Findings cast a spotlight on the growing pressures faced by information security workers and the need for more to be done to protect their mental health.
More than 40% of respondents in a Twitter poll run by Infosecurity Europe, Europe’s number one information security event, singled out human skill and expertise as the most important element of a successful cyber-resilience approach. The aim of the poll was to explore the importance of resilience in cybersecurity, that is the ability of an organisation and its cybersecurity professionals to prepare, respond and recover when cyberattacks happen.
With the number of cyberattacks faced by organisations growing on a daily basis and a projection that 146 billion records will have been exposed in the five-year period from 2018-2023, the pressure cybersecurity professionals are under has never been greater. Couple this with the threat of regulatory fines, reputational damage and the growing skills shortage – there are nearly 3 million unfilled cybersecurity positions at companies worldwide – it’s clear that protecting individuals and enhancing their resilience should be a key priority for organisations.
Human skill and expertise was the clear leader with 40.5% of respondents in answer to the question – ‘what is the most important element of a successful cyber-resilience approach?’. Next was implementing best practice at 22.5%, and 20.1% said governance and compliance. Implementing advanced technology was considered their lowest priority at 16.8%.
Paul McKay, Senior Analyst at Forrester Research, said: “Undoubtedly, human skill and expertise is the most important element of a cyber-resilience approach. You can have all of the technology and best practice approaches deployed in the world, but ultimately successful cybersecurity relies on the skills, ingenuity and cognitive ability of the human brain. Many of my clients have gaps in their security team caused by difficulties in finding enough people to fill open roles on their teams. This impacts them critically both in progressing their security programme, but more importantly, the mental, physical health and well-being of everyone else who are often doing heroic work making up for gaps in their teams. I don’t think I’ve ever seen security professionals under this much pressure.”
The poll examined the repercussions of the pressures faced by workers, asking information security workers the question, ‘have you ever made significant mistakes as a result of being overstretched or stressed at work?’ Over half said yes – 26.8% answered yes, significant errors, while a further 31.9% said yes, minor mistakes had been made. A quarter (25%) said no and 16.2% didn’t know. Unsurprisingly a recent report found that 65% of IT and security professionals considered quitting due to burnout.
Becky Pinkard, Chief Information Security Officer with Aldermore, said: “The average life span for CISOs is quite frightening. One of the last stats I’ve read it’s just 18-24 months. When you start to look at that and relate that back, literally anyone in cybersecurity will be able to tell you a time when they’ve made a mistake, whether that’s because they didn’t know what they were doing, were stressed out, or they felt under pressure from project management or timeline pressure, and we are constantly faced with the same constraints so it will always be an issue we need to recognise and deal with.”
Maxine Holt, Research at Ovum, said: “I haven’t witnessed anything directly but have heard of plenty of instances of security incidents and breaches that are accidental (don’t know doing wrong) or negligent (know circumventing procedures just to get the job done) in nature, and for sure some of these can be attributed to lack of time or stress. For example, having to follow a convoluted process to log a sale might be bypassed just because someone has a target that they must meet, it’s the last day of the sales period and a person’s job depends upon it. There is plenty of anecdotal evidence in both the private and public sectors.”
Employee mental health and well-being should be an essential consideration for all employers and none more so than those working in information security, but is enough being done? Responses to the question, ‘does your organisation provide mental health support to its employees who are responsible for dealing with a cybersecurity data breach or attack?’ were resounding with a staggering 45.5% answering no, 31.6% didn’t know and just over a fifth (22.8%) said they were being offered support.
Kevin Fielder, CISO at Just Eat believes organisations need to be doing more. He said: “It’s a high pressure, always-on role that can easily burn people out. Organisations need to really recognise this and provide support for their teams. As a manager I also try to make the team and working environment as flexible and supportive as possible.” He believes the best kind of support is an organisation that genuinely invests in it and makes support/counselling available to all, plus a team culture that is supportive.
Independent Researcher, Dave Edwards, said: “Security is a very stressful job, as risk decisions needs to be made. Good decisions are not always a popular choice, they can delay projects and cost revenue. Companies can do more, I have had a positive experience, although this is about company culture and organisational values; senior leaders such as CIOs, Directors, etc., need to lead and set an example.”
Nicole Mills, Senior Exhibition Director at Infosecurity Group, said: “We as Infosec professionals and leaders need to be resilient ourselves – developing new skills and on a personal level, being resilient to the stress and pressure facing people in our industry.
“Our poll clearly highlights that human skill and expertise is the most important aspect in building a strong cyber-resilience strategy and this is why organisations need to focus on providing a safe and supportive environment to protect their most important asset. By building the expertise of those involved at the sharp end of cyberattacks and taking measures to provide them mental health support will not only help to strengthen resilience, but it will attract and reassure those wanting to enter the industry.”