Cybersecurity teams are exhausted and miss vacations

As organizations continue to grow their digital footprint in the wake of the pandemic, they need to start caring for the employees who make this possible.

According to data from software company Tessian, 42% of chief information security officers – more commonly known as CISOs – missed important holidays like Thanksgiving due to work demands. But it’s not just holidays: 44% have missed a doctor’s appointment in the past year because of work, and 40% have missed a family vacation because of work obligations.

These employees are responsible for developing and implementing information security programs, which include procedures and policies designed to protect business communication, systems and assets against internal and external threats. Because of their importance to day-to-day operations, these work-life imbalances are not necessarily related to the pandemic, explains Josh Yavor, CISO at Tessian.

“The problem has always been there,” says Yavor. “Part of our job is to anticipate and prepare for unpredictable situations where we need to have timely and immediate responses that are also sustainable. And one of the takeaways from that is that we’re not doing a great job as an industry of getting to that sustainable part.”

A quarter of CISOs have not taken any leave in the past 12 months, working an average of 11 hours more than they are required to each week, while one in 10 works 20 to 24 hours more per week. Twenty-five percent of security managers said they spend 9-12 hours a month investigating and remediating every threat caused by human error, including when employees click the wrong link, install malware, or quit a password. More than a third of CISOs reported spending too much time on triage and investigations, according to the report.

The solution, according to Yavor, is to create a balance between what a company needs and what an employee needs, and not let the balance tip too much one way or the other.

“First and foremost, it’s about recognizing that we can’t control everything or predict everything,” Yavor says. “We know that [crises] are going to happen to someone in the safe space. And the most important thing for us to do is not to pretend it’s not. We [should] start with the expectation that we need to be prepared for this and instead focus on the results and experiences that really matter.”

Although business security and cybersecurity are critical and often require CISOs and their teams to work long hours, the consequences of an exhausted security department are far more serious. This demographic of workers is already experiencing above-average turnover rates, with an average tenure of 18 to 24 months, Yavor says.

Additionally, a recent case study conducted by software company Burning Glass found that the annual turnover rate for federal cybersecurity jobs is 18%, compared to 14% for all federal IT workers. These statistics will not improve if the industry can’t handle its burnout rates, with more than half of CISOs struggling to log off from work after the shift, Tessian found.

“This level of burnout carries over [to the whole] team,” says Yavor. “When they leave, it leaves the organization in a very bad situation because they cannot carry on their work effectively.”

These pain points will become more important and potentially permanent if not addressed, says Yavor. Employers and employees need to ensure that as offices progress and adapt to remote and hybrid arrangements, so does the way they deal with employees.

“[Burnout] is not security-specific,” Yavor says. “It’s true in customer support roles, it’s true in engineering – we can actually learn and mature as an industry and follow their lead.”
