ASEAN Business News

The Cybersecurity Kids Aren’t All Right

By Aaron Bugal

The impacts of cyber threats are becoming more and more understood. Individuals are aware of the reputational, operational, and financial consequences of a cyberattack; however, there is one more risk flying under the radar.

Sophos recently published the Future of Cybersecurity in APJ 2024 report, which uncovered worrying truths about the mental health of cybersecurity professionals. Burnout, fatigue, and disconnection from board directors dominated headspaces – and with cyber threats becoming increasingly prevalent, the industry must find a way to address this detrimental sentiment.

A deteriorating disposition: the state of cybersecurity professionals’ headspace

The Future of Cybersecurity in APJ 2024 report found that, in Malaysia, 91 percent of respondents declared their employees had suffered, or were currently suffering from, fatigue and burnout. The two leading reasons cited for these overwhelming levels aren’t surprising: 58 percent said their burnout and fatigue were caused by a lack of resources, while 44 percent said their burnout was due to increased pressure from executive or board management.

Both of these contributing factors could be put down to poor hiring practices. It is now quite common to hear of candidates looking to break into ‘cyber’ and then find out that the position they’re filling isn’t what they expected it to be. But were they consulted, prescriptively, on what their roles would be? 

Mis-hiring cyber specialists into roles that don’t match their skill sets or career goals is a sure way to put employees on the back foot. Furthermore, a lack of support and resourcing breeds more friction, preventing smooth operational defences against threats — to the point where 19 percent of respondents stated that such issues contributed to a breach.

To help improve cybersecurity professionals’ mental health, organisations should support cyber-defenders to do more of what they like to do best, guiding them towards acquiring greater skills and knowledge.

Addressing culture from the top down

This industry desperately needs a better attitude toward fostering a healthier cyberculture, and it must begin from the top of the food chain. Overall, 49 percent of respondents said their company’s board members didn’t fully understand requirements around cyber resiliency; 46 percent believed the same thing about their C-suite. This is disturbing, as leaders of organisations play a vital role in improving cyberculture. They have the power to listen and address the problem, either using current staff skills and budgets or, if necessary, choosing to re-allocate resources to make the necessary changes.

However, this change must go further than only talking the talk. Survey respondents reported that lip-service and non-committal indicators are the norm – and that leadership’s lack of understanding of their accountability leads to an incorrect expectation of how secure the business is overall.

This personnel crisis is, frankly, an issue of proper risk management. It may be that making that case at executive committee and board levels will bring the issue into focus: stress causes fatigue and burnout, fatigue and burnout cause staff turnover, or something potentially worse. Everyone is aware of how small and large businesses have fallen to cyber breaches due to employee error. These lived experiences should be used as a starting point to help educate and bootstrap a change in attitude towards cyber resilience. 

It is also useful to highlight the legal and regulatory impact of cyberattacks on boards – phrasing it in a way that resets leadership’s expected level of accountability and drives change. Sophos’ report found that, in Malaysia, 98 percent of respondents believe legislation and regulatory changes mandating cybersecurity board-level responsibilities and liabilities increase the focus on cybersecurity at a company board or director level. 

Finding a path forward

There isn’t a quick fix to reducing pervasive workplace stress. Attitudes toward better stress management and improving other problematic cultural issues in cybersecurity have traditionally moved at a glacial pace. But at least they’re moving, and tech leaders can move the needle in individual organisations even if they’re not at the top of the corporate food chain. This can take place by: 

  • Considering the most basic building blocks of their day-to-day work: If employees are equipped with the right technology to help minimise noise and repetitive tasks and empowered with processes that guide them through risk identification and communication, they’ll have a great foundation to build on.
  • Keeping a regular cadence of communication: It can be hard for managers to see those small stressors individually, but the cumulative effects of stress are a genuine vulnerability. Learn to recognise the signs of stress in yourself and your peers as well. 

Ultimately, acknowledging stress and taking corrective action to minimise or mitigate it is a solid base for building a great cybersecurity culture. It’s our hope that the simple fact of asking how our colleagues are doing – and of normalising conversations around a topic that is often avoided – can help organisations to better drive positive outcomes around cyber resiliency.

The author is a Field CTO APJ for Sophos
