There are many examples of high Cybersecurity risk tolerance – which show the executives not paying attention to Cybersecurity professionals until it is too late.
Darkreading has another article on Cybersecurity burnout.
The issue is the long hours many Security professionals have to perform and the general thankless jobs as they try to convince executives and users to pay attention to Cybersecurity.
If the initial vulnerabilities which were increasing risk were paid attention with resources then maybe the Cybersecurity professionals would not have to work 50 hours or more per week.
(from article):
94% of American CISOs and 95% of UK CISOs reported working more than their contracted hours – on average, 10 hours per week more. In addition, 83% of American C-suite execs and 73% of UK execs confirmed they do, indeed, expect security teams to work longer hours.
The problem is that the people in charge have a large cyber-risk appetite, since the reality is the business will continue over the long term.
More Cybersecurity staffing issues are that someone has to fix and bring everything back to normal. Which is why the Cybersecurity professional is always working many hours, both proactively, during a breach, and after a breach.
So the Cyber IT professionals get burned out quicker than other professions. A psychological problem is also that the ‘problem’ of cybersecurity never ends.
From Bitsight – article 63% of organizations are experiencing a shortage of IT staff dedicated to Cybersecurity, and Workplace stress is not an unsolvable problem (or workplace stress can be solved).
The COVID-19 pandemic has shut down the country due to an additional couple of percentage points in deathrate , whereas a few percentage points in risk within Cybersecurity doesn’t make anyone more likely to pay attention. Admittedly “death” is a higher shock factor. But there are some hospitals that had lax cybersecurity which did not make necessary adjustments. (until too late)
So… how can we move in a general direction of solving this – since Cybersecurity will never equal the shock value of “death”.
How can burnout be solved? One needs a systematic method of helping the IT staff to reduce the number of “firedrills” that occur. How can that be done? the only way is to help the IT staff by prioritizing the tasks to be done – communicate with them that what they are doing is important and is very much needed in the organization. Overtime hours should be reduced to only when ‘absolutely’ necessary. more of a balance of life attitude should be undertaken.
The Obvious solution is to control Cybersecurity even when there is none by hiring an independent thinking person that will review the overall setup with this goal in mind (one must also be able to talk to executives). Remember one reason executives do not take cybersecurity seriously is due to their misunderstanding of some risks.
Contact Us to review your situation.