For many years, security analysts have consistently prioritized their jobs over their mental health. Now, the cracks are starting to show. Burnt-out, overwhelmed analysts are another silent cybersecurity epidemic organizations have to manage. According to Gartner, 50% of cybersecurity leaders will move to different roles by 2025 due to workplace stress and burnout. CISOs need to address the lack of importance given to mental health before it's too late.

The adverse effects of ignoring security burnout

Burnout is included as an "occupational phenomenon" in the 11th Revision of the International Classification of Diseases (ICD-11). It is defined by the World Health Organization as a syndrome caused by the unsuccessful management of workplace stress. Energy depletion, feelings of negativity or cynicism towards one's job, and a decrease in personal efficacy are the three listed symptoms of burnout.

Security burnout affects business outcomes as much as it does individual efficacy. In a survey by Enterprise Strategy Group and the Information Systems Security Association, two-thirds of IT security professionals described their job as "difficult" and nearly half of them are considering leaving their jobs. This could lead to continuous shrinkage in SOC teams on top of the existing demand-supply gap. A smaller SOC team could mean increased risk of data breaches and a higher possibility of financial and reputational loss.

Addressing mental health issues in SOC teams

CISOs have a tough row to hoe. Along with the primary responsibility of improving the security maturity of their organizations, they are also tasked with fostering highly productive security teams. This involves addressing the various issues affecting the mental health of security analysts, such as burnout, motivation levels, and lack of security automation.

Four ways in which CISOs can approach this include acknowledging burnout in security teams, providing in-house support and healthcare, implementing an effective backup plan, and investing in AI-based security tools.

Let us explore them in detail.

  • Acknowledging burnout in security teams: Acknowledging burnout as a mental health issue in security teams is the first key step CISOs must take. The increasing shortage of skilled professionals has led to SOC teams handling tasks that go beyond their bandwidth and capacity. Security analysts and incident responders feel pressured to stay alert 24/7 as the constant threat of cyberattacks looms large. Acknowledging the existence of the issue on a large scale instead of brushing it under the rug can lead to the discussion of possible solutions and industry-wide best practices.
  • Fostering an environment of open communication: CISOs must encourage employees to prioritize their mental health, normalize asking for help, and utilize the services provided by the organization. Providing mental health support in the form of work-life balance, adequate time off, and backup for the analysts in case of work overload is a good start. Some organizations also provide internal healthcare facilities to their employees. For instance, Zoho Corporation offers employees access to in-house therapists and counselors to help them cope with workplace stress. Cybermindz, a non-profit organization championing the cause of mental wellbeing for security professionals, advises providing psychological downtime and an overall sense of safety and wellbeing at the workplace.
  • Implementing an effective recovery plan: A lot of CISOs are aware that they are responsible for situations which may result in immense loss for the organization. Remedial measures like investing in cyber insurance and implementing a foolproof, customized incident response strategy will go a long way in ensuring there is a plan B in place. This will help decrease the stress and burnout incident responders and analysts go through while dealing with security incidents. In case of a data breach, insurance will help the organization recover from data or revenue loss.
  • Investing in security analytics platforms: The advent of AI means organizations can now invest in security analytics solutions that automate menial tasks and free up time and resources for SOC teams. Analysts can prioritize issues that require their time as opposed to false positive alerts or less important incidents.

Every member at every level, whether it is a CISO, SOC manager, or analyst, may experience burnout. While analysts deal with an endless stream of alerts, CISOs and SOC managers have to confront the fear of being held responsible for any sudden cybersecurity incident as well as its repercussions.

There is a need for increased mental health awareness in security teams. Attackers continue to employ sophisticated techniques to breach enterprise networks and come up with new ways to deploy social engineering techniques. Foresight and proactive strategies are the need of the hour. Organizations have to prioritize creating an atmosphere of safety and mental well-being to ensure the best minds on the security team can perform to the fullest. This will not only address the issue of employee burnout but also enhance organizations' security posture and reduce the possibility of data breaches to a large extent.

© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.