Every day, people who work in cybersecurity make our world better and more secure. They are responsible for the terrible things that could happen after a cyberattack. But the expectations of their jobs are a threat in and of themselves.
These pros have been trying to keep the ball away from the goalie for a long time. Now, the balls are coming faster, from more places, and with enough force to end a game. Cybersecurity experts are vulnerable, just like the businesses they work to protect, because the threats they face are always changing. And even though there are more dangers and more legal requirements, too many organisations still use security methods that are like adding more and more bandages instead of fixing the real problems.
The result is a wave of burnout that is hard to miss. When asked what keeps security teams up at night, most people still say job stress. In the case of ransomware attacks, which put businesses at risk of not being able to provide mission-critical services, the effects of a breach are often rapid and clear.
There are clear steps that people in charge of technology can take to help ease some of the stress that important workers in enterprise safety face every day. But fixing the problem will take more than just putting safety first. It has to start by taking a close look at the technical settings, which have become too complicated.
Keep it easy.
The outbreak sped up the transition to digital technology, squeezing more than a decade’s worth of changes into just a few years. This digital sprint made it easier for hackers to attack and made it so that more skilled security pros are needed to protect a growing threat zone. In settings where legacy assets were bought and used in silos and weren’t compatible with other tech stacks, rapid progress often happened. As complexity grew, so did the number of risks, and fixing those risks needed more and more expertise. Since there were not enough experts to handle all the extra work, people got tired and made mistakes, which led to burnout.
IT leaders can take one important step right now to make the job of cybersecurity experts easier: they can simplify.
Leaders can start by figuring out which business services are most important to their organisation and, if possible, moving them to the cloud. They can modify applications to make them more secure and reliable, which is a step that was often skipped in the rush to modernise. They can get rid of as many point solutions as they can, which will help make the world less fragmented. Instead, they can work towards an integrated, interoperable infrastructure that gets back to basics, like patching and risk management solutions that have been around for years but still work.
In the end, technology tools can’t solve security problems on their own. The big-picture answers rest on what people do and what they choose. Embracing simplicity can not only cut costs and improve operational efficiency, but it can also make sure that cybersecurity workers have more manageable workloads, which can help them avoid burnout.
Prioritise Resiliency
If a company has done everything it can to plan for, protect against, handle, and recover from an event, the damage, including psychological damage to workers, can be kept to a minimum.
To take a resilient approach, which means planning ahead for hacking events instead of waiting to react, you need to think ahead and invest in technology.
Organisations should write down their plans for responding to incidents and make sure they can access them in a way that isn’t tied to computers, which can be hacked. The next step is to practise the plan, and then practise it again, so that teams know exactly what needs to be done and who should do what in case of an emergency. When possible, a well-thought-out plan and recovery software can speed up what could otherwise be a 24/7 recovery effort.
Active Directory systems, which are often attacked by bad users, need to be protected, along with backup servers, so that recovery doesn’t take too long. Organisations can also quickly recover from threats when they use cyber vaults. In the end, a faster recovery can help ease the daily grind that wears out security teams.
Leaders can also make sure that cybersecurity is a top priority for the whole organisation to better support cybersecurity experts. Cyber-risk management should be everyone’s job; incident rescuers shouldn’t be the only ones who can stop an attack in its tracks. There needs to be a plan from the top down. Security, adaptability, and recovery must be a top concern in the boardroom. The C-suite has a lot of responsibilities, but one of them is to make sure that business continuity and recovery plans are updated and tested every year. They also need to make sure that assessments are done regularly to see how prepared the company is for risks and to figure out which weaknesses are the most important. To protect their business, they must also be sure that they can recover their systems and data after a disaster or security breach in a way that meets their written recovery time and recovery point goals.
Enterprises need to adopt a “secure-by-design” attitude, which is the opposite of the old way of thinking about security as an afterthought. Instead, security needs to be built in at every step to make software, architecture, and networks as hard to hack as possible.
Without a well-thought-out plan that gives security workers more power, the people who cause burnout may continue to do well. Our plan to avoid burnout should be the same as our overall plan for security: a team effort focused on resilience and a shared idea that the more we can simplify, the better chance we’ll have of getting ahead of problems.