Many burned out cybersecurity professionals in APAC have suffered in silence for years. However, a growing body of regional research, including a recent report from cybersecurity company Sophosis drawing attention to the scope, causes and impacts of the problem.
Sophos' report, The Future of Cybersecurity in Asia-Pacific and Japan, found that burnout and fatigue are widespread with nine in 10 employees affected at some level. Causes include lack of resources and alert fatigue, which often results in employee anxiety or disengagement.
Organizations surveyed in the report acknowledge that burnout and fatigue have contributed to lower team productivity, the success of some cyber attacks, and employees choosing to seek new roles or leave the industry entirely. AI is mentioned as a possible support in the future.
Burnout among cyber professionals is a known problem for years in APAC
Cybersecurity burnout is a well-known problem. Andrew Pade, general manager of defense operations at the Commonwealth Bank of Australia, has said that since he joined cybersecurity at the Reserve Bank of Australia more than two decades ago, many peers have left due to burnout.
SEE: Ransomware is affecting not only data but also the physical and mental health of IT professionals.
Research conducted in Australia and New Zealand in recent years has provided evidence of this problem:
- A 2023 study by Cybermindz and the University of Adelaide of 119 cyber professionals in Australia found that these workers scored higher on the burnout scale than the general population and, in some cases, exceeded the burnout faced by frontline healthcare workers.
- More than half (54%) of Australian cybersecurity professionals admitted to Mimecast Ransomware Readiness Report that cyber attacks have a detrimental impact on their mental health, and almost a quarter (22%) were considering leaving their current role.
- TO Lace survey published in 2022 suggested that a higher proportion (57%) of cyber professionals in Australasia were looking for new employers or considering leaving the industry; 87% of those who wanted to leave the industry cited burnout due to workload as the reason.
The issue of cybersecurity burnout had already been swept under the rug
Jinan Budge, head of risk and security research at Forrester in Asia-Pacific, has written that cybersecurity burnout was discussed in “quiet, careful whispers” until 2018, but that the publication of more studies had elevated the conversation in regional organizations.
Sophos survey shows problem is widespread and increasing
He The future of cybersecurity in Asia-Pacific and Japan A survey, conducted by Technology Research Asia for Sophos, found that cybersecurity burnout and fatigue are widespread in the region. It was also found that the problem will get worse in 2024, not better.
- The survey found that 85% of companies experience fatigue and burnout among IT and cyber professionals; 23% experienced the problem “frequently” and 62% “occasionally” (Figure A).
- Nine in 10 (90%) of companies said burnout and fatigue had increased over the past 12 months, with 30% of companies saying increases had increased “significantly”.
- When employees were surveyed and responded directly, 90% of all Asia-Pacific IT and cyber employees said they had been negatively affected by burnout and fatigue.
India among APAC countries most affected by depletion
Burnout and fatigue are most common in India, where 37% of organizations said the problem is “frequently” experienced by employees, higher than the regional average of 23%. India also had the highest rates (48%) of “significant” growth in burnout and fatigue over the past year.
Top Causes of Burnout in the Asia-Pacific Cybersecurity Profession
According to the Sophos report, there are five main causes of burnout in the region (Figure B):
- Lack of available resources to support cybersecurity activities and personnel.
- The mix of monotonous routine with challenging moments of activity.
- Increasing pressure from boards of directors and executive management in the region.
- Alert overload from a variety of cyber technology tools and systems.
- An increase in threat activity that creates an “always on” environment.
Burnout has consequences for individuals and organizations
Both cybersecurity employees and organizations are at risk when burnout occurs. The Sophos report noted that at a time of cyber skills shortages and an increasingly complex threat environment, employee stability and performance were important to safeguard organizations.
Individual cybersecurity performance degraded by burnout problem
People feel a potent mix of guilt, apathy, detachment, and anxiety due to exhaustion and fatigue. For example, Sophos found that 41% of professionals with burnout felt they were not diligent enough in their performance, and 34% felt higher levels of anxiety if they were the target of a breach or attack.
PREMIUM: Download these tips to avoid IT burnout.
Furthermore, 31% felt cynical, distant and apathetic towards cyber activities and duties, while 30% stated that burnout and fatigue made them want to resign or change careers. Additionally, 10% felt guilty for not being able to do more to support cybersecurity activities.
Employers see reduced productivity, more violations and employee turnover
Individual performance problems create risks for employers. Sophos found that the key impacts are:
- A loss of 4.1 hours per week among cyber and IT professionals due to burnout and fatigue. The Philippines and Singapore experienced the biggest drag on productivity in the region due to the issue, recording 4.6 hours and 4.2 hours lost per week, respectively.
- Cybersecurity burnout or fatigue was identified as contributing to or directly responsible for a cybersecurity breach in 17% of organizations. Additionally, 17% felt the issue was responsible for slower response times to security incidents.
- Organizations attributed around 23% of cybersecurity turnover to burnout and fatigue. A whopping 38% of resignations were attributed to the problem in Singapore, while 28% of Malaysian organizations needed to “handover” staff due to stress and burnout.
Employers Respond to Cybersecurity Burnout Issue
Sophos research suggests that employers are generally not ignoring the growing problem of burnout. Across the region, 71% of companies surveyed said they had implemented and were actively providing stress counseling support services to IT and cybersecurity professionals.
SEE: How the CBA manages cybersecurity in an era of “infinite signals.”
This does not mean that organizational cultures are always open to addressing the problem. In Australia, only 40% of employees who raised the issue with their employer received a positive response, compared to 83% of employees in India and 73% in Malaysia.
Technology Could Play a Role in Fighting Burnout
The Sophos survey report states that despite alert fatigue, technology has an important role to play in the future. The report suggests that better automation and the use of a growing set of AI cybersecurity solutions could help alleviate some aspects of the causes of burnout.
Sophos concluded that fatigue and burnout are critical issues with detrimental impacts on employees and business capabilities in the Asia-Pacific region.
“Narrowing focus and higher levels of vulnerability, along with higher rates of cybersecurity and IT employee turnover, are real problems for many organizations,” the report says.
