Brian Sims
Editor
“DAD, WHAT do you do for your job?” My nine-year-old son asked me this question a couple of weeks ago, writes Simon Backwell. He knows that I do something with computers, and he’s currently learning about online safety at school. For a few moments, I struggled to answer him and then replied: “I try to stop bad people doing bad things to the company I work for.”
However, that’s not really accurate, as I’m sure many of you can relate to. It’s one of the things we try to do as security professionals, but it’s a lot more mundane than that. If I wanted to be more accurate, I could have said things like: “I read and write a lot of documents and reports” or “I teach people not to use bad passwords” or “I attend lots of meetings.”
There have been times I’ve been trying to write Teams messages when I’m walking him and his brother home from school. Sometimes, I work on the weekends on those bits I didn’t finish during the week. In the grand scheme of things, are any of these things important?
Probably not, but we have all been there in some form or another where we have made it important to ourselves that these things need to be completed, despite the personal impact.
Recently, I helped someone access their personal e-mail and other accounts after they had been hacked. As I finished the call, I felt a sense of accomplishment that I had not felt in some time. I had managed to do something that mattered and helped someone.
As a long-time Doctor Who fan, I always have The Doctor’s vow in my mind: ‘Without Hope. Without Witness. Without Reward.’ I never do anything in my work expecting a fanfare or huge thanks. I have always maintained that if something I say or do helps someone, be that a colleague, family member or friend, it’s worth it. I’m sure some will agree: many of us found our way into security because we wanted to help others, even if indirectly. However, as we’re promoted or take on new responsibilities, that drive and ability to help others can become lost in the sea of strategy, meetings and reports.
State of Cyber Security
It’s telling and revealing that, in the recent ISACA State of Cyber Security report, some of the things I’m feeling personally are echoed elsewhere in the profession (and I would like to imagine some of you are nodding along feeling the same).
We are currently a profession grappling with unprecedented stress, burnout and workforce shortages. Two-thirds (66%) of the 3,800 cyber security professionals surveyed report that their jobs are more stressful now than five years ago.
The complexity of the threat landscape is the top driver (63%), but it’s not the only factor. 47% of respondents blame stress as the reason for attrition. The real danger is how deadly burnout can be. An individual may still show up to work, still respond to requests and incidents, but the spark is gone. They are running on empty. This invisible erosion of resilience is a threat we must all learn to detect early.
However, this is one threat we cannot detect with technology or Artificial Intelligence. Empathy and leadership are the key tools we must use. No longer is it a ‘security’ problem. It’s a problem that we must address with the help of Human Resources, IT and our executive teams. Only by being open and honest about the stresses we face – and working through them together with executive support – will we begin to address them.
I fully recognise that, as a support function, we don’t bring in money and, sometimes, we can be seen as the team that wants to spend the most. However, I’m sure I speak for many security professionals when I say that we would not have the customers using, buying or contracting our services without security being considered. Were there aspects not in place or not to the standard the customer wanted, then deals may not be made. We need to ensure that this is recognised and supported as much as possible.
Conflicting priorities
With cyber attacks increasing, that weight and burden weigh heavily on us. Will we be next? How can we ensure the protection of our organisation with so many conflicting priorities and so little resource?
Like The Doctor in many adventures, we are confronting a hostile landscape with what feels like too few allies, too much pressure and a growing sense that the odds are stacked against us.
As I reflect on this and the pressures we face as a profession, I think back to what I said to my son. The truth is, our work is not just about stopping bad people. It’s also about protecting others, often quietly, often under strain.
We carry that weight so that our organisations, colleagues and customers can continue with confidence. If one day I can tell my son and his brother that I helped make things safer for people, even in small ways, then that will be enough.
Simon Backwell is an Information Security Professional and Member of the ISACA Emerging Trends Working Group (www.isaca.org)