Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

66% of Cybersecurity Analysts Experienced Burnout This Year, Report Finds (venturebeat.com) 31

Today, application security provider Promon released the results of a survey of 311 cybersecurity professionals taken at this year's Black Hat Europe expo earlier this month. Sixty-six percent of the respondents claim to have experienced burnout this year. The survey also found that 51% reported working more than four hours per week over their contracted hours. VentureBeat reports: Over 50% responded that workload was the biggest source of stress in their positions, followed by 19% who cited management issues, 12% pointing to difficult relationships with colleagues, and 11% suggesting it was due to inadequate access to the required tools. Just 7% attributed stress to being underpaid. Above all, the research highlights that cybersecurity analysts are expected to manage an unmanageable workload to keep up with threat actors, which forces them to work overtime and adversely effects their mental health.

This research comes not only as the cyber skills gap continues to grow, but also as organizations continue to single out individuals and teams as responsible for breaches. Most (88%) security professionals report they believe a blame culture exists somewhat in the industry, with 38% in the U.S. seeing such a culture as "heavily prevalent." With so many security professionals being held responsible for breaches, it's no surprise that many resort to working overtime to try and keep their organizations safe -- at great cost to their own mental health.

This discussion has been archived. No new comments can be posted.

66% of Cybersecurity Analysts Experienced Burnout This Year, Report Finds

Comments Filter:
  • Only 66%? Those are pretty low numbers, especially being tossed out in December. Don't poll retail workers.
    • My experience is that cybersecurity folks spend more time trying to get out of doing actual work instead of just doing their job. I guess it must take a mental toll on the chronic slackers.
    • The difference is the impact. If a retail worker gets burnout, throwing it away and replacing it with a working model is trivial.

      Way harder to find a working security analyst these days that isn't already in use.

  • by Junta ( 36770 ) on Friday December 16, 2022 @05:53PM (#63136790)

    The volume of simply crap CVEs that come through make things a tedious nightmare (95% of CVEs are frankly low/no-risk garbage that serve no practical purpose and only is a feather in the cap of some researcher).

    Since a lot of flows demand tedious reconciliation of CVEs versus deployments, and developers frequently just grab a fixed 'latest' copy of a dependency and never look back.... Lots of tedious crap....

    • The volume of simply crap CVEs that come through make things a tedious nightmare (95% of CVEs are frankly low/no-risk garbage that serve no practical purpose and only is a feather in the cap of some researcher)

      I have had more than a few choice word with those theoretical dick heads. Just about most CybeSecurity "auditors" (that just know enough to check a box on some stpid list) need to take a very long walk off of a very short pier. smh.

      • The volume of simply crap CVEs that come through make things a tedious nightmare (95% of CVEs are frankly low/no-risk garbage that serve no practical purpose and only is a feather in the cap of some researcher)

        I have had more than a few choice word with those theoretical dick heads. Just about most CybeSecurity "auditors" (that just know enough to check a box on some stpid list) need to take a very long walk off of a very short pier. smh.

        Wouldn't work. They'd just go around in circles ...

  • Must be why some security researchers recently tried to argue, stupid, uninformed, nonsense recently.
  • by TomGreenhaw ( 929233 ) on Friday December 16, 2022 @06:05PM (#63136850)
    Much of the Cybersecurity business is a scam. Many certifications are barely more than a shakedown to extract tons of money for certifications that are often rubber stamps or nonsense paperwork.
    • Re: (Score:3, Interesting)

      by Black Parrot ( 19622 )

      Much of the Cybersecurity business is a scam. Many certifications are barely more than a shakedown to extract tons of money for certifications that are often rubber stamps or nonsense paperwork

      See also: IT

    • Gauging the value of security is also not trivial: You only know whether your security is worth a damn when the shit hits the fan.

      It's like thinking you have the second-best army on the planet, going to a war and then finding out your army is a paper tiger.

    • Mod up. Effective delegation in the security area is appalling. If overtime, then you are not a professional. There is a reason why their actions are invisible - box ticking is just that. The real need is well rehearsed restore ability, which is sorely lacking, usually by many teams that hate each other. Even fewer of their ilk will revise risk assessments when budget supplementation does not arrive asap. Now with Ftx, their risk plan will be worth framing, up there with Deep-water Horizon. Budgets follow
      • I completely agree with your mention of restoring backups. Not one of my on site security audits has required demonstrating a restore from backup.
  • Because. You can't complain about wanting perpetually less regulation while putting every user's pop culture needs first (remember routing being decleared unnecessary?) while complaining about a lack of security?

  • by Bruce66423 ( 1678196 ) on Friday December 16, 2022 @07:25PM (#63137016)

    Real burnout leaves you unable to cope with life - like real depression. But like depression it's a term that is chucked about loosely when it's not justified. Yes, there is quite possibly a problem with overwork, but to describe this as 'burnout' is unfair to those who really collapse into being burnt out.

  • by hdyoung ( 5182939 ) on Friday December 16, 2022 @08:52PM (#63137160)
    over the standard 40? Those poor, suffering, overworked, stressed-out cybersecurity experts. How on earth will they ever find the time to spend their 300k/yr salaries?

    Sorry, not sorry. No sympathy. Grow a pair, suck it up, and learn to live with a high workload, just like EVERY OTHER WELL-PAID WHITE-COLLAR PROFESSION.

    If you dont like it, there are plenty of lower-paid jobs out there.
  • by devslash0 ( 4203435 ) on Friday December 16, 2022 @10:17PM (#63137260)

    I used to be a dev for most of my life but cybersecurity has always been the foundation of my work and it is what got me into software development in the first place. So, having done OSCP, CEH and pwned a lot of boxes for bounties on my free time, as a hobby, I decided to change my careers and go cybersec full time.

    It was a big mistake, and I very quickly went back into a dev role again.

    Here's why:
    - Cybersecurity engagements are plagued by delays. Teams are never ready on the first day of an engagement. Yet, when they eventually get ready (which sometimes is on the second-to-last day of the engagement), you are still expected to test the entire agreed scope in the remaining time.
    - Related to point #1. Red tape everywhere. You always wait for someone to deliver to you all the prerequisites/requirements which were pre-agreed for the engagement. Think accounts, permissions, exclusions of your machines from company-wide detection systems if needs be, etc.
    - You struggle with a sense of achievement and closure. As a cybersecurity professional you are a perfectionist, you want to make sure you left no stone unturned and deliver a real value to your client instead of a false sense of security, which can actually get you into serious legal trouble. Yet, with the delays mentioned in point #1 and red tape in point #2, you never get to perform all the work you need.
    - Related to the previous point. At the end of the day, you don't have anything tangible to show for it. There's no project you can present to someone. Most of the time you've got no new exploits that you developed along the way. Unlike in software dev where you can sit back, relax and look and marvel at your creation.
    - You can never stop learning. This is usually a good thing, but in the cybersecurity world if you don't keep with the latest tools and techniques, your knowledge gets outdated pretty fast. In order to keep up, cybersecurity professionals need to invest significant amounts of personal time to stay up-to-date, sacrificing personal life, leisure and relationships.
    - There is no 9-to-5 in this job. Many of the tools need to be run for extended periods of time to iterate all the possible attack vectors across all inputs. They require constant monitoring and adjustments at all and any times of the day.
    - If you work for a consultancy, you will be sent all around the map on a moment's notice. Many of my colleagues spend three quarters of the year living out of suitcases in hotels all over the country. Some of them bought houses which are just standing empty.
    - Cybersecurity becomes more and more automated every day. Cybersecurity professionals aren't cheap and therefore all the CEOs are getting onto the bandwagon of using automated tools alone as the security checkbox, rather than employing people for out-of-the-box thinking.
    - The role is biased towards young workforce. As our intelligence profile changes with our age (explore vs exploit tradeoff) we become less efficient at thinking outside of the box as we age so your career prospects are actually shrinking with time.
    - Most cybersecurity assessments, in the real world, leave very little time for creative work, finding novel solutions, zero-days. You are expected to fire all your pre-arranged guns at the target, create a report and move on.
    - As a pentester you often get entangled in an advisory capacity into helping the client with fixing all the vulnerabilities and retesting them when they get fixed. As most companies are slow to address issues, you get pulled into former client calls all the times, sometimes months or even years after the engagement.

    • Mind if I pile on?

      - SLAs and other availability requirements often require you to work at hours that gives you a permanent jet lag, not unlike some shift worker.
      - Related to the "nothing to show" point, even if you had something to show, NDAs usually keep you from doing so. You may discover something relevant, maybe find the same problem over and over, but you cannot go and tell people that they should / should not do X because you've seen it before.
      - Related to that, frustration levels are mounting and you

      • Excellent and true. However older and wiser greybeards say you should be breaking down the problem and delegating, because its the same issue as any major change release project - only you can BANK on new patches coming in daily. Presently due to software licences - getting a server certificate and keys to the kingdom is childs play. Enumerate product XYZ and you hit the jackpot easy in config/setup or logs. The response is we need product xyz, which usually comes with its own RAT kit. Teach them to run the
        • Well, that's the big plus working for finance. You never get told to tone it down or pull punches. Because one thing is certain, there will be a paper (or in this case, electronic) trail of that, and should the shit hit the fan, someone will want to read this, because damages usually run in the millions.

          Nobody wants to be the person who said "could you tone it down a bit?" when this happens.

    • It is neat the first couple of time, finding that base64 exfil coming from a client, or if you get something really newish or very unique to figure out.
      However those things are very rare, it can be years between them. The majority of the time you are just repeating the same processes and looking at same hex characters in different arrangements.
      At least with being a system admin, programmer or other computer jobs you are rotating around to different software and problem types. Not with threat hunting, he
  • Don't "help" people who don't want to be helped. They just blame you.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...