Your flexible work policies are overlooking burned-out cybersecurity teams

As organizations continue to grow their digital footprint in the wake of the pandemic, they need to start taking care of the employees who make it possible.

Forty-two percent of chief information security officers — more commonly referred to as CISOs — have missed major holidays like Thanksgiving due to work demands, according to data from software company Tessian. But it’s not just holidays: 44% have missed a doctor’s appointment in the past year due to work, and 40% have missed a family vacation due to professional obligations.

These employees are responsible for developing and implementing information security programs, which include procedures and policies designed to protect company communication, systems and assets from both internal and external threats. Because of their importance to day-to-day operations, these work-life imbalances aren't necessarily linked to the pandemic, says Josh Yavor, CISO at Tessian.

“The problem has always been there,” Yavor says. “Part of our job is to anticipate and be prepared for unpredictable situations where we have to have timely and immediate responses that are also sustainable. And that's one of the takeaways from this, it’s that we're not doing a great job as an industry in achieving that sustainable part.”

A quarter of CISOs have not taken any time off work in the past 12 months, working on average 11 more hours than they’re contracted to each week, while one in 10 works 20 to 24 hours extra a week. Twenty-five percent of security leaders said they spend 9 to 12 hours per month investigating and remediating each threat caused by human error — which includes when employees click the wrong link, install malware or give up a password — and more than one-third of CISOs reported spending excessive time on triaging and investigation, the report found.

The solution, according to Yavor, lies in creating balance between what a company needs and what an employee needs — and not letting the scale tip too much either way.

“First and foremost, it's about recognizing that we can't control or predict everything,” Yavor says. “We know that [crises] are going to happen to someone in the security space. And the most important thing for us to do is not pretend that this isn't. We [should] start with the expectation that we must be prepared for this and focus instead on what are the outcomes and experiences that actually matter.”

Although the safety and cybersecurity of a company is critical and often demands that CISOs and their team work extended hours, the consequences of a burned-out security department are much more serious. This demographic of workers already experiences higher-than-average turnover rates, with an average tenure of 18 to 24 months, Yavor says.

Additionally, a recent case study conducted by software company Burning Glass found that the annual turnover rate for federal cybersecurity jobs is 18%, compared to 14% for all federal IT workers. These statistics aren't going to get better if the industry can’t manage its burnout rates, with more than half of CISOs struggling to switch off from work post-shift, Tessian found.

“This level of burnout cascades down to the [whole] team,” Yavor says. “When they leave, it leaves the organization in a really bad situation because they cannot sustain their work in an effective manner.”

These pain points will become more prominent and potentially permanent if not addressed, Yavor says. Employers and employees alike need to ensure that as offices progress and adapt to remote and hybrid arrangements, the way they’re caring for employees does too.

“[Burnout] is not unique to security,” Yavor says. “That's true in customer support roles, it's true in engineering — we can actually learn and mature as an industry and follow their lead.”
