Why Cybersecurity Professionals Burn Out
Abilities mismatch leads to stress, attrition. Cognitive assessments are essential.
Amidst widespread lamenting about the cybersecurity skills gap and the all-too-true proclamations that cyber has jobs for people with all kinds of skill sets, Debbie Gordon believes one very important point is being regularly missed.
That point, she recently told Cybercrime Magazine, is that while there are myriad roles in cybersecurity, too many companies — and recruiters — are failing to register that those roles often require not only different skill sets, but different cognitive perspectives.
“There’s an abilities mismatch, where some people aren’t innately cut out to do certain jobs,” Gordon — founder and CEO of cyber-range training firm Cloud Range — explained. “They see movies about hackers and think ‘I want to go do that’ and don’t realize the dozens of other roles that are in cybersecurity.”
This often ends up with people being placed in jobs that prove uncomfortable for them — leading to job stress, poor performance evaluations, burnout, and early attrition.
It’s a problem that could be prevented, she believes, if more attention were paid to not only placing people in cybersecurity jobs, but placing them in the right jobs.
The types of skills needed to do penetration testing, for example, are very different from the skills required to manage a security operations center (SOC) or to manage a company’s cybersecurity governance posture; in the Venn diagram of cybersecurity skills required for these and other jobs, each has some crossover but also many aspects that are quite different.
Despite this reality, “many security leaders, and hiring managers, and HR folks don’t realize that there are different cognitive abilities and requirements for different jobs,” Gordon explained. “So, the number one thing that security leaders can and should do is to do a cognitive assessment to make sure they’re actually cut out to do it.”
“A lot of people get stuck and burn out,” she said, “and the burnout may not be because the job is so hard; often, it is also because they just may not have the cognitive abilities” for the role.
Training is a long-term commitment
Inadvertently pigeonholing people into the wrong positions is a risk that recruiters take, particularly in today’s world where employers have warmed to the idea that employees with only partial skill matches can be trained to fulfill the rest of the job criteria.
Rather than hiring staff and assuming they will find their way, Gordon said, companies need to lay down clear training and career development plans that recognize that cybersecurity jobs become more rarefied — and require increasingly divergent skills — the further a worker progresses in their career.
“The more junior the role, the more consistent among different companies that role may be,” Gordon explained. “However, the higher they go, the more complex and varied those roles become — so it’s imperative that there is planning about what that person is going to need to know as they move up and over and up again in different security roles. You can’t just depend on what the standard training was when they came to the company.”
Indeed, she said, training is an investment — and a long-term one that is important not only for ensuring staff can meet the responsibilities of their jobs now and in the future, but also that they will feel relevant and engaged for the long term.
“Effective security leaders are investing,” Gordon explained, “knowing that the more skills and abilities they give people, not only are they going to make them more effective in their current role, but they’re also going to be more likely to retain them as they have the opportunity to move into different roles within the organization — versus going to a different organization.”
Ensuring the right mix of training is essential, she said, noting that the most effective learning requires equal attention be given to knowledge, skills, and abilities — three quite different areas that aren’t always balanced effectively by corporate cybersecurity organizations.
Building knowledge — watching videos or completing learning modules — gives way to building skills, which is practicing specific capabilities using the knowledge that has been obtained.
Building abilities, however, requires continuous practice of those skills — and this is where Cloud Range, the company Gordon founded in 2018, has found strong support by providing simulated SOC environments where SOC managers, analysts, and other staff can experience a simulated cyber attack and respond to it.
In such an environment, she said, “they have to go in and detect and respond to an attack or multiple attacks happening, and they have to know what to do when, with whom, using what — and they don’t even know what they’re looking for.”
“That last mile of training is what we provide our customers — which are companies with full-blown security teams… some of which are really advanced, and some of them are not so advanced.”
Table stakes at the SOC
The broad range of cybersecurity maturity likely explains the rapid growth in uptake of cyber range solutions, with around 15 percent of companies using the technologies to test and prepare their teams for cyber attack.
That’s up from 1 percent a few years ago but, Gordon said, that proportion is rapidly growing now because companies see it as a way of continuously improving the cyber capabilities of a workforce.
Hands-on training translates into quicker time to value, since new employees have the opportunity to hone their expertise in simulated full-blown attack scenarios rather than being limited to whatever narrow scope of attacks actually happens.
“We accelerate experience,” she said, “and for existing employees, it makes them more effective on an ongoing basis because they have the exposure to these different attacks.”
Yet just providing a cyber range is only part of the battle: Cloud Range’s approach wraps the training environment in a broad range of curriculum, content, and metrics.
This approach ensures that companies can see how their team is progressing “from a risk management standpoint,” Gordon said, “all the while ensuring that team members have a direction and a learning path for that ultimate goal, of retention and increasing their effectiveness.”
“It makes existing employees more effective on an ongoing basis because they have exposure to these different attacks,” Gordon explained. “They also gain confidence because they’re able to practice in a safe environment.”
“This helps companies proactively prepare their teams to be in a position to detect and defend against attacks, so that we don’t hear about them on the news.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.
This article previously appeared in Cybercrime Magazine.