The mental health of security analysts: a challenge that organizations must address. How burnout and other issues can impact employee effectiveness
For many years, security analysts prioritized their work above their mental health. However, cracks are beginning to appear. The exhausted and overwhelmed analysts are another silent cybersecurity epidemic that organizations will have to manage.
According to Gartner, 50% of cybersecurity leaders will change positions by 2025 due to work stress and exhaustion. Jinan Budge, an analyst at Forrester, assures that managing the exhaustion and the mental health is a priority for the security team. The CISO (Information Security Officers) must address the lack of importance that is given to mental health before it is too late.
The professional burnout is included as an “occupational phenomenon” in the 11th Revision of the International Classification of Diseases (CIE-11). The World Health Organization (WHO) defines it as a syndrome caused by inadequate management of work stress. The energy depletion, feelings of negativity, or cynicism towards one’s own work, and decreased personal effectiveness are three listed symptoms of job burnout.
When it comes to safety, burnout affects both business results and individual effectiveness. In a survey conducted by Enterprise Strategy Group and ISSA, two-thirds of cybersecurity professionals rated their work as “difficult”, with almost half of them considering leaving their jobs. This could cause a continued reduction of SOC equipment (Security Operations Centers), in addition to the existing gap between supply and demand.
In addition to the primary responsibility of improving security maturity in their organizations, CISOs are tasked with fostering highly productive security teams. This involves addressing the various problems that affect the mental health of security analysts, such as exhaustion, levels of motivation, and the lack of security automation.
CISOs can approach it in four ways:
1. Recognize burnout in security teams by acknowledging the existence of the problem and discussing possible solutions and best practices.
2. Foster an environment of open communication and encourage employees to prioritize their mental health and ask for help.
3. Implementation of an effective recovery plan by investing in cyber insurance and implementing a customized, error-free incident response strategy.
4. Invest in security analysis platforms that automate secondary and repetitive tasks and free up time and resources for SOC teams to prioritize issues that require their time.
As analysts grapple with endless alerts, CISOs and SOC managers have to face the fear of being held responsible for any sudden incident of cybersecurity and its repercussions. It is necessary an increased awareness about mental health in security equipment.
Attackers continue to use sophisticated techniques to penetrate company networks and devise new ways to deploy social engineering techniques.
By Ram Vaidyanathan, IT Security Evangelist at ManageEngine.