Hidden crisis in cybersecurity: 17 out of 20 professionals suffering from fatigue and burnout


Cybersecurity professionals, lacking resources and struggling with overwhelming workloads, are grappling with mental health issues, the Sophos commissioned Tech Research Asia research survey reveals.

Eighty-five percent of respondents admitted that their cybersecurity employees had suffered from or were currently suffering from fatigue and burnout. The top reasons were lack of resources, cited by 48%, and monotony of routine activities, mentioned by 41%.

Emotionally depleted employees waste a tenth of the “normal” workweek time, as apathy consumes 4.1 hours per week on average.

The stress is not directly caused by the sheer volume of incidents and data. If the crisis is never-ending, researchers argue, the stress becomes endemic.

Researchers noted the lack of conversation between cybersecurity professionals and their leadership or board of directors. Nearly half of the respondents felt their executives and their company’s board didn’t fully understand the requirements around cyber resiliency.

“This gap suggests a series of endemic problems that have a direct impact on maintaining proper institutional security posture – not to mention an impact on the beleaguered teams charged with the task,” said Aaron Bugal, a Field CTO at Sophos.

Bugal argues that poor hiring practices are one of the main contributing factors. The lack of talent leads to situations where employees end up in positions that don’t align with their skills or career goals.

“How many posted job descriptions truly represent the job that awaits the successful applicant? Detection engineering, threat hunter, forensic analysis – all are deeply rooted technical specializations within our industry. However, do we clearly define these roles and responsibilities when we need someone desperately?” Bugal asks. “This is where apathy starts to creep in: “This is boring. I didn’t sign up for this.”

The proposed solution is to impose more cybersecurity responsibilities on leadership, as personnel crisis “is, frankly, an issue of proper risk management.”

Almost all of the respondents confirmed that regulatory requirements for executives or boards to take responsibility for cybersecurity had increased their focus: 51% said it helped somewhat, and 44% said it helped significantly.

While there isn't a quick fix, small steps can relieve stress, such as better communication with team members and equipping people with the right tools to minimize repetitive tasks and noise.

“Acknowledging stress and taking corrective action to minimize or mitigate it is a solid base for building a great cybersecurity culture,” the report reads.