Working as a cybersecurity analyst is incredibly challenging. It’s one of the only roles in IT that requires 24/7/365 availability. The constant stressors of the job can overload security analysts, which ultimately leads to burnout—affecting every factor of the job from performance to talent retention. Recently recognized by the World Health Organization (WHO) as an occupational phenomenon, “burnout” is described by the agency as a syndrome resulting from “chronic workplace stress that has not been successfully managed.” Per the WHO, symptoms of burnout include feelings of exhaustion, cynicism about one's job and difficulty doing the job successfully. Despite the myriad security analyst job openings and the promise of six-figure salaries, analysts become exhausted within just a few years on the job—if they even last that long. And I've learned through my years of experience in the industry that the burnout filter has no bias for talent. While an analyst experiencing some of these symptoms from time to time is normal, the level at which analysts are burning out industry-wide is a problem that will undoubtedly have a devastating impact on our collective digital future.
What’s causing burnout?
Beyond the current global shortfall of nearly three million cybersecurity positions, placing an increased burden on the overworked and understaffed security teams already working in the industry, several other factors contribute to the endemic issue of cybersecurity analyst burnout.
Daunting schedules
Security operations centers (SOCs) are 24 hours a day, seven days a week, 365 days a year operations. The stakes are even higher in MSSP-type environments where teams manage, monitor and manage cybersecurity for multiple organizations. As such, it can be difficult to get holidays off, and due to the constant activity analysis required, overnight shifts are rotated or assigned to junior analysts for the first few years of their career. Many SOCs require 24/7 availability where analysts can be put on whatever shift is necessary for operations. Consequently, an analyst’s schedule is rather unforgiving and can be unfriendly to analysts who have restrictive schedules, who have families, who are going to school or who are working to earn additional certifications to level-up their skills.
Minimal room for error
Analysts are allotted a minimal margin for error. They are inundated by an enormous number of security alerts daily, usually from a suite of tools. When trying to monitor and investigate this influx of alerts from various tools, analysts run the risk of missing bonafide intrusions, and the consequences for doing so are dire. Beyond contributing to the compromise of the organization, an error in analysis can lead to heavy fines or other serious repercussions, which additionally contributes to the high-stress environment many analysts operate in.
Constantly evolving threat landscape
It can be extremely difficult to keep up with the knowledge required to identify threats consistently and accurately. When knowledge of a vulnerability becomes public, security teams will either patch that vulnerability (once a patch becomes available), or they’ll start to find other ways to mitigate it on their own. This encourages attackers to change tactics, either utilizing another vulnerability or finding some way around whatever mitigation strategy has been employed. For attackers, it’s imperative to stay one step ahead of defenders, creating a cat-and-mouse game between attackers and defenders. Thousands of common vulnerabilities and exposures (CVEs) are made public every year. As such, security analysts struggle to keep up with the ins and outs of their own network, what vulnerabilities it has and what to do to ameliorate the impact of those vulnerabilities. Making matters worse, some exposures will never be publicly disclosed and won’t be discovered until it’s too late. In addition to the factors listed above, many SOCs offer security analysts salaries that are capped after a certain dollar figure. What’s more, the nature of analysis work doesn’t allow for many opportunities for career advancement, and a lot of organizations are actually cutting training benefits either partially or fully—even when guaranteed in contract. Perhaps worst of all, organizations are pinching pennies when it comes to cybersecurity, not understanding the ratio between the risk of an information compromise and the reward of saving money on your SOC. These factors all contribute to analyst burnout, ultimately causing these individuals to leave the cybersecurity industry and the “problematic shortage” of cybersecurity skills.
Security consequences stemming from burnout
As is the case in any industry, the advice and the firsthand experience of experts is extremely valuable and is not something the cybersecurity sector wants to continuously lose. When it comes to cybersecurity, teams often lack advanced skills in security analytics, forensic investigations or cloud computing security, which places additional pressure on the most experienced team members to pick up the slack because of this exodus of experts. Whether due to the stress, the unforgiving nature of an analyst’s schedule or limited opportunities for advancement, burnout is forcing many analysts to switch industries or take unrelated jobs in the field. Just as it would be if you had structural engineers leaving the field after just a few years, the implications of losing anyone who gains experience, adaptability and confidence as they progress in their knowledge of security analysis are hugely significant—and the consequences in the enterprise can be devastating. With skilled employees leaving cybersecurity just as they’re becoming proficient, there’s a mentorship gap in the sector. A mentor is someone who an analyst can work with for a long time, who not only trains them on the tools they’re using but really guides them on the fundamental principles of information security so that they actually understand what they are doing on a more holistic level. That kind of understanding can be very difficult to obtain just by learning new tools and attacker techniques. Finally, entirely too much of the analysis work these individuals are doing is mundane and repetitive. While monotonous and not incredibly complex, this is time-consuming and laborious, and worst of all, when an analyst is bogged down with these rote tasks, they can’t tackle more complicated work that requires more sophisticated analysis. In addition to being understaffed and overworked, SOCs are so swamped with day-to-day security operations that they have little time for ongoing cybersecurity training. Additionally, funding is not growing at the same rate that the threat landscape is, and as a result, the amount of work analysts have to deal with is constantly growing—and that is a crucial problem. Consider this example. An MSSP doubles the number of customers servicing, and almost every additional customer has 24/7/365 eyes-on-glass requirements. However, in that same timeframe, the MSSP only increased its number of analysts by 10% to 15%. And because investigating and handling a true positive in a SOC can be a multiple-hour process, analysts are unable to effectively monitor and analyze the other customers they’re responsible for. Monitoring and analysis simply aren’t happening, opening the door for hackers and bad actors to infiltrate the systems. As the complexity of each network grows, the influence of the internet expands, and the amount of web traffic continues getting bigger. In response, the amount of alerts analysts are receiving daily also increases. Consequently, even if an organization didn’t increase its customer load or change any contracts, it is almost guaranteed that year after year, the needs of that SOC will increase a substantial amount. And when analysts are facing an ever-increasing amount of alerts, the potential for mistakes stemming from a lack of sharpness due to burnout increases.
What organizations can do to combat burnout
First and foremost, it is vital to our collective digital future that organizations employ automation to eliminate as much of the onerous, repetitive copy-paste work and other mindless tasks that analysts have to perform and allow them to do more thoughtful and impactful work. With more available time, analysts are able to not only improve their skills and knowledge, but they can also actively hunt for threats and help solve actual security problems. Furthermore, organizations need to be aware that security analysts are human beings with human needs. Between the demanding schedule and the stresses of the job, the role of an infosecurity analyst can very quickly interfere with their personal life and disrupt their work-life balance. Whether working for the government or in the private sector, the complaints from the analysts are almost always the same—the unforgiving schedule, the lack of training and opportunities for advancement and the stress stemming from having to keep up with an evolving threat landscape while operating with little room for error. Finally, employers need to acknowledge that due to alert volume, the individual nature of analysis and the varying existing knowledge- and research-based detection ability of each analyst, analysts are expected to be actively engaged in several tasks at the same time. From planning and executing security plans to protect an organization’s networks, computers and systems to monitoring those systems for security breaches and investigating any violations, ensuring regulatory compliance and staying relevant with security trends, a security analyst’s list of responsibilities continues to grow as the number and rate of cyberattacks increases. And automation helps teams orchestrate faster, more effective incident response and threat management, freeing analysts up to work smarter, not harder. As the world continues its progression into an increasingly digital state, attack surfaces are expanding, and the threat landscape is evolving as attackers grow increasingly sophisticated. In this precarious environment, cybersecurity professionals must recognize the symptoms of burnout and try to head off the problem before it gets worse. From an unforgiving schedule to the constantly evolving nature of threats leaving little room for error, the constant stresses of cybersecurity analysis can easily lead analysts to suffer from burnout, and if we don’t take action now, the consequences surrounding a breach will pale in comparison to what we can expect in the future.
About the Author: Nick Tausek is a Security Research Engineer at Swimlane, specializing in Use Case development. He was an information security analyst for 8 years, and has worked in SOCs in the government, NGO, and private sectors. His interests include Python scripting, Fallout, and Bob’s Burgers. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
