For the past two years, data analyst Chloe – not her real name – has been working in the cyber division of a major organisation. She enjoys her job, but Chloe has lately been finding it hard to switch off and is starting to feel burnt out.

“It’s like you’re on call 24/7,” she told Information Age.

“I love the work. But at the same time there is always a threat looming, and it never goes away.

“I’m on edge and when the phone buzzes, I’m in a constant state of having to act and respond immediately.”

Chloe isn’t alone.

A small study of 119 cyber security professionals conducted by Australian non-profit Cybermindz and the University of Adelaide found cyber professionals scored higher on a burnout scale than the general population – with some scores exceeding those reported by frontline health workers.

Emotional exhaustion tended to be even higher for women in security consultant roles.

Those researchers used the Maslach Burnout Inventory, looking at burnout as a combination of emotional exhaustion, depersonalization, and reduced professional efficacy.

During the height of COVID-19, more than half of cyber security professionals said they experienced “extreme stress or burnout”, with 70 per cent saying they had taken stress leave.

Last year, Mimecast research found 84 per cent of cyber security professionals in North America had experienced burnout.

For Chloe, it seems like every day brings another potential crisis.

“I’m always thinking, what's coming next? What can I do? How can I communicate this problem quickly, so that I get the support to stop an attack.”

She does at least feel some relief now that more people are becoming aware of the burnout.

“Starting a conversation is the most important thing. Ask, how can we help you?

“In the past, mental health has been such a touchy subject, it’s important the industry addresses this issue in a tangible and practical way.”

Stress, exhaustion exacerbates cyber skills shortage

Peter Coroneos, founder of Cybermindz, said people outside the industry are shocked to learn that these invisible workers who are protecting all of society from digital threats are in such a state of fragility.

He said the stress is exacerbating skills shortages in a field that desperately needs workers.

“As far as those leaving the industry, our findings are anecdotal but consistent,” he said.

“Not only are we losing CISOs, but sub-CISOs are refusing promotions because they don’t want the additional stress, despite the extra money and status.”

For Coroneos, regulators clamping down on organisations that breach security procedures may itself have unintended consequences.

“We understand why governments and regulators feel the need to clamp down, to force boards to take cyber seriously and to respond to public calls,” he said.

“The irony is, if it’s having the effect of accelerating burnout in cyber teams, perversely, we may be less secure as a result.”

Speaking at the recent Australian Financial Review Cyber Summit, Deloitte risk advisory manager David Owen agreed that stress and burnout are contributing to a high churn rate in the profession.

“It’s ironic because I heard recently that we could face a skill shortage in our industry, and we'd need another 17,600 cyber professionals by 2026,” Owen said.

“There's clearly a tension here between trying to keep people in our industry and supporting them through quite difficult situations.

“We need people with experience right now. The industry is short staffed, sometimes these workers are operating a grade above, this is a source of anxiety and stress; along with working 18 plus hours.”

Cyber is becoming a systemic risk, and it needs a collective approach for all.

“Fundamentally, this needs to be a responsibility of the whole organisation, rather than the burden on the cyber department, and led by management.”