High level staff shortages and a growing cybercrime onslaught are putting South Africa’s cybersecurity professionals at risk of burnout – with many suffering from exhaustion, insomnia, disengagement, and a range of physical symptoms.
This emerged during a recent Cyber Security Awareness Month Cybersecurity Roadshow hosted by the Institute of Information Technology Professionals South Africa (IITPSA) at the University of Cape Town, where leading security professionals discussed the pressure the sector is under.
Citing exhaustion, disengagement, and various other symptoms, the security professionals said burnout put organisations at risk.
Professional member and IITPSA SIGCyber Committee chair, Professor Kerry-Lynn Thomson, from the School of IT at the Nelson Mandela University, says: “The demands placed on cybersecurity professionals have never been higher. As cyberthreats become more sophisticated and pervasive, professionals in cybersecurity must remain constantly vigilant, working long hours and under tremendous pressure to protect organisations from cyberattacks. Unrelenting stress and pressure have led to alarming rates of burnout within the cybersecurity community.”
Suren Naidoo, group chief information security officer at TFG Cybersecurity, adds: “Burnout also increases absenteeism and reduces productivity which impacts the organisation’s ability to meet certain objectives like the introduction of new solutions, or detect and respond to incidents timeously. The consequences of this are that it puts greater stress and pressure on already burdened staff members thereby potentially increasing burnout across the team. This may result in increased staff turnover as staff members resign due to the burnout as they seek new jobs with lower demands and better work-life balance.”
Insomnia and energy drinks
The cybersecurity professionals pointed to accountability and blame as another cause for stress in the sector.
“Nobody wants to be made the scapegoat for any incident,” says Naidoo. “It would impact your reputation and brand as a cybersecurity leader. Given the recent case study of the Uber CISO being charged and sentenced to three years of probation – and several other high-profile cases like Target and Equifax where the executive leadership were removed or resigned post breach – this is becoming a serious concern for many CISOs and C-suite leaders.”
Doctor Mafuwafuwane, a veteran cybersecurity professional, and SIGCyber Committee vice-chair, says: “In most cases, it’s not one individual’s fault within the cybersecurity sphere. But at the end of the day, senior security managers and C-Level own the accountability. The attack environment is persistent with no psychological rest as security teams are never sure when an attack will arise – and cybersecurity teams are aware that the downstream effects of single negligence can affect millions of people.”
Always being on-call means cybersecurity professionals seldom rest, they add.
“Cybersecurity professionals are burning out, hackneyed, and in ‘always-on’ mode,” says Mafuwafuwane. “Not only is the number of attempts of cyberattacks growing worldwide, but human error is one of the major causes of data breaches in a company and the chance of a data breach for a phishing attack is only worsened when employees are burned out.
“Cybersecurity professionals deal with environments that are ‘active’ eight by five, but under threat 24/7, so we face an exceptionally high risk of burnout at all levels – from junior security engineers to the CISO.”
The nature of the work means less work-life balance and professionals often have to cancel personal plans to attend to cyber incidents, they say.
“I have had to cancel some of my plans a couple of times and it’s not unusual to hear those in the cybersecurity industry say that holidays and weekends are the most likely times to get a call for a vital incident,” says Mafuwafuwane. “We are constantly balancing that with nourishing time to recover and prevent burnout, which is essential.”
Naidoo adds: “As a leadership team, we are acutely aware of the risks of burnout for individuals and the organisation and we look out for the various symptoms.”
These symptoms include disengagement, characterised by “not showing up”, being late to meetings, and little to no active participation in meetings, project involvement, or social gatherings. Another symptom, lack of accomplishment, is characterised by not meeting key project deliverables and zero appetite to study.
“Symptoms also include health issues like insomnia and hypertension as well as physical, mental, emotional, and behavioural exhaustion,” Naidoo says. “These are not always easily identifiable and hence our individual team member meetings are key to surfacing issues. We also monitor high leave balances to ensure staff take time off.”
Veteran security professional, Grant Hughes, says: “I know of security professionals who have been unable to write any exams or attend conferences for the past two years because they are just too busy and overworked. People may become so busy that they start questioning the value or impact of cybersecurity efforts simply because there is a never-ending list of things to do. People also become more easily frustrated or irritated, even with minor issues. In my past experience, I have encountered individuals demonstrating impatience with colleagues or team members. The smallest things would trigger them. Reflecting back, they were overwhelmed and probably burned out. But at that time, we didn’t have a term for it.
“Neglecting self-care is a common early warning sign of burnout,” Hughes adds. “This could include ignoring personal well-being including exercise, healthy eating, and leisure activities. There is always a deadline and working late can easily become the norm. We see professionals close to burnout engaging in unhealthy coping mechanisms such as excessive caffeine or alcohol consumption. When you start moving to three-plus coffees a day – as well as energy drinks – then you know you are in the red zone.”
However, Hughes says: “There should be teams (or managed services) working 24/7 – with people on stand-by – to support them.
“If people who are not on stand-by are being pulled into things consistently after hours, it is a reflection of bad planning or lack of planning,” Hughes says. “For example, there should be a SOC operating 24/7. Each support team should have a stand-by person (who should not make family plans or go on vacation whilst on stand-by).”
Addressing these challenges, the security professionals pointed to skills development, managed services, and AI tools as potential solutions to the burnout problem.
Mafuwafuwane says: “There is a broad and deep ecosystem of security service providers that can support any range of cybersecurity capabilities – much more so than there were five years ago – in very cost-effective ways and these providers have relevant skills through shared model best practices.”
Naidoo says: “We have enhanced our talent continuity plans by introducing a formal mentorship programme to increase the competency of staff members at all levels. This is a long-term investment to also ensure that we give staff members the opportunity to identify mentors and coaches that they can work with over an extended period. In addition, we have had an internship programme since 2017, and that has certainly helped bring in young people and, more importantly, assist in reducing the skills shortage.”
Prof Thomson concludes: “Due to the cybersecurity skills shortage both in South Africa and globally, there is a lot of focus on encouraging people and students, in particular, to choose careers in cybersecurity – but are we doing enough to prepare them for the stresses and reality of what those careers entail? We must prepare students – our future cybersecurity professionals – not only with technical skills, but also with the resilience and mental fortitude to thrive in this demanding field.
“Ultimately, a healthier cybersecurity workforce will lead to stronger digital defences,” Prof Thomson says.