66% of Cybersecurity Analysts Experienced Burnout This Year, Report Finds (venturebeat.com) 31
Today, application security provider Promon released the results of a survey of 311 cybersecurity professionals taken at this year's Black Hat Europe expo earlier this month. Sixty-six percent of the respondents claim to have experienced burnout this year. The survey also found that 51% reported working more than four hours per week over their contracted hours. VentureBeat reports: Over 50% responded that workload was the biggest source of stress in their positions, followed by 19% who cited management issues, 12% pointing to difficult relationships with colleagues, and 11% suggesting it was due to inadequate access to the required tools. Just 7% attributed stress to being underpaid. Above all, the research highlights that cybersecurity analysts are expected to manage an unmanageable workload to keep up with threat actors, which forces them to work overtime and adversely affects their mental health.
This research comes not only as the cyber skills gap continues to grow, but also as organizations continue to single out individuals and teams as responsible for breaches. Most (88%) security professionals report they believe a blame culture exists somewhat in the industry, with 38% in the U.S. seeing such a culture as "heavily prevalent." With so many security professionals being held responsible for breaches, it's no surprise that many resort to working overtime to try and keep their organizations safe -- at great cost to their own mental health.
Only 66% (Score:2)
Re: Only 66% (Score:2)
Re: Only 66% (Score:5, Insightful)
Re: (Score:2)
The difference is the impact. If a retail worker gets burnout, throwing it away and replacing it with a working model is trivial.
Way harder to find a working security analyst these days that isn't already in use.
It can be the most unrewarding tedium.. (Score:4, Interesting)
The volume of simply crap CVEs that come through make things a tedious nightmare (95% of CVEs are frankly low/no-risk garbage that serve no practical purpose and only is a feather in the cap of some researcher).
Since a lot of flows demand tedious reconciliation of CVEs versus deployments, and developers frequently just grab a fixed 'latest' copy of a dependency and never look back.... Lots of tedious crap....
Re: (Score:2)
The volume of simply crap CVEs that come through make things a tedious nightmare (95% of CVEs are frankly low/no-risk garbage that serve no practical purpose and only is a feather in the cap of some researcher)
I have had more than a few choice words with those theoretical dick heads. Just about most CyberSecurity "auditors" (that just know enough to check a box on some stupid list) need to take a very long walk off of a very short pier. smh.
Re: (Score:2)
The volume of simply crap CVEs that come through make things a tedious nightmare (95% of CVEs are frankly low/no-risk garbage that serve no practical purpose and only is a feather in the cap of some researcher)
I have had more than a few choice words with those theoretical dick heads. Just about most CyberSecurity "auditors" (that just know enough to check a box on some stupid list) need to take a very long walk off of a very short pier. smh.
Wouldn't work. They'd just go around in circles ...
ArmoredSkink (Score:2)
Re:66% admitted they don't belong in cybersecurity (Score:4, Insightful)
CyberSecurity is easy AF if you're good at it and have the proper mind for it
And you work for clients who appreciate the importance of what you do. If you don't have good customers, the field seems ideally tailored to produce burnout. People don't want to work with you; when they do work with you they're not happy; and the better job you do the less important they'll think your contribution is.
Re: (Score:2)
Yep. If the cafeteria is full and on a whole table only two people are sitting, and even they avoid eye contact with each other, you found internal auditing and security.
Says a lot about the other 34% (Score:5, Insightful)
Re: (Score:3, Interesting)
Much of the Cybersecurity business is a scam. Many certifications are barely more than a shakedown to extract tons of money for certifications that are often rubber stamps or nonsense paperwork
See also: IT
Re: Says a lot about the other 34% (Score:2)
Unfortunately that's why cyber security sucks so bad.
Re: (Score:2)
Gauging the value of security is also not trivial: You only know whether your security is worth a damn when the shit hits the fan.
It's like thinking you have the second-best army on the planet, going to a war and then finding out your army is a paper tiger.
Re: (Score:2)
Re: (Score:2)
no kidding. (Score:2)
Because. You can't complain about wanting perpetually less regulation while putting every user's pop culture needs first (remember routing being declared unnecessary?) while complaining about a lack of security?
Burnout - nah (Score:3)
Real burnout leaves you unable to cope with life - like real depression. But like depression it's a term that is chucked about loosely when it's not justified. Yes, there is quite possibly a problem with overwork, but to describe this as 'burnout' is unfair to those who really collapse into being burnt out.
Omg 4 whole hours (Score:3)
Sorry, not sorry. No sympathy. Grow a pair, suck it up, and learn to live with a high workload, just like EVERY OTHER WELL-PAID WHITE-COLLAR PROFESSION.
If you don't like it, there are plenty of lower-paid jobs out there.
Re: (Score:3)
No doubt! Who in IT works only 44 hours a week?
Ex-pentester here, if you'd like to know why. (Score:5, Interesting)
I used to be a dev for most of my life but cybersecurity has always been the foundation of my work and it is what got me into software development in the first place. So, having done OSCP, CEH and pwned a lot of boxes for bounties in my free time, as a hobby, I decided to change my career and go cybersec full time.
It was a big mistake, and I very quickly went back into a dev role again.
Here's why:
- Cybersecurity engagements are plagued by delays. Teams are never ready on the first day of an engagement. Yet, when they eventually get ready (which sometimes is on the second-to-last day of the engagement), you are still expected to test the entire agreed scope in the remaining time.
- Related to point #1. Red tape everywhere. You always wait for someone to deliver to you all the prerequisites/requirements which were pre-agreed for the engagement. Think accounts, permissions, exclusions of your machines from company-wide detection systems if need be, etc.
- You struggle with a sense of achievement and closure. As a cybersecurity professional you are a perfectionist, you want to make sure you left no stone unturned and deliver a real value to your client instead of a false sense of security, which can actually get you into serious legal trouble. Yet, with the delays mentioned in point #1 and red tape in point #2, you never get to perform all the work you need.
- Related to the previous point. At the end of the day, you don't have anything tangible to show for it. There's no project you can present to someone. Most of the time you've got no new exploits that you developed along the way. Unlike in software dev where you can sit back, relax and look and marvel at your creation.
- You can never stop learning. This is usually a good thing, but in the cybersecurity world if you don't keep up with the latest tools and techniques, your knowledge gets outdated pretty fast. In order to keep up, cybersecurity professionals need to invest significant amounts of personal time to stay up-to-date, sacrificing personal life, leisure and relationships.
- There is no 9-to-5 in this job. Many of the tools need to be run for extended periods of time to iterate all the possible attack vectors across all inputs. They require constant monitoring and adjustments at all and any times of the day.
- If you work for a consultancy, you will be sent all around the map on a moment's notice. Many of my colleagues spend three quarters of the year living out of suitcases in hotels all over the country. Some of them bought houses which are just standing empty.
- Cybersecurity becomes more and more automated every day. Cybersecurity professionals aren't cheap and therefore all the CEOs are getting onto the bandwagon of using automated tools alone as the security checkbox, rather than employing people for out-of-the-box thinking.
- The role is biased towards a young workforce. As our intelligence profile changes with our age (explore vs exploit tradeoff) we become less efficient at thinking outside of the box as we age, so your career prospects are actually shrinking with time.
- Most cybersecurity assessments, in the real world, leave very little time for creative work, finding novel solutions, zero-days. You are expected to fire all your pre-arranged guns at the target, create a report and move on.
- As a pentester you often get entangled in an advisory capacity into helping the client with fixing all the vulnerabilities and retesting them when they get fixed. As most companies are slow to address issues, you get pulled into former client calls all the time, sometimes months or even years after the engagement.
Re: (Score:3)
Mind if I pile on?
- SLAs and other availability requirements often require you to work at hours that give you a permanent jet lag, not unlike some shift worker.
- Related to the "nothing to show" point, even if you had something to show, NDAs usually keep you from doing so. You may discover something relevant, maybe find the same problem over and over, but you cannot go and tell people that they should / should not do X because you've seen it before.
- Related to that, frustration levels are mounting and you
Re: (Score:2)
Re: (Score:2)
Well, that's the big plus working for finance. You never get told to tone it down or pull punches. Because one thing is certain, there will be a paper (or in this case, electronic) trail of that, and should the shit hit the fan, someone will want to read this, because damages usually run in the millions.
Nobody wants to be the person who said "could you tone it down a bit?" when this happens.
Will throw in from the cyber threat hunter side. (Score:1)
However those things are very rare, it can be years between them. The majority of the time you are just repeating the same processes and looking at the same hex characters in different arrangements.
At least with being a system admin, programmer or other computer jobs you are rotating around to different software and problem types. Not with threat hunting, he
It's pointless (Score:2)