Image Credits: Aaron Bugal, Field CTO Asia Pacific and Japan, Sophos
Cybersecurity is no longer just a technical issue – it’s a critical business priority. As organisations increasingly understand the reputational, operational, and financial impact of cyber threats, the importance of resilience in the digital age has become clear.
In Singapore, the government is actively strengthening these efforts, offering short courses, upgrading the Skills Pathway, and fine-tuning the operational technology masterplan to tackle evolving risks. Last year’s nationwide cybersecurity exercise involving key sectors like energy, banking, and healthcare further demonstrated the country’s commitment to preparing for cyberattacks.
Yet, amidst all this progress, there is one risk continuing to fly under the radar – cybersecurity professional burnout.
Our recently published Future of Cybersecurity in APJ 2024 report uncovered worrying truths about the mental health of cybersecurity professionals. Burnout, fatigue, and disconnection from board directors dominated headspaces – and with unrelenting cyber threats, the industry must find a way to address this concerning issue.
Erodes focus, weakens performance
The report found that 82 percent of Singapore respondents felt that feelings of burnout had increased in the last 12 months, with 32 percent saying that this burnout makes them “less diligent” in their cybersecurity roles.
Additionally, 23 percent of respondents identified that cybersecurity burnout or fatigue contributed to, or was directly responsible for, a cybersecurity breach, and 20 percent of companies experienced slower-than-average response times to cybersecurity incidents.
The two leading reasons cited for these overwhelming levels aren’t surprising: burnout and fatigue were caused by a lack of resources and the monotony of routine activities.
Both of these contributing factors could be put down to poor hiring practices. It is now quite common to hear of candidates looking to break into ‘cyber’ and then find out that the position they’re filling isn’t what they expected it to be.
But were they consulted, prescriptively, on what their roles would be?
Mis-hiring cyber specialists into roles that don’t match their skill sets or career goals is a sure way to put employees on the back foot. Furthermore, a lack of support and resourcing breeds more friction, preventing smooth operational defences against threats — to the point where 19 percent of respondents stated that such issues contributed to a breach.
To help improve cybersecurity professionals’ mental health, organisations should support cyber-defenders to do more of what they like to do best, guiding them toward acquiring greater skills and knowledge.
Addressing culture from the top down
This industry desperately needs a better attitude toward fostering a healthier cyberculture, and it must begin from the top of the food chain. Overall, 49 percent of respondents in Asia Pacific and Japan said their company’s board members didn’t fully understand requirements around cyber resiliency; 46 percent believed the same thing about their C-suite.
This is disturbing, as leaders of organisations play a vital role in improving cyberculture. They have the power to listen and address the problem, either using current staff skills and budgets or, if necessary, choosing to reallocate resources to make the necessary changes.
However, this change must go further than talking the talk. Survey respondents reported that lip-service and non-committal indicators are the norm – and that leadership’s lack of understanding of their accountability leads to an incorrect expectation of how secure the business is overall.
This personnel crisis is, frankly, an issue of proper risk management. It may be that making that case at the executive committee and board levels will bring the issue into focus: stress causes fatigue and burnout, fatigue and burnout cause staff turnover, or something potentially worse.
Everyone is aware of how small and large businesses have fallen to cyber breaches due to employee error. These lived experiences should be used as a starting point to help educate and bootstrap a change in attitude towards cyber resilience.
It is also useful to highlight the legal and regulatory impact of cyberattacks on boards – phrasing it in a way that resets leadership’s expected level of accountability and drives change. Sophos’ report found that 95 percent of respondents believe legislation and regulatory changes mandating cybersecurity board-level responsibilities and liabilities increase the focus on cybersecurity at a company board or director level.
The path to resilience
There isn’t a quick fix to reducing pervasive workplace stress. Attitudes toward better stress management and improving other problematic cultural issues in cybersecurity have traditionally moved at a glacial pace. But at least they’re moving, and tech leaders can move the needle in individual organisations even if they’re not at the top of the corporate food chain. This can take place by:
- Considering the most basic building blocks of their day-to-day work: If employees are equipped with the right technology to help minimise noise and repetitive tasks, and empowered with processes that guide them through risk identification and communication, they’ll have a great foundation to build on.
- Keeping a regular cadence of communication: It can be hard for managers to see those small stressors individually, but the cumulative effects of stress are a genuine vulnerability. Learn to recognise the signs of stress in yourself and your peers as well.
Ultimately, acknowledging stress and taking corrective action to minimise or mitigate it is a solid base for building a great cybersecurity culture. It’s our hope that the simple fact of asking how our colleagues are doing – and of normalising conversations around a topic that is often avoided – can help organisations to better drive positive outcomes around cyber resiliency.