Burnout in cybersecurity is on the rise. The growing need to build systems resilient to attacks has placed increasing demands on IT departments. At the same time, the skill gap between employer needs and available employees has left many departments short-staffed. Add a blame culture and a general disconnect between companies and their IT departments, and we get the toxic culture many professionals struggle with today.
For Stress Awareness Month, join me in a mini-series exploring cybersecurity burnout, its causes, the needed culture changes, and what boards must change in their organizations. Let’s get started by looking back at how we got here.
IT within Organizations
In today’s workplace, computers are just a necessary evil. They are a requirement for us to perform our jobs efficiently, but they aren’t any more helpful than the stapler or pen on our desks. Yet, they are also expensive and tend to break at the worst possible moment.
Many office workers share this view on IT. Technology is making their lives harder than needed, and everything was better before computers came. Few see the benefits and strategic advantages computers have given us, especially those who interact with them daily.
Consequently, there is a divide between most companies and their IT departments. Many companies treat their IT department as a mere service provider. In their view, the department provides IT as a service to the company and doesn’t contribute anything significant to its bottom line.
In the other direction, IT often sees the rest of the company as inept. They are unwilling to learn, and we must beat them into submission with remedial training.
Thus, employees see IT as a combination of service providers and teachers sending them to detention. In the other direction, IT considers the rest of the company useless idiots who break IT systems and resist any “sensible” improvements.
Cybersecurity Incident Response
Yet, even within the IT department, the atmosphere quickly turns toxic following a cybersecurity incident. The blame game is persistent in post-incident analysis, and rather than learning from an incident and finding ways to improve the responses, blame gets shifted around.
Significantly, war-room-style meetings have evolved from a guilt-free, forward-looking strategy discussion into shouting matches. After a cybersecurity incident, 29% of IT employees quit to avoid the war room.
This misuse of the war-room-style meeting is appalling, as it perverts its original purpose. The war-room-style meeting is meant for effective communication and decision-making during an ongoing crisis. We shouldn’t use shorthand communication and quick back-and-forth for a post-mortem.
Leadership and Guidance in Cybersecurity
Yet a lack of training is the underlying issue behind most cultural and leadership problems. Many companies regard IT as a back-office task, so leadership development and guidance for new managers are often spotty. Consequently, managers are untrained and unhappy. Many are also underpaid and underappreciated.
This combination has led to cybersecurity managers quitting after ultra-short tenures. The average tenure for a cybersecurity or IT operations manager is now 18 months. In people management, this is not enough to make an impact.
Consequently, little mentoring or mentorship is available, which compounds the problem of disconnected and unhappy managers and employees. It also closes growth avenues for the remaining team members. They neither experience great leaders nor get the training to grow into these roles.
The issue is most apparent at the top. When the SEC proposed a new rule to have a cybersecurity expert on each board, there was an outcry that too few were available. At the same time, companies don’t invest in their cybersecurity leaders so that they can make strategic decisions and receive the training needed to become board members.
A New Cybersecurity Culture
If we want to reduce the burnout rate in cybersecurity, we need to change the culture many of us are experiencing. We cannot continue to see IT as a back-office service provider and expect them to provide first-class customer service on a shoestring budget. We cannot deny IT employees and leaders training and mentoring. We must stop blaming each other for incidents.
Currently, thousands of cybersecurity positions are unfilled. Let’s stop making the situation worse by burning out the few people who work in the industry.