Feeling stressed? Burnt out? Overwhelmed by the perfect storm of regulation, new threat vectors, well-funded adversaries, rapid technological change and the growing complexity of a sprawling IT estate? Well, you’re not alone. Burnout runs rampant in the cyber security industry.
Symantec, in partnership with psychologist and academic Dr. Chris Brauer, the Director of Innovation at Goldsmiths, University of London, has issued new research based on the experiences of over 3,000 cyber security decision makers. And it tells a harrowing tale.
Four in five are burnt-out and just under two thirds think about quitting their job or leaving the industry - and no wonder: When two thirds say they feel ‘set up for failure’, it’s evident that cyber security professionals face a battle they feel is difficult to win.
The full report is available here.
Looking around at the industry, this comes as no real surprise. The profession has always had acute moments of pressure, but it is becoming clear that the everyday role is reaching a state of chronic overload.
The problem isn’t that security staff aren’t good at their jobs, but that the job itself has become immensely challenging. The sources of stress are myriad:
- The threat of multi-million-pound data protection fines
- Matching wits with an increasingly well-resourced adversary
- Plugging a widening skills gap
- Being accountable for the security of an increasingly complex and sprawling IT estate, whilst not having meaningful control of said estate
- Having to fight to retain your already insufficient budget
- Taking on responsibility for increasing regulatory requirements
- Or knowing as you go home at night that you might already have been breached and you just don’t know it yet
Two in five reported concerns that they would be held personally liable for a data breach. Just over half feared dismissal if a breach happened on their watch. One of the most disconcerting findings of the report was that a third said the volume of threat alerts - the very thing aimed at helping them do their job - was making it harder to keep their organisation safe. Two thirds said they’d felt ‘paralyzed’ by the overwhelming volume of threat alerts. Four in five said that having ‘too many threat alerts to deal with’ was increasing stress.
There’s a cruel irony to the fact that tools and systems designed to help protect the enterprise are increasing stress. And it’s clear that this is already impacting the security of organisations. Most of the people we questioned (67%) said their cyber security teams left work at the end of the day with threat alerts left unreviewed. A third said their organisation is currently vulnerable to avoidable cyber security incidents. 41% expect a breach to be inevitable while a quarter acknowledge that they’ve already been hit by a cyber security incident that could have been avoided.
Sensory overload, fatigue and stress impair memory, disrupt rational thinking and negatively impact every cognitive function we have. We just don’t make very good decisions when we feel under siege by these stress-inducing factors. Yet the workflow of the average cyber security professional is more like spaghetti junction than a blank slate. Highly stressed workers are far more likely to be disengaged and ultimately quit. In an industry already suffering a skills shortage, this kind of stress can present a significant risk.
A Better Approach
If we maintain the status quo, the battle against hackers becomes a war of attrition that we will ultimately lose. They’re getting smarter, more determined, better funded and are working together to build more powerful tools. We must therefore do things differently.
It’s clear that the current patchwork approach to security tooling and strategy is creating more problems than it solves. Over the years, as each new vulnerability and technology emerged, so too did a new security bolt-on to protect it. The result is a patchwork of toolsets, telemetry and protection that increases overheads, bogs down technical talent, slows down digital transformation and fails to correlate information effectively. Each tool has its own corner of the universe to deal with, and there’s not enough oversight of enterprise risk.
There’s too much complexity, too many distractions, too much noise. To enable security staff to protect our businesses, we must reduce the chaos. Leaders must consolidate, automate and build long term strategic cyber-security plans to lift themselves out of this reactive state.
It’s clear that the current patchwork approach to security tooling and strategy is creating more problems than it solves.
This tension is underpinning a push towards simplicity and integration across the industry: fewer vendors, less complexity, and more centralized management. With this transformation the cyber security industry is entering the platform era.
Symantec’s own Integrated Cyber Defense platform is a response to the fragmentation, complexity and talent gap that we currently see within the industry. It’s already received widespread recognition, not just from the companies using it, but also from the likes of analysts IDC and Forrester.
We’re bullish that the cyber security profession can turn-around this state of overload with the right talent, processes and tools. Our High Alert series, based on this research, will explore the key themes of cyber security overload and provide helpful guidance on how to overcome its challenges.
A mature, well-integrated cyber security function has the power to enable a business to take advantage of the wide-spread transformation taking place in technology today. Companies must address the complexity within their own cyber defense structures if they are to adopt a more strategic approach and protect cyber security talent from overload.