Security researchers have warned of “increasing and unsustainable stress levels” in the cybersecurity workforce resulting from persistent ransomware threats and looming, large-scale attacks, which are pushing security professionals towards abandoning the industry altogether.
A report by cybersecurity company Deep Instinct found that 46% of senior and executive-level cybersecurity professionals have considered quitting the industry due to stress.
This is being driven by an “unrelenting threat from ransomware”, researchers found, as well as supply chain attacks on a scale similar to the 2020 SolarWinds hack and 2021’s Kaseya ransomware incident, both of which had far-reaching and long-lasting consequences for organizations impacted.
The burden of preventing such attacks weighs heavily on those tasked with keeping networks and wider organizational systems secure, Deep Instinct found. More than 90% of cybersecurity professionals are stressed in their roles, with a “significant proportion” of professionals conceding that this is negatively impacting their ability to do their jobs.
Those in leadership positions are likely to be feeling pressures of the industry more acutely, the report found: one in three C-Suite executives – including CISOs, CTOs, ITOs and IT strategy directors – said they were ‘highly stressed’.
“More cybersecurity professionals than ever are seriously considering leaving the industry permanently as a result of these pressures – with potentially catastrophic consequences for the organizations that rely on their vigilance,” the report said.
Burnout and fatigue in cybersecurity have been exacerbated by the move to remote working, which has made network security more challenging for organizations.
The diminished oversight that cybersecurity teams have on devices in a remote setting makes it more difficult to ensure IT security practices are being followed, many IT teams are still not sufficiently equipped to address the challenges that remote working presents.
This responsibility puts more pressure on to CISOs and other cybersecurity leaders: 52% of C-suite professionals surveyed by Deep Instinct said that securing a remote workforce was their biggest cause of concern. This was followed by the impact of digital transformation on the organization’s security posture, which researchers said highlighted the challenges of securing hybrid environments.
“Senior cybersecurity executives acknowledge that their stress levels are impacting decision-making and can have implications for the security posture of companies,” the report added.
“The stress we’re seeing across the cyber industry appears to be accelerating the exodus of talented people from the industry: a particular challenge when many cybersecurity defences and mitigation processes are human-dependent, requiring constant monitoring and intervention.”
SecOps teams are also burdened by larger workloads and longer hours as a result of persistent cybersecurity threats. Nearly half of respondents that sat outside of the C-suite (47%) said they felt pressured to stop every threat, despite acknowledging that it was impossible to do so, while 43% felt there was an expectation to always be on call or available.
The researchers identified a “widespread adoption of completely counter-productive measures” to alleviate stressors, such as switching off “overwhelming” alerts.
A lack of tools to perform theirs role properly and staff shortages were each cited as major challenges by 40% of respondents, respectively.
“The results show there is not one clear winner which reinforces why stress levels are so high,” researchers said. “Without a singular focus on one type of attack, resources are stretched thin and its obvious to see how a SecOps team may feel deflated against the challenges they face.”
The ‘universal threat’ of ransomware
Cyber criminals have benefitted from the move to remote working, with ransomware incidents having increased significantly during the past two years.
While organizations are typically advised not to pay hackers in exchange for encrypted data, cybersecurity professionals are doing so in order to avoid downtime and the associated reputational damage should the attack become public.
More than a third (38%) of survey respondents admitted to both experiencing a ransomware attack, and paying the ransom in exchange for the decryption key, compared to 62% that didn’t pay. And yet, paying hackers off does not guarantee the safe return of company data: 46% of those who paid said records or sensitive information was exposed regardless, while 45% were unable to restore all their data. A further 23% of respondents were hit by a subsequent extortion demand after paying the ransom.
Deep Instinct’s Voice of SecOps 2022 report was based on the responses of 1,000 senior cybersecurity professionals from companies in the US, UK, Germany and France.
All interviewees worked for businesses with 1,000 employees or more, and for businesses with annual revenues of at least US $500m across financial services, retail and eCommerce, healthcare, manufacturing, public sector, critical infrastructure, and technology.