As businesses scramble to avoid data breaches and reconsider where the chief information security officer fits into the corporate structure, the uncertainty is having a measurable effect on the mental health of the people who protect the networks.
The pressure is real, according to a survey published Thursday by Osterman Research and the domain name vendor Nominet. Thirty-two percent of security practitioners say they believe they would either lose their job or receive an official warning in the event of a data breach. Ninety-one percent reported moderate or high stress, with a quarter saying the job has affected their mental or physical health.
Burnout is so common among security professionals that some executives are considering ways to ease the pressure on their teams. Chris Betz, the chief security officer at telecommunications company CenturyLink, told CyberScoop this week he tries to avoid contacting staffers after they’ve left the office. If Betz notices a task that needs to be completed, he says he writes an email, but waits to send it.
“I’ll send a time delay on different things so my team doesn’t get run real ragged,” he said. “Otherwise, that’s a great way to burn out your top talent.” The mere expectation of checking work email after closing time is enough to affect employee health, according to a study released last year by Virginia Tech.
The Osterman/Nominet numbers only are the latest evidence that security pros find it difficult to unplug after a long day of avoiding hackers, trying to convince engineers or developers to install security updates and, increasingly, playing politics at work. The pressures are particularly acute for the people at the top: Forty percent of top information security executives report to the CEO, while 27 report directly to the board of directors and 24 percent to the chief information officer, according to a survey conducted last year by IDG and PwC.
Stress comes from all over, too. Breaches can occur for any number of reasons outside a CISO’s control, and they can draw negative publicity in a way that other corporate flubs don’t. Last year, for example, West Virginia-based Coplin Health Systems told 43,000 medical patients their information had been compromised after thieves stole a laptop from an employee’s car.
Betz cited corporate incident response teams as a department that might be especially prone to feeling overwhelmed. A group that spends all day responding to small incidents or chasing red herrings could easily fall into a rut, clocking in and clocking out without focus or urgency.
“I want to make sure the day-to-day churn doesn’t keep us from paying attention to the bigger things we need to be focused on,” Betz said. “So I want people to spend roughly 60 percent of their time doing their job, and 40 percent of their time making their own job better.”
The Osterman/Nominet research highlights the potential ramifications of having a security team that is numbed by the daily grind. More than 60 percent of the security pros polled said they found malicious software that had been hidden in their infrastructure for an unknown period of time. Another 9 percent said they weren’t sure if they had missed anything.
One example of an improvement is freeing incident response staffers to find a way to automate a series of repetitive tasks into a single push of a button, said Betz, who joined CenturyLink in September.
“People can feel like they’re stuck in a rut but there’s nothing more empowering for somebody who’s motivated and ambitious to have the chance to make their life better,” he said. “The values will vary by organization … but the goal is to build a team that is super capable, and spend as much time as possible driving them to a higher capability while so preserving their energy to they can surge when we need it.”