Fighting cyber attacks has become “significantly” more stressful over the past year, with 86 per cent of companies now reporting staff fatigue and burnout that contributes to 1 in 5 data breaches, according to a new study that flags “chaotic”, retroactive incident responses.

Although three-quarters of companies now have dedicated cyber security teams, the newly released Sophos report, The Future of Cybersecurity in Asia Pacific and Japan, found that 30 per cent of 204 Australian respondents said those teams had seen burnout increase “significantly” over the past 12 months – with 43 per cent admitting that this made them “less diligent” while performing their work.

Some 19 per cent said that this burnout had contributed to, or was directly responsible for, a cyber security breach, with 23 per cent reporting “chaos” when a breach occurred – driving 29 per cent to express feelings of cynicism, detachment, and apathy towards their responsibilities.

Respondents blamed factors including a lack of resources to support cyber security activities; the routine aspects of the role that “create a feeling of monotony”; increased pressure from boards and executive management; “persistent” alert overload from cyber security tools and systems; and the always-on environment caused by increasing threat activity and the adoption of new technologies.

Burnout was so bad that 22 per cent admitted that it made them want to either resign or change careers – and 23 per cent said they had already done so – while 16 per cent said that staff had been ‘moved on’ because burnout had caused so many performance issues.

“At a time when organisations are struggling with cyber security skills shortages [amidst] an increasingly complex cyberattack environment, employee stability and performance are critical for providing a solid defence for the business,” Sophos field CTO Aaron Bugal said as the new figures were released.

“Cyber security is now a perpetually interactive sport – and there needs to be a team that provides adequate coverage around the clock.”

Yet in many companies, respondents indicated prioritisation of cyber security was suffering at the hands of executives who “assume cyber security is easy and concerns are over exaggerated” – fuelling chronic underfunding of cyber security and a perennial struggle to create strong, company-wide cyber security culture.

And while 42 per cent of respondents said ongoing regulatory change has forced a significantly increased focus on cyber security within unprepared boards and senior leadership teams, that increased attention wasn’t necessarily trickling down through the organisation.

While company boards were receiving regular cyber security briefings in 49 per cent of companies – well ahead of the 41 per cent regional average – Australian businesses were behind global benchmarks when it came to briefing senior leadership, third-party suppliers, government agencies, and customers.

Worse still, senior executives were the worst offenders when it came to repeatedly breaching cyber security good practice – with 44 per cent labelled as repeat offenders, compared with 39 per cent of employees and 30 per cent of board members.

Steps to address burnout

Although awareness of issues around cyber security-related burnout has been well established in anecdotes and research – particularly after the pandemic pressure cooker drove “extreme stress or burnout” amongst half of cyber professionals – the figures highlight the ongoing need for business executives to become more proactive in looking after the mental health of the cyber security workers on whom the integrity of their companies depends.

“Boards and executive committees need to drive change and demand responsibility from their deputised charges,” Bugal said, calling for “an attitude adjustment” as business leaders “clearly articulate their accountability in developing and maintaining a [response] plan.”

Yet the proportion of Australian companies providing stress counselling for IT and cyber security employees was the second lowest among the six countries studied – which also included the IT services and business centres of India, Japan, Malaysia, the Philippines, and Singapore – and Australian respondents were the least likely, at just 39 per cent, to say they had received a positive response when they raised concerns about cyber security fatigue within their organisations.

Ongoing shortfalls in mental health support have driven the creation of programs such as Cybermindz, which this month launched a 12-month CISO Support program designed to help cyber security executives identify and address the factors that can lead to burnout.

A series of 12 pilot programs, run over the course of 2023, had seen an average 27.3 per cent reduction in overall stress after eight weeks – as well as a 30.7 per cent increase in coping abilities, and the halving of those reporting that they felt overwhelmed by difficulties.

With cyber security burnout rates exceeding those of frontline healthcare workers, Cybermindz founder Peter Coroneos said the program – which is being rolled out in Australia first before planned expansion to the US and UK – had built on the insights from those programs, as well as methodologies derived from the iRest Dyad military support program, “to create something specific for leaders, who are carrying the biggest burden” of cyber security defence.

“There is a growing body of anecdotal and hard evidence showing the toll cyber leadership pressures are having on individuals and their families,” Coroneos said.

“We hope that doing this will have a meaningful impact on personal wellbeing and, by extension, organisational and society resilience.”