Black Hat USA 2022: Burnout, a significant issue

Discussion of the resourcing issues within the cybersecurity sector is not a new phenomenon; according to Cybersecurity Ventures, the number of unfilled cybersecurity positions worldwide grew 350% between 2013 and 2021, from 1 million to 3.5 million. The article breaks this number down further, estimating that there are 1 million cybersecurity workers in the US and as of November 2021 around 715,000 additional, unfilled positions. These numbers tell the story of a resourcing issue; they also tell the story of an industry that is currently running on about two-thirds of the resource it needs.

A presentation in the Black Hat US 2022 schedule by Stacy Rioux, Ph. D. Clinical and Organizational/Business Psychology caught my eye –Trying to Be Everything to Everyone: Let’s Talk About Burnout. When there is such a huge shortage of talent in the cybersecurity industry, those who are on the frontline are potentially prone to suffering burnout. My assumption was that the presentation would take a deep dive into the stresses that cybersecurity teams are suffering using case studies and specific examples, and then how to recognize the existence of the issue and the steps that can help alleviate the pain someone if suffering. Unfortunately, the presentation was light on example, and was more a presentation on the issue of burnout, rather than identifying and mitigating it in cybersecurity settings.

The signs of burnout are extremely important to spot, and some of the telltale signs presented included tiredness, cynicism, not enjoying work and possibly drinking or eating too much, not necessarily to the point of addiction but as a comfort measure. Two –maybe three– of the four are probably identifiable in nearly all Black Hat attendees: tiredness due to the Vegas party culture, drinking too much, it’s Vegas, and lastly, cynicism, appears to be a job requirement in the cybersecurity industry – we are conditioned to trust nothing and to verify everything.

On a more serious note, this is an extremely important issue, and something that all companies large and small, need to be aware of and address. The definition of burnout presented by Stacy is “Occupational burnout is clinically defined as a psychological syndrome that occurs due to chronic emotional and interpersonal stressors on the job” with “interpersonal” explained as “relating to relationships or communication between people”.

Burnout identifiers covered in the presentation and that relate specifically to cybersecurity, were:

• High levels of mental workload
• Anticipation of cyberattacks
• Shortages in staffing and increases in workload
• Struggles to find one’s place within an organization
• Work is often not appreciated in the organization

There are strategies that can help deal with burnout, and I recommend taking the time to research them to get a greater understanding. A competent human resources department or professional should be able to set employees on the right track or provide some sound reading material on the topic.

The issue, in my opinion, is a combination due to the lack of experienced talented people, the accelerated digital transformation we have witnessed in the past two-plus years and the never-ending barrage of cyberattacks that cybersecurity teams are required to deal with. The end to this shortage is in sight; if only that were true! Many companies require candidates to be educated to degree level, hold an industry recognized cybersecurity qualification such as CISSP and to have 3–5 years’ experience. These requirements are potentially, at least a contributor, to blame for the unfilled cybersecurity positions.

Employers need to lower their credential or education requirements for cybersecurity jobs and get some of the less experienced but interested and keen into the workplace for them to gain that experience and to become the expert talent needed to defend against the attacks of the future. It’s also imperative, in my opinion, that cybersecurity becomes baked into all curriculum topics in the education system at high school or younger. We talk about the need for cybersecurity to be considered in all parts of product design, in every part of a business process and such like, so it probably belongs in every topic taught in the classroom. Even lessons in creative talents such as art would benefit by providing an understanding of how to secure an NFT: there are very few topics that would not benefit from a cybersecurity understanding and appreciation.

Normalizing cybersecurity in this way would, hopefully, avoid the shortage of talent tomorrow,  and importantly the burnout of those who choose a career in cybersecurity.