High level staff shortages and a growing cyber-crime onslaught are putting South Africa’s cyber security professionals at risk of burnout, with many suffering from exhaustion, insomnia, disengagement and a range of physical symptoms.
This emerged during a recent Cyber Security Awareness Month Cyber Security Roadshow hosted by the Institute of Information Technology Professionals South Africa (IITPSA) at the University of Cape Town, where leading security professionals discussed the pressure the sector is under.
Citing exhaustion, disengagement and various other symptoms, the security professionals said burnout put organisations at risk.
Professional Member and IITPSA SIGCyber Committee Chair, Prof. Kerry-Lynn Thomson, a Professor in the School of IT at the Nelson Mandela University, said: “The demands placed on cybersecurity professionals have never been higher! As cyber threats become more sophisticated and pervasive, professionals in cybersecurity must remain constantly vigilant, working long hours and under tremendous pressure to protect organisations from cyberattacks. Unrelenting stress and pressure have led to alarming rates of burnout within the cybersecurity community.”
Suren Naidoo, Group Chief Information Security Officer at TFG Cybersecurity, said: “Burnout also increases absenteeism and reduces productivity, which impacts the organisation’s ability to meet certain objectives like the introduction of new solutions, or detect and respond to incidents timeously. The consequences of this are that it puts greater stress and pressure on already burdened staff members, thereby potentially increasing burnout across the team. This may result in increased staff turnover, as staff members resign due to the burnout, as they seek new jobs with lower demands, and better work-life balance.”
Insomnia and energy drinks
The cyber security professionals pointed to accountability and blame as another cause for stress in the sector. Naidoo said: “Nobody wants to be made the scapegoat for any incident. It would impact your reputation and brand as a cyber security leader. Given the recent case study of the Uber CISO being charged and sentenced to three years of probation and several other high-profile cases like Target and Equifax where the Executive leadership were removed or resigned post breach, this is becoming a serious concern for many CISOs and C-suite leaders.”
Doctor Mafuwafuwane, a veteran cyber security professional and SIGCyber Committee Vice Chair, said: “In most cases, it’s not one individual’s fault within the cybersecurity sphere. But at the end of the day, Senior Security Managers and C-Level own the accountability. The attack environment is persistent, with no psychological rest, as security teams are never sure when an attack will arise, and cybersecurity teams are aware that the downstream effects of single negligence can affect millions of people.”
Always being on-call means cyber security professionals seldom rest, they added.
Mafuwafuwane said: “Cybersecurity professionals are burning out, hackneyed and in ‘always-on’ mode. Not only is the number of attempts of cyberattacks growing worldwide, but human error is one of the major causes of data breaches in a company, and the chance of a data breach for a phishing attack is only worsened when employees are burned out.”
“Cyber security professionals deal with environments that are ‘active’ eight by five but under threat 24/7, so we face an exceptionally high risk of burnout at all levels – from junior Security Engineers to the CISO.”
The nature of the work means less work-life balance, and professionals often have to cancel personal plans to attend to cyber incidents, they said.
Mafuwafuwane said: “I have had to cancel some of my plans a couple of times, and it’s not unusual to hear those in the cyber security industry say that holidays and weekends are the most likely times to get a call for a vital incident. We are constantly balancing that with nourishing time to recover and prevent burnout, which is essential.”
Naidoo said: “As a leadership team, we are acutely aware of the risks of burnout for individuals and the organisation, and we look out for the various symptoms.”
These symptoms include disengagement, characterised by ‘not showing up’, being late to meetings, and little to no active participation in meetings, project involvement or social gatherings. Another symptom, lack of accomplishment, is characterised by not meeting key project deliverables and having zero appetite to study.
“Symptoms also include health issues like insomnia and hypertension; and physical, mental, emotional, and behavioural exhaustion. These are not always easily identifiable and hence our individual team member meetings are key to surfacing issues. We also monitor high leave balances, to ensure staff take time off,” Naidoo said.
Veteran security professional Grant Hughes said: “I know of security professionals who have been unable to write any exams or attend conferences for the past two years, because they are just too busy and overworked. People may become so busy that they start questioning the value or impact of cybersecurity efforts, simply because there is a never-ending list of things to do. People also become more easily frustrated or irritated, even with minor issues. In my past experience, I have encountered individuals demonstrating impatience with colleagues or team members. The smallest things would trigger them. Reflecting back, they were overwhelmed and probably burned out. But at that time, we didn’t have a term for it.”
Hughes added: “Neglecting self-care is a common early warning sign of burnout. This could include ignoring personal well-being, including exercise, healthy eating, and leisure activities. There is always a deadline, and working late can easily become the norm. We see professionals close to burnout engaging in unhealthy coping mechanisms, such as excessive caffeine or alcohol consumption. When you start moving to three-plus coffees a day, as well as energy drinks, then you know you are in the red zone.”
However, Hughes said: “There should be teams (or managed services) working 24/7, with people on stand-by to support them. If people who are not on stand-by are being pulled into things consistently after hours, it is a reflection of bad planning, or lack of planning. For example, there should be a SOC operating 24/7. Each support team should have a stand-by person (who should not make family plans or go on vacation whilst on stand-by).”
Addressing these challenges, the security professionals pointed to skills development, managed services and AI tools as potential solutions to the burnout problem.
Mafuwafuwane said: “There is a broad and deep ecosystem of security service providers that can support any range of cybersecurity capabilities, much more so than there were five years ago, in very cost-effective ways, and these providers have relevant skills through shared model best practices.”
Naidoo said: “We have enhanced our talent continuity plans, by introducing a formal mentorship programme to increase the competency of staff members at all levels. This is a long-term investment, to also ensure that we give staff members the opportunity to identify mentors and coaches that they can work with over an extended period. In addition, we have had an internship programme, since 2017, and that has certainly helped bring in young people, and more importantly assist in reducing the skills shortage.”
Prof. Thomson said: “Due to the cybersecurity skills shortage, both in South Africa and globally, there is a lot of focus on encouraging people, and students in particular, to choose careers in cybersecurity – but are we doing enough to prepare them for the stresses and reality of what those careers entail? We must prepare students, our future cybersecurity professionals, not only with technical skills but also with the resilience and mental fortitude to thrive in this demanding field. Ultimately, a healthier cybersecurity workforce will lead to stronger digital defences.”