Helping Cybersecurity Teams Maintain Mental Health

A seemingly endless stream of ransomware, phishing, and other cyberattacks is taking a mental toll on cybersecurity professionals. 

The situation is so bad, according to an Australian non-profit support network for those in the field, that cybersecurity professionals are experiencing burnout at rates even higher than frontline healthcare workers.[1] Mimecast’s State of Ransomware survey found that 56% of cybersecurity workers are experiencing increased work stress every year, and 54% of respondents say that ransomware threats are having a negative impact on their mental health. 

Addressing mental health in cybersecurity requires a multi-pronged approach. Hiring additional cybersecurity staff can help to decrease workloads for teams short on talent, while adopting technology tools such as integrated detection and orchestrated response can reduce the time cybersecurity professionals spend determining when and how to respond to incidents. Above all, the key is an organization-wide effort to both understand the problems that team members are facing and work together to find the right solutions.

What’s Impacting Mental Health in Cybersecurity 

The stress of working in cybersecurity, with the combination of long hours and little time to recharge in between security incidents, has pushed many security pros to their breaking point. According to Mimecast’s State of Ransomware survey, 42% of cybersecurity professionals are considering leaving their role in the next two years due to stress or burnout. Separate surveys have put the figure even higher, suggesting nearly two-thirds of cybersecurity professionals are thinking about leaving their jobs.[2] 

Why do so many cybersecurity professionals feel this way? A recent report from Tines, entitled Voice of the SOC Analyst, offers some clues.[3]

• Staffing: Less than one-third of cybersecurity professionals say their teams are fully staffed.
• Workloads: Six in 10 professionals report having “more work than ever,” compared to only 14% who said they were working less.
• Tedious tasks: Nearly two-thirds of cybersecurity professionals say they spend at least half their time on manual tasks. Conversely, roughly the same number said at least half their work could be fully automated.
• Workflows: While low staffing and heavy workloads were the top day-to-day challenges, limited visibility into the overall threat landscape and poor processes also hindered job satisfaction.

Tellingly, cybersecurity professionals experiencing stress on the job don’t always get the help they need. According to a second report from Tines, State of Mental Health in Cybersecurity, only 57% of cybersecurity professionals say their workplaces provide mental health support, and just 54% say their employers prioritize mental health. [4] (It’s worth noting that workers based in the United States are more likely to receive support from their employer compared to those based in Europe.)

How Cybersecurity Burnout Hurts Organizations

Not surprisingly, organizations as a whole suffer in these situations. When cybersecurity professionals experience mental health issues, their motivation can diminish. That makes them less likely to comply with security protocols and best practices.[5] In turn, their companies become more vulnerable to cyberattacks — especially spear phishing attacks that are now specifically designed to target workers during the so-called “afternoon slump” when individuals are more likely to be distracted.[6] The more attacks, the greater the pressure on the cybersecurity team. It’s a vicious cycle.

Even if organizations can successfully stave off threats, working cybersecurity staff to the point of burning out or cutting corners can backfire in other ways. In August 2022, Twitter’s former head of security made headlines with a whistleblower lawsuit against the company for “extreme, egregious deficiencies” in its cybersecurity program and for misleading its board of directors and regulators about cybersecurity vulnerabilities.[7] 

Granted, Twitter is a unique company, but there’s still a cautionary tale here for other organizations, according to a Forrester blog.[8] Cybersecurity professionals are often hired with one mission in mind: to improve an organization’s overall security posture. If they feel they’re unable to do so — either because the daily grind of work no longer brings them joy or because their efforts to make improvements are stopped in their tracks — they’re less likely to go quietly. Organizations can expect these employees to take their talents elsewhere and not be shy about sharing the reasons they left, say Forrester analysts. 

5 Steps to Rebuilding Mental Health

Addressing the mental health of cybersecurity professionals can have a profound impact for workers and their employers. Research from workplace mental health resource provider Mind Share Partners found that employees who feel supported by their employers are more than twice as likely to stay at their company for more than two years, more than five times as likely to trust corporate leaders, and half as likely to report negative mental health symptoms lasting five to 12 months.[9] 

This support can take many forms and includes a combination of cultural changes, recruiting processes, and prudent uses of technology. Here are five tips to help organizations improve mental health among cybersecurity professionals.

• Encourage High-Level Conversations: Normalizing conversations about mental health can help to overcome the natural reticence among employees to betray vulnerability. Shamla Naidoo, the CISO at Mimecast partner Netskope, noted that security professionals rarely talk about their mental health because they fear “professional repercussions.” [10] The C-suite as well as the executive board need to know that cybersecurity professionals are facing pressure that puts the organization at risk.
• Recruit Efficiently: Naidoo added that, amid a cybersecurity skills shortage, organizations can ill afford to wait months to fill open positions with candidates who have the perfect resume. Exploring opportunities for non-traditional candidates and training employees in other departments with an eye for security are two ways to close the skills gap so teams don’t stay shorthanded.
• Boost Budgets: The Mimecast State of Ransomware survey found that 90% of organizations need more funding to combat ransomware, and they would benefit from an average budget increase of 28%. This may be a hard sell for companies looking to limit spending, but another figure helps cybersecurity teams make the case: For half of survey respondents, a single ransomware attack is enough to deplete 20% of the entire annual cybersecurity budget. An ounce of prevention may be worth a pound of cure.
• Train All Employees in Cybersecurity: Mimecast’s State of Email Security 2023 report indicates that employee mistakes — such as using weak passwords or using collaboration tools carelessly or inappropriately — continue to add to cybersecurity risks. Attacks that quickly spread from one employee to another are at near all-time highs, according to the report. Helping employees in all roles and levels of seniority identify and avoid these types of attacks and coupling training with advanced email security tools that automatically detect and isolate potential attacks, can ease some of the pressure on cybersecurity personnel.
• Reduce Cybersecurity Technology Sprawl: Most organizations use roughly 30 security monitoring tools, and cybersecurity teams receive thousands of alerts each day.[11] With few of these tools integrated, cybersecurity professionals stare down manual reporting, monitoring, and detection work that contributes to burnout. Here, integrated detection capabilities and orchestrated responses are well positioned to bring together best-of-breed products to streamline tasks, better use existing resources, and provide stronger protection across the organization. 

The Bottom Line

Burnout and other mental health issues are clearly impacting cybersecurity teams, and this is, in turn, leaving organizations even more vulnerable to cyberattacks. Hiring additional staff and promoting a workplace culture that encourages employees to talk about their mental health are two key steps in addressing the issue. It’s also important for organizations to invest in cybersecurity tools that work with each other to give their cybersecurity professionals better insight into the risks their organizations face and to significantly reduce the manual tasks that make the job tedious, inefficient, and difficult. Read more about how Mimecast’s platform of fully integrated services can help alleviate the strain on your cybersecurity staff.

[1] “Cybersecurity professionals may be burning out at a faster rate than frontline health care workers,” Cybermindz

[2] “Security professionals are burned out. Here are 5 ways to help them.” Cybersecurity Dive

[3] “Voice of the SOC Analyst,” Tines

[4] “State of Mental Health in Cybersecurity,” Tines

[5] “State of Access Report 2021,” 1Password

[6] “Cybersecurity burnout is real. And it's going to be a problem for all of us,” ZDNet 

[7] “Former security chief claims Twitter buried ‘egregious deficiencies,’” The Washington Post

[8] “Forget Quiet Quitting — Tech Whistleblowers Go Out With A Bang,” Forrester

[9] “2021 Mental Health at Work Report,” Mind Share Partners 

[10] “Strategies for Addressing Burnout in Cybersecurity,” Netskope

[11] “Cybersecurity Tool Sprawl Drives Plans to Outsource Detection and Response,” Trend Micro