Why burnout is a growing problem in cybersecurity
60 minutes ago Share Save Joe Fay Technology Reporter Share Save
Getty Images UK retailers have been severely disrupted by cyber attacks this year
When Tony was signed off for burnout from his cybersecurity awareness role at a major UK ecommerce company last year, it had been a long time coming. "Many of us in cyber, we put our hearts into our job. There's a lot of passion involved." He had found it progressively harder to sleep, and to go into the office. Tony, who did not want his real name used, recalls the Wannacry ransomware attack in 2017. "It was a Friday and something came up on BBC News." The security team got on a call that evening and the decision was taken to remove every single device from the network. "And it was Sunday afternoon that I came offline," he says. The firm hadn't been hit by the bug, he says. "It was all preparatory work." Tony said this pattern is currently being repeated across organizations trying to protect themselves against the Scattered Spider attacks that hit retailers and other businesses this year. And, he says, "I can't even imagine what the folks at Co-op and M&S have gone through."
Andrew Tillman Cyber security can be "the best job in the world" says Andrew Tillman
"If you think you might be burning out, you're already on your way there," says Andrew Tillman, former head of cyber risk and assurance for the UK's Health Security Agency. He says cyber security can, at times, be "the best job in the world". But when things get bad "it can be a bit of a dangerous place to be". Mr Tillman has suffered bouts of "burnout" himself through his four years at the agency. That stress is revealing itself in data collected by ISC2, the membership organisation for cybersecurity professionals. Its annual Workforce Study showed a 66% favourable job satisfaction rate in 2024, down four percentage points from the previous year. Burnout is a "major issue" for the sector, ISC2's chief information security officer Jon France says. He says professionals in the industry are increasingly being asked "to do more with less" which only increases stress and job dissatisfaction. "Cyber professionals rarely work nine to five", he adds, "Even if they do, they remain on call because threat actors don't adhere to office hours."
Part of the issue is that hackers have become more aggressive, prepared to target critical national infrastructure, or cripple health organizations with ransomware. Also, hackers backed by nation states are also accounting for more attacks, whether to carry out espionage, steal IP, spread misinformation, or cause disruption, or even seek financial gain on their own account. North Korean hackers, for example have become more active and adept at using cybercrime. Earlier this year hackers, thought to be working for the North Korean regime, stole $1.5bn (£1.1bn) worth of digital tokens from crypto exchange ByBit. US officials estimate that half of North Korea's foreign currency acquisition comes from cyber theft.
Getty Images Crypto exchange ByBit lost $1.5bn of digital tokens in a hack this year
As private and public sector organizations have digitized more of their operations, the ramifications of a cyber attack or data breach are more severe. Mr Tillman says: "There's always that conscious thought about 'if it goes wrong, how could this impact the individuals on the street? How could it affect their jobs, their livelihoods?'." Staff turnover is particularly pronounced in entry level roles, says Lisa Ackerman, former deputy chief information security officer (CISO) at GSK, and CISO Council strategic lead at Cybermindz, a non-profit targeting burnout in cyber security. Constant alerts from warning systems might compound the problem, presenting professionals with a barrage of data they have to make sense of. This could be a particular issue for the younger professionals in frontline roles and security operations centres. But non-frontline roles are not immune, says Mr Tillman. Managing risk and ensuring organisations meet compliance and regulatory obligations can be a challenge when other teams are desperate to get new applications or services live without considering all the security angles.
Cybermindz Lisa Ackerman says burnout is particularly common in entry level roles