Building resilience: How security leaders can protect their teams from burnout

Cyber threats don’t sleep. There’s a constant stream of new tactics, techniques, and procedures (TTPs) and Advanced Persistent Threats (APTs) for cybersecurity professionals to be aware of and defend against. 

The continuous monitoring of systems and the looming threat of a devastating cyber attack puts a huge amount of pressure on the shoulders of cyber teams. 

Coupled with the extreme shortage of talent and skills in the cybersecurity sector, burnout is a growing problem in the industry. 

We spoke to several cybersecurity leaders to learn more about cyber burnout and what can be done to reduce its impact. 

Why is burnout rife in cybersecurity?

The cybersecurity environment is primed to create high levels of burnout, with some of these key factors causing high levels of stress in the workplace:

• Increased threats: as technology develops, threat actors get better at attacking organizations. This constant vigilance can be exhausting as attackers only need to get it right once, whereas defenders must be right all of the time to prevent a breach.

• Lack of control: predicting when and how an attack will happen is difficult. So responders need to be ready for a real breach. This lack of control adds to the stress of cybersecurity roles. 

• Unrealistic expectations: many stakeholders don’t understand the technicalities of cybersecurity, which can lead to unrealistic deadlines and expectations.

• Long working hours: cyber threats are a 24/7 concern, meaning there’s plenty of overtime, especially during or after a breach.

Husam Shbib, Information Security Consultant at TrustLink, shared his experience of burnout in cybersecurity:

The cybersecurity domain is a very stressful career to pursue, requiring strong decision-making skills in various aspects. Additionally, mistakes in this field can be catastrophic, especially considering the 24/7 on-call responsibilities throughout the year. High workload, pressure, continuous on-call duties, high stakes, and accountability are a few causes of burnout.

The constant vigilance and “always-on” expectations of cybersecurity teams can take their toll.

Andrea Succi, CISO at Ferrari Group, also shares this sentiment:

Burnout is particularly prevalent in the cybersecurity industry due to the high stakes and constant pressure professionals face. 

 

Cybersecurity teams often deal with a high volume of threats, tight deadlines, and the ever-present knowledge that a single oversight could lead to significant breaches. The “always-on” nature of the job, coupled with a global shortage of skilled cybersecurity professionals, means many are working long hours under intense scrutiny. 

 

This relentless pace without sufficient downtime can lead to burnout.

Reducing burnout in cybersecurity teams

Invest in employee career development 

It’s easy to burn out when your career requires you to be “always on” but doesn’t provide any opportunities to advance or learn new skills. This is simply exhausting and unsustainable.

Cybersecurity leaders need to take the time to clearly define their employee’s goals and work with them to produce development and upskilling programs.

For example, a SOC analyst may want to learn more about penetration testing. So, they could perform a purple team activity with a penetration tester to see how they exploit system weaknesses. 

It’s proven that learning new skills can tackle burnout. In our cyber attack readiness report, we found that 62% of managers rated “opportunities to learn new skills” as the best way to prevent burnout amongst security staff.

 

It takes a proactive and caring leader to dedicate time to an employee’s career development. However, there is also a benefit for the organization with loyal cybersecurity teams that are better and more engaged with their roles:

I had the privilege of being able to implement several initiatives to combat burnout. For instance, I encouraged team members to schedule “no meeting” blocks dedicated to deep work or personal time. 

 

I also planned regular check-ins with my team to discuss workloads, motivations, and personal development goals. 

 

These measures had a significant positive impact on team morale and productivity. It’s a commitment I believe should be carried out in any approach to team management, reflecting a sustainable and supportive work environment.

 

Andrea Succi, CISO at Ferrari Group.

Adopt a human-centered approach to cybersecurity

We are only as secure as our cybersecurity team. It takes a human approach to facilitate seamless cybersecurity practices across an organization.

According to Statista research, 78% of UK CISOs agree that human error is their organization's biggest cyber vulnerability. This alarming figure shows the importance of having a human-centered approach, and less of a reliance on tools but an emphasis on techniques. 

Andrea Succi, CISO at Ferrari Group, suggests the following human-centered initiatives to combat burnout:

• Encouraging regular breaks and time off: Team members need to take regular breaks throughout the day and use their vacation time. This helps to prevent fatigue and maintain productivity.

• Promoting professional development: By investing in the growth and development of team members, we not only enhance their skills but also increase their engagement and job satisfaction.

• Implementing flexible work arrangements: Flexible work schedules can help team members manage their personal and professional responsibilities more effectively, reducing stress.

• Fostering a supportive culture: Creating an environment where team members feel comfortable discussing stress and workload openly can help in identifying burnout symptoms early and addressing them before they escalate.

• Leveraging automation and tools: Automating repetitive tasks and using tools to streamline workflows can significantly reduce the pressure on cybersecurity teams.

Boost employee engagement with CTFs

Providing employees with opportunities to showcase their skills and compete with one another in Capture the Flag (CTF) events can be incredibly rewarding. 

In our cyber attack readiness report, more than 70% of managers viewed team events like CTFs as a viable way to boost employee engagement.

Not only is it a great way for cybersecurity teams to bond and practice their career development. But it’s also an opportunity for managers to benchmark their team’s skills and identify areas for improvement, alleviating the pressures of tackling unknown issues. 

Make cybersecurity team's lives easier with awareness training

As we touched on earlier, human error can add a great deal more stress and vulnerabilities for cybersecurity teams to handle. Something that can lighten the load and help prevent teams from burning out is making cybersecurity awareness training compulsory company-wide. 

Here are some key ways to encourage good cyber hygiene at your organization:

• Have password strength requirements and change passwords frequently. 

• Teach your employees to avoid opening suspicious emails.

• Avoid downloading unknown content. 

• Encourage managers to limit access to data with strict administrative privileges. 

• Make it easy for employees to ask questions and know who to contact with any cybersecurity concerns. 

• Don’t push the blame onto users or implement phishing “tests” to catch employees out. Instead, encourage a culture of awareness. 

By eliminating common security risks at the source, cybersecurity teams can focus on more pressing threats, rather than fixing another successful phishing attack.

How individuals can tackle cybersecurity burnout 

While leaders can have a significant positive impact on lessening burnout within their cybersecurity teams, individuals also need to look after themselves. 

Cybersecurity is demanding, and there’s always something new to learn. However, taking the time to relax is not optional but is required to avoid burnout. 

I engage in activities unrelated to computers and digital devices at specific times every day. This practice keeps me away from digital screens, allowing me to focus on things like physical activities, reading books, playing chess, and learning new skills. 

 

Additionally, spending time with my family significantly reduces the possibility of experiencing burnout.

 

Husam Shbib, Information Security Consultant at TrustLink

There’s also the issue of FOMO when it comes to constant upskilling, but taking breaks will only make you better at what you do:

In my opinion, there's no one size fits all, but for me what works is making sure you take breaks when you need them. You're not going to fall behind if you give yourself a day or two where you don't think about cybersecurity to focus on what makes you happy.

 

Chrisostomos Kollaras, Penetration Tester at EY

Self-care and a solid routine can massively reduce the risk of burnout, as our very own ippsec, Cybersecurity Trainer at Hack The Box shares:

1. Establish some type of routine you do before you work. The best thing you can probably do is some type of low-impact aerobic exercise (bike, rower, elliptical) for 30 min. This will help your health, wake you up, and give time to think before starting any activity. However, if this doesn't work for you it can be as simple as taking a vitamin or something and saying once I take this I am going to start a task.

2. At the end of your productive day (ex: quitting time). Take 10 minutes to write down your wins for the day, I prefer physically writing them down, as you spend more time on the positives. Dont write down anything negative, spend this time on positivity. Not only will it help you become a more positive person but also lets you privately know what you can accomplish. There are plenty of times when I realize I didn't flip a page a single time in the week and catch myself before my discipline to start things slips.

3. Put your phone on DND Mode. If you require notifications from someone allow them, but mute everything else. Even work emails. For me, it is very easy to be focused on something, to have my phone go off and I don't know if it's important or not so I look at it. Often it's not important but then I look at other things and my productivity is killed. The 5 seconds it took me to see the notification ends up easily costing me 30 minutes and that's if I even return to the task.

Don’t underestimate the consequences of cybersecurity burnout

Cybersecurity burnout is a very real and present danger for CISOs and managers. The implications cannot be taken lightly which is why the above initiatives must be baked into your organization’s culture. 

Here are just a few consequences of burnout:

• Poor security posture: human error is one of the leading causes of security breaches. Burned-out employees = more mistakes. 

• Decreased productivity: to keep up with the demands of the job, cybersecurity employees can’t be stressed and burnt out. 

• High turnover: employees who aren’t looked after and engaged may seek a role at a company that has better well-being initiatives or less workload. With a talent shortage in cybersecurity, organizations simply can’t afford to lose employees.

• Legal consequences: if employees make mistakes that lead to data breaches, this could have legal liabilities. 

Be a proactive leader and stop burnout before it has serious consequences by investing in your employees and encouraging them to adopt a healthy work-life balance. 

Dan Magnotta (Mags22), HTB Federal Business Development & Capture Manager, Hack The Box Dan Magnotta is an accomplished professional in cybersecurity and intelligence operations with more than a decade of experience in the military and private sectors. His career began with dedicated service to the U.S Department of Defense, where he played critical roles in the U.S. European Command and U.S. Special Operations Command Europe, contributing significantly to cutting-edge cyber strategies. In addition to his civilian role, he serves as an LCDR in the U.S. Navy Reserve, showcasing his leadership and dedication as an Executive Officer for a Navy Reserve Unit. His expertise in cybersecurity, operational analysis, and strategic planning is extensive. At Hack The Box, he tailors solutions to meet the unique requirements of government agencies and organizations worldwide, leveraging his deep understanding of both military and civilian cybersecurity needs.