Most cybersecurity pros took time off due to mental health issues

Cybersecurity and infosecurity professionals say that work-related stress, fatigue, and burnout are making them less productive, including taking extended sick leave – costing US enterprises almost $626 million in lost productivity every year, according to Hack The Box.

Cybersecurity has an essential role to play for businesses, clearly demonstrated by the inclusion of CISOs on the board. With increased numbers of threats rising 600% since the pandemic, the proliferation of criminal groups, and the emergence of new technologies, the industry is demanding elite performance professionals. However, the industry is facing a mental health crisis with 84% of workers experiencing stress, fatigue, and burnout.

The financial implications of burnout and stress

This poor mental well-being at work is costing the industry millions at a time when there is a rising skills shortage. 74% of cybersecurity professionals globally say that they have taken time off due to work-related mental well-being problems, with staff reporting taking an average of 3.4 sick days per year due to work-related mental well-being problems.

This is also translating into lost productivity with an average of 3.4 hours of work lost per month, or 5.1 working days per year to poor mental well-being. This lost productivity is costing the industry over $626 million per year for medium to large enterprises alone in the US.

Research also shows that there is a significant gap in understanding between the board and cyber teams. 90% of CISOs say they are concerned about the impact of stress, fatigue, and burnout on their workforce’s well-being, whereas only 47% of CEOs seem to be equally concerned about their cybersecurity teams’ stress, fatigue, and burnout on increased errors. This gap in understanding is not being prioritized across the board.

In addition, the gap is present in the reasons for burnout too. 66% of business leaders globally say that the top reasons why cybersecurity professionals are working over their contracted hours are due to increased numbers of cybersecurity threats and unpredictable threats after work hours.

Insufficient staffing and training fuel cyber burnout

In contrast, 89% of cybersecurity professionals say the workload, volume of projects to deliver, and the time needed to deliver tasks are the key causes of burnout. In addition, they are experiencing pressure to perform outside their skillset, which ranks as a second key cause of burnout with 66%.

This gap is causing an issue where businesses are trying to provide disconnected solutions. For the workload issue, only 44% of businesses are investing in additional temporary staff when teams are stretched to avoid burnout and stress. In addition, cybersecurity professionals are calling for a skillset-based solution yet only 47% of businesses are outsourcing upskilling platforms and providers to ensure employees have the latest training and tools to deliver against their roles.

“Cybersecurity professionals are at the forefront of a battle they know they are going to lose at some point, it is just a matter of time. It’s a challenging industry and businesses need to recognize that without motivation, cybersecurity professionals won’t be at the top of their game. We’ve worked with both cybersecurity and business leaders to understand the challenges the industry faces. What we’ve discovered shows just how difficult the job is and that there is a significant gap of understanding between the board and the professionals,” said Haris Pylarinos, CEO at Hack The Box.

“We’re calling for business leaders to work more closely with cybersecurity professionals to make mental well-being a priority and actually provide the solutions they need to succeed. It’s not just the right thing to do, it makes business sense,” concluded Pylarinos.

“Stress, burnout and mental health in cybersecurity is at an all-time high. It’s also not just the junior members of the team, but right up to the CISO level too,” said Sarb Sembhi, CTO at Virtually Informed.

“It’s a difficult topic to navigate as it’s so personal to the individual, but building in the right support and processes has so many advantages for the people and the enterprise. We need to equip cybersecurity professionals with the tools to effectively manage the stressful situation of a cyber crisis. We’ve seen how a cybersecurity crisis can have the same effect as serious trauma on an individual’s body. It’s shocking. The profession needs to work together on this, or the most experienced professionals will leave with no way to defend our essential enterprise services and departments,” added Sembhi.