Australian businesses and government bodies may be pulling out all the stops to close the yawning cyber security skills gap, but the industry also faces the threat of mass attrition as constant pressure drives one-third of cyber security professionals to consider leaving their jobs.

Fully 51 per cent of cyber security professionals said they experienced “extreme stress or burnout” over the past year as they fought to keep companies protected in the face of surging attacks during the COVID-19 cyber criminals, VMware’s latest Global incident Response Threat Report found.

This stress emerged as cyber criminals became more creative in designing their attacks, and more effective in targeting them to cause maximum damage through successful high-profile hits on the likes of Colonial Pipeline and SolarWinds.

With integrity and destructive attacks now comprising over 50 per cent of attacks, cyber criminals have been “sowing chaos”, the survey found, by moving in lockstep with companies that have been pushing hard towards digital transformation by adopting technologies such as cloud-based Kubernetes environments.

Fully 43 per cent of survey respondents said over a third of the attacks they were dealing with were targeting cloud workloads – confirming that cyber criminals were shadowing companies’ cloud-based transformations.

Facing an onslaught of ransomware-as-a-service having commoditised the process of crippling companies for financial reward, and ‘cloud-jacking’ techniques that allow cybercriminals to ‘island hop’ along a company’s software and business supply chains, many of the 123 surveyed cyber security and incident response professionals said they had simply had enough.

Fully 67 per cent of respondents said they had had to take time off because of on-the-job stress, while fully 65 per cent of those citing burnout said they had considered leaving their jobs because of it.

Problem-solving cyber security professionals spend their time running from one stressful and demanding task to another, Red Hat chief architect Emily Brand told a recent industry forum as she highlighted “the importance of taking a breath”.

“I was always just [running] into the wall and [running] into the wall until I broke down that wall,” she said, “and that was with everything that I learned and everything that I did.

“It really accelerated my passion, but also accelerated my burnout – and I’ve probably already had three burnouts in my career because of that.”

Those burnouts could have been “very much prevented by just, every once in a while, [considering] if what I’m doing is actually making sense in giving real value to myself and my company – or am I just running, running, running?”

Fight the brain drain

Burnout is more than just about losing high-capable staff. Reports suggest that substance abuse and suicide attempts among cyber security staff have surged in recent years, with a 2019 study suggesting 1 in 6 chief information security officers self-medicates or uses alcohol.

And while much of the stress of cyber security comes from the escalating pace of attacks, organisational cultural issues continue to pose their own issues, notes Josh Corman, founder of I Am The Cavalry and a senior advisor for the US Cybersecurity and Infrastructure Security Agency (CISA).

Established psychological tools like the Maslach Burnout Inventory attempt to measure the impact of issues like employees’ level of cynicism, level of exhaustion or fatigue, and level of efficacy, Corman said – noting that even poor diversity and inclusion (D&I) cultures can exacerbate the stress of cyber security jobs.

“We seem to have a robust pipeline, but in the last few years we’ve noticed that we’re having a pretty high burnout rate or churn rate,” he explained.

“We can attract people into the field, but based on some toxic behaviour, and some misogynistic behaviour, we found we were driving people out.

“Our toxicity in its current form perpetuates our diversity challenges, which perpetuates our workforce shortage, which perpetuates our exhaustion. “

To head off a flight of talent that could leave them even more vulnerable to cyber criminals, VMware principal cyber security strategist Rick McElroy warned, business leaders must proactively address burnout through workplace strategies that reduce the pressure on cyber security staff.

“Burnout is a huge issue with incident response teams, who are handling a spike in engagements in what is still a largely remote environment,” he explained.

High levels of burnout and attrition “underscore the need for leaders to build resilient teams,” he added, citing the benefits of possible strategies including rotating work, allowing individuals to take “mental health days”.

Business leaders should also consider providing more one-on-one support, sponsoring staff into leadership and professional development courses, and even “non-standard activities” such as walking meetings and mindfulness training.

“Give your team the time to operationalise a piece of technology before implementing a new one,” McElroy said, and “offer real breaks”.