAAS