Is Cybersecurity a Stressful Job?


The demand for Cybersecurity professionals is at an all-time high and shows no sign of diminishing in the near future, which is great news for anyone looking at a career within the industry.

As with any job, you might have some concerns, such as whether a Cybersecurity job is stressful. The answer is not a straightforward one and depends on your temperament and what type of work you enjoy.

Additionally, a CISO experiences a unique set of challenges and stresses when compared to a Security Analyst.  If you enjoy a challenge and a diverse working environment, then a cybersecurity job is not a stressful one. 

Neither of these roles is less stressful than the other; they call for completely different skills and mentalities. The day-to-day jobs will be quite different. A CISO will tackle leadership issues and experiences, while a Security Analyst can expect a more reactive role.

What Causes Stress in a Cybersecurity Job?

Understaffing and overworking are among the leading causes of stress within security jobs. This is of course not true of every employer. I’ve been fortunate enough to largely work within industries and companies with a strong security requirement, which has equated to funding to meet the staffing needs.

If not adequately tackled, stress can be a serious issue for any organization’s security posture.  

It’s not all doom and gloom, as everyone reacts to job pressures differently, but you should be aware of what you’re getting yourself in for before beginning a career within cybersecurity.

Leading Causes of Cybersecurity Stress

1. Resource Shortages

Nearly 50% of CISOs have expressed concerns over the lack of staffing resources available to them to tackle the daily workload. This is not even taking into account tackling future threats and proactively addressing threats.

Resourcing pressures increase the workload on existing employees, creating a never-ending circle of fighting fires and an aversion to taking on additional responsibilities and risks presented by the business.  

Resource issues may or may not impact you as a cybersecurity professional, and you may in fact thrive on an increased workload.  But, it is a real danger if employees are not equipped to deal with the workload and constantly feel overwhelmed. 

It’s up to management to prioritize workloads and increase efficiency to alleviate this workspace pressure.

2. Lack of Support

For years I was involved in data loss prevention, consulting for a number of financial institutions. Far too often DLP was a cybersecurity problem, rather than something that needed to be embraced company-wide.

This is not exclusive to DLP; it’s a common trait of organizations. Cybersecurity is often perceived as an obstacle to progress rather than a way of mitigating risk.

If you’re involved with Cybersecurity for any length of time you’re bound to come up against users, departments, or members of the leadership team that refuse to understand why a security control is in place and why it’s a good thing.  It’s even worse when board members see security as an inconvenience and will override your controls whenever they see fit. 

Support for cybersecurity needs to come from the very top of an organization. Without this support, security departments are in a never-ending battle with users, and far too often their hard work can be undone with a single executive decision.

The good news is that the corporate world is changing: security is at the forefront of many organizations’ focus, which means support is available from the very top.

3. Large Workloads

When I started my cybersecurity career I worked within a SOC for a number of months. Most of the time our workload was steady and manageable; however, I experienced a number of weeks where we saw a massive number of tickets flooding in to triage.

Just when you thought you were on top of your work queue, another 30 alerts would come in. They also weren’t the sort of events you could easily classify and close off; every single one needed analysis to understand exactly what was happening.

If that work had continued like that for more than a few weeks, I could see myself burning out very quickly.  It was a never-ending deluge of events with a minimal amount of stimulation.

This is unfortunately true of many SOCs.  In a survey conducted by Ponemon, 73% of respondents said they felt they were overwhelmed by the amount of work they had to get through.  This was heavily skewed towards Security Analysts and Admins.  

One of the big problems with this sort of work is that it’s largely reactive; it’s difficult to make proactive changes at the SOC level to make a meaningful impact. This also leads to a feeling of lack of visibility of the work being carried out.

It’s very easy to feel that your work is having no meaningful impact, which, coupled with the large workload, can easily lead to burnout.

To mitigate this, SOCs need to work to reduce false-positive rates and automate the tedious work as much as possible. Working for an hour on a meaningful true positive event is far more rewarding than working for an hour on 20 events of no interest and with little value. 

4. Always Available

Getting a call at 2 am and then again at 4 am due to work is a sure-fire way to ruin a good night’s sleep. Unfortunately, it’s a reality that cybersecurity professionals face on an all too frequent basis. Even the thought that you might get called is enough to cause anxiety and stress.

Fair responsibility rotation and compensation for being on-call is one way to reduce on-call stress. 

5. Long Hours

Long work hour culture is in my opinion something that needs to end.  If work requires you to work longer than your contracted hours, then there’s something wrong with what you’re doing or how you’re doing it.  

I understand that longer hours will be needed occasionally, but it should never be the norm.

However, according to Nominet, nearly 90% of cybersecurity respondents confirmed they worked longer than 40 hours per week.

Longer hours don’t equate to more work done, and in fact, can lead to decreased efficiency and lack of attention. 

Management needs to understand how their employees are spending their time and ensure systems, automation, and procedures are in place to make sure that their employees are working in an efficient manner.  

We work to live, not the other way around. Nobody ever said when they were on their death bed that they wished they had spent more time at work. 

6. Late to the Project

It happens more often than it should, but being asked how best to address security concerns for a new IT initiative that’s in its final stages is a thankless and stressful task. 

As a security architect, I’ve been involved with new IT project initiatives from the very start, and I’ve also been asked to come in at the end of the project lifecycle. Both scenarios have challenges, but I would much rather have the former than the latter.

Security should not be a last-minute consideration that projects look to address as an afterthought. Taking this approach leads to far too many concessions and additional stress.

40% of security respondents have stated that addressing security concerns in projects is a huge stress factor, according to a study conducted by ESG.

Creating a culture where the correct security departments are engaged with from the inception of a project can save headaches and stress in the long term and should be part of new IT initiatives.  

7. Skills Shortages

Feeling poorly prepared to deal with tasks can spiral into stress and a sense of inadequacy. 

The cyber skills shortage is a real issue in our field; existing skills can quickly become obsolete as methods and technologies change.

Management must measure current skills gaps and work with employees to respond to the shortages.  This can come in the form of skill-sharing, training, and time set aside for self-development.  As workloads increase this becomes harder to overcome and can quickly lead to fatigue, burnout, and unnecessary stress. 

8. Changing Threat Landscape

Cybersecurity is an ever-changing field of threats and technologies, which can either be a blessing or a curse.  

Some certifications, like the CISSP, require continued learning credits to keep the certification active.  In practical terms, this means you’re expected to attend conferences, pass other certifications, publish papers, or attend training every year. 

If you’re someone who thrives on learning and keeping up to date with the latest technologies and trends, then a cybersecurity career might be ideal. If you’re not that sort of person, then a cyber career might be stressful.

What Can Be Done To Combat Cybersecurity Career Stress?

Many of the aspects that can cause stress to cybersecurity professionals can be tackled by listening to employees.  

The most prevalent causes are related to workloads, skills shortages, culture, and technology, all of which can be tackled with enough investment and changes to working culture. Automating tasks and training staff members can lead to reduced burnout.

Final Thoughts

From reading this article, you might be forgiven for thinking that a cybersecurity career is filled with stress with no signs of positive change.  

The truth is that many of these issues are prevalent in all jobs across every industry.  

Reflecting on my own experiences, working in Retail, IT and Cybersecurity, I’ve not found any one career more stressful than the other.  

I’ve personally found cybersecurity to be a fulfilling career with plenty of challenges along the way, but nothing that has felt overwhelming. Other professionals’ experiences might be different from my own; however, a survey by Exabeam found that 78% of respondents would recommend a career in cybersecurity and 58% said they found the challenges rewarding.