It’s high time we “humanize” cybersecurity.
- May 13, 2024
The impact of cybersecurity can no longer be underestimated in most companies. When you know that cybercriminals make more money than drug cartels these days, you understand that there is a lot of pressure on the shoulders of cybersecurity teams, leading to an increased risk of burnout. Companies must therefore review their strategy and focus on the human factor in cybersecurity. Ultimately, hackers are not concerned with the type of firewall an organization has installed, but rather with the people who work there, what rights they have, and how they can be deceived.
Although cybersecurity is not a new field, we are still studying its scope and impact, simply because its importance is increasing every year. One development we need to watch is the increasing number of burnouts among security professionals. According to a survey by ISC2, 67% of security leaders report staffing shortages and another 66% say they are under a lot of stress. Meanwhile, workloads are increasing, attacks are becoming more intense and complex, and the impact of a breach on the business can be huge.
As if that weren’t enough, security professionals must ensure that their organization is compliant with all regulations and that employees can do their work anytime and anywhere despite the security measures. In other words, the pressure is coming from all sides, and it is therefore not surprising that many security professionals are suffering from burnout. This is bad for the individual, and the organization shouldn’t ignore it either. On the one hand, a colleague will perform worse under pressure; on the other hand, an ethical dilemma arises. Professionals who are already drowning in work may stop reporting certain vulnerabilities, incidents or problems for fear of adding more workload, which of course has a detrimental effect on the company.
There is no concrete solution to cybersecurity burnout. Artificial intelligence and automation can play a role in this by taking over certain activities and reducing the amount of work. But if you really want to make a difference, you need to pay more attention to humanizing your security. Every organization has invested most of its budget in technological control and yet incidents continue to occur. It is therefore clear that technology alone will not be enough.
If you really want to make a difference, do you need to care more about humanizing your security?
Andrew Rose, CSO SoSafe
It is important to discuss problems first. All too often we see that burnout is stigmatized and people do not want to admit that they are suffering from negative stress. That’s why it’s important that leaders talk about the issue and leave space to address it. In addition, most people are not aware that they are heading towards burnout, so colleagues also need the courage to point out stress symptoms to each other. Compare it to a frog in boiling water. As soon as the animal feels the hot water, it jumps out of the pot. However, if you warm cold water gradually, the frog will not notice the increasing difference and the animal will stay there until it is too late. The same thing happens with stress: we are not aware of it until we get to the point where it overwhelms us.
The human side of cybersecurity deserves more attention in the rest of the organization, too. There is a human element to most successful cyberattacks. According to the World Economic Forum, up to 95% of all cybersecurity problems are due to human error. Forrester also claims that a human hand can be detected in 90% of incidents. And yet companies have so far only spent a fraction of their cyber budget on training and further education.
This is often because employee training does not have the positive impact that CISOs desire. They often emphasize creating awareness, but what we really need first and foremost is behavior change. Creating a PowerPoint presentation every year about phishing will have little impact. If you want people to really learn something, you need to create a consistent message and repeat it regularly across different channels and media.
Additionally, you need to ensure that people understand the consequences of a potential security breach, both in their business and in their personal lives. Once employees understand and recognize that a security breach can lead to real disruption, they will take it much more seriously. Once employees get on board, the workload on the security team’s shoulders is significantly reduced – with fewer incidents, better reporting rates, and issues reported in time for security to resolve.
Finally, security teams also need to divide the pie better to reduce the risk of burnout. Everything is developing so quickly that today it is simply no longer possible to give the job to a single person or even to a small team. By dividing responsibilities and workload across different teams (IT, vendor management, risk, human resources, facilities, product development, etc.), you can better integrate security into the fabric of the organization.
The coming years will in no way reduce the challenges. We can safely say that a company’s success largely depends on its cybersecurity strategy. Most companies today are still in the information security or cybersecurity phase. In the next step, they must develop towards “cyber resilience”. This is the ability of a company to provide its customers with seamless service even in the event of a cyber attack. If one part of the company is attacked, the rest of the company should continue to operate.
To take this next step, a strong human focus is essential, both in terms of users and an organization’s security teams. Companies must withstand the waves of attacks on their employees, and their cybersecurity experts need time and space to plan, coordinate and orchestrate security and repel any attack.
This is a post from Andrew Rose, CSO at SoSafe. Andrew Rose is a speaker at Cybersec 2024, May 29th and 30th. In his keynote, he highlights the 8 trends we should keep an eye on in cybercrime.
Source: IT Daily