How training and recognition can reduce cybersecurity stress and burnout

Cybersecurity is a demanding profession that comes with significant stress and burnout — it presents a complex problem for many businesses, with constantly evolving threats, ambiguous issues, and no clear-cut solutions. Security professionals bear a great deal of responsibility and are subject to long hours of work and high pressure in an unpredictable and constantly shifting landscape. Many security teams are understaffed, overburdened, and lack resources, which can compound stress levels, while the need to meet deadlines, remain informed of the latest security risks, and manage intricate security systems and incident reporting can contribute to burnout.

“In the context of cybersecurity, job demands can include mental and physical workload associated with managing a high volume of security incidents and keeping up with evolving threats,” Dr. John Blythe, a behavioral scientist and director of cyber workforce psychology at Immersive Labs, tells CSO. “Without job and personal resources, role demands can create stress and burnout.”

There are ways to help mitigate the stress and burnout that can have significant impact on security teams and businesses, Blythe says. Recognition of problem areas and access to training can alleviate the negative effects of job demands, improve employee well-being and job performance, and ultimately help address both issues.

How stress and burnout impact cybersecurity teams and businesses

When cybersecurity professionals experience stress and burnout, they may become less productive, leading to delays in projects and missed deadlines, Blythe says. They are also typically more prone to making errors and mistakes in their work, which can increase the risk of security breaches and other issues. “Stress and burnout can lead to high rates of employee turnover, too, which can be costly for businesses in terms of recruitment and training. What’s more, when one or more members of a team are experiencing stress and burnout, it can negatively impact the morale of the entire team, leading to lower job satisfaction and a less positive work environment.” If a security breach occurs due to employee burnout or stress, it can damage the reputation of the business and lead to a loss of customer trust, he says.

Training and recognition provide skills, resources, support

Training and recognition can help to prevent stress and burnout by reducing job demands and ensuring that cybersecurity professionals have the necessary skills, professional resources, and support needed to manage their workload effectively, Blythe says. “Staff need access to training that helps them keep pace with cyber threats, whilst recognition is important for boosting staff morale.”

There is no victory condition for security; cyber professionals often deal with one issue, then move right on to the next risk, the next event, the next incident — taking a toll on their mental health, says Aaron Kiemele, CISO at Jamf. “Recognizing and rewarding these efforts and achievements can help boost motivation and help staff understand they are valued and appreciated. Training will expose employees to peers who are having the same issues, under similar conditions. Security is a team sport, and security professionals need reminders that we are all in this together.”

Training and recognition can also boost employees’ personal resources (also known as psychological capital) including hope, optimism, resilience, and confidence, which can help them cope with stress and burnout.

4 ways job and personal resources ease stress and burnout

Blythe shares four ways access to job and personal resources can help to limit/prevent stress and burnout in security teams:

• By buffering the negative effects of job demands: “When individuals have access to job resources such as autonomy, social support, and training and development opportunities, they are better equipped to manage the demands of their job.” This can help to reduce the negative impact of job demands on an individual’s well-being, preventing burnout from occurring.
• Providing a sense of control: Having access to job resources can also provide individuals with a greater sense of control over their work, which can help to reduce feelings of stress and anxiety. “This can lead to greater job satisfaction and motivation, which can prevent burnout from occurring.”
• Improving coping skills: “Personal resources such as psychological capital can help individuals develop the coping skills they need to manage stress and prevent burnout.” For example, having high levels of optimism and resilience can help individuals bounce back from setbacks and stay motivated in the face of challenges.
• Promoting work-life balance: Personal resources such as social support and time management skills can help individuals maintain a healthy work-life balance. “This can prevent burnout by ensuring that individuals have time and energy to devote to other areas of their life, such as hobbies and relationships.”

The right types of training and recognition are key

While training and recognition can have notably positive impacts on reducing stress and burnout of security personnel, some will be more effective than others, meaning both need to be appropriate for the organization and its security workforce. “CISOs should collaborate with their HR team to design evidence-based interventions that are suitable for their organization, which may involve establishing a formal training and recognition program with clear objectives and metrics for measuring progress,” Blythe says.

In Kiemele’s experience, conferences can be the single most useful training and recognition resource, and he advises CISOs to encourage and support their staff to attend such events whenever possible. “The content can be timely and excellent but is often secondary to the core value of meeting and mingling with other security professionals. ‘Security is a team sport, and knowing that you are not in this alone, that there is an entire community of folks undergoing the same trials and tribulations, seeing the same issues, and working to innovate solutions, is priceless.” Every security professional needs to know they are a part of something larger, a community dedicated to supporting the greater mission of reducing risk for their organizations. “There is nothing quite like going to a security conference and realizing you have a tribe.”

Cybersecurity training and certifications are helpful

Training courses or certifications can also help security personnel to build new skills and knowledge along with supporting long-term development, which can increase their confidence and reduce stress levels, says Leo Cunningham, CISO at Flo.

“Training that helps the team stay current with the latest threat actors, technologies, vulnerabilities, and best practices, making the work more efficient and effective, reducing the risk of unforced errors and expanding the team’s capabilities, is very important,” says Kiemele. “By investing in their employees’ training and development, security leaders demonstrate that they value and support their team’s professional growth and career development, which can further boost morale and motivation.”

Additionally, training that helps to develop organizational and communications skills can help workers manage their own stress and identify issues with colleagues and teams, says Nadine Michaelides, expert psychologist and CEO of Anima People. “Part of the problem is that the approach to problems that involve people both as a cause and consequence focuses too much on technology and does not address human factors appropriately. Security teams are left holding the baby with no idea how to manage such complex issues. One of the most important aspects we can have to manage stress is the confidence and vision to find a solution, but if all you hit are brick walls, then you quickly become deflated and overwhelmed.”

Build a culture of well-being

Security leaders should aim to build a culture of well-being by providing ongoing feedback and support to their employees as well, Blythe adds. “By leading by example and advocating well-being within their teams, security leaders can help to create a supportive culture, which can in turn reduce stress and burnout among their teams. Security leaders should build a well-being culture by focusing on psychological safety, promoting work-life balance, encouraging open communication, promoting healthy habits, and leading by example.”

Security leaders also need to ensure consistent acknowledgment of a job well done, and a simple thank you can do wonders in this regard, says Kiemele. “When their hard work and contributions are recognized and appreciated, teams are more likely to feel a sense of satisfaction in their work. This will reduce the mounting stresses and foster a supportive environment with a real sense of shared purpose, and team camaraderie, and reinforces a culture that encourages and values work well done.”