The most stressful aspects of being a cybersecurity professional

Talk with any cybersecurity professional, and you’re sure to hear them talk about the challenges they’re up against. What stresses them out the most? Keeping up with the security needs of new IT initiatives.

That’s according to a third annual research report, The Life and Times of Cybersecurity Professionals, recently published by ESG and the Information Systems Security Association (ISSA). (Note: I am an ESG employee.)

Here are details from that report:

• 40% of respondents said one of the most stressful aspects of a cybersecurity career is keeping up with the security needs of new IT initiatives. So, the IT team is busy moving workloads to the cloud, deploying IoT devices, or writing new mobile applications, driven by new business initiatives. Unfortunately, the cybersecurity team often lacks the appropriate technical knowledge and must play catch-up on understanding risks associated with changing business processes. This is a risky situation.
• 39% of respondents said one of the most stressful aspects of a cybersecurity career is finding out about IT initiatives/projects that were started by other teams within my organization with no security oversight. OK, take the previous scenario around keeping up with IT initiatives and throw in the element of surprise. Think about when a marketing executive announces, “We’ve decided to share sensitive customer data with a third party that specializes in customer profiling and analysis. We started this project three months ago.” Now, the CISO must figure out how to safeguard the data after the fact. Pretty darn stressful. 
• 38% of respondents said one of the most stressful aspects of a cybersecurity career is trying to get end users to understand cybersecurity risks and get them to change their behavior accordingly. Yes, most large organizations do security awareness training, but it’s treated as a check-box exercise only. Since people are a weak link in the security chain, most organizations don’t push cybersecurity education far enough, leading to a stressful work environment and big cybersecurity problems.
• 37% of respondents said one of the most stressful aspects of a cybersecurity career is trying to get the business to better understand cyber risks. I have good news and bad news here. The good news is that we are on the cusp of a new class of proactive risk management tools from vendors such as Kenna Security, Rapid7, RiskLens, RiskSense, and Tenable Networks that can monitor and report on cyber risk in real time. This class of technology will help CISOs and business executives make data-driven and timely risk mitigation decisions. The bad news is that too many companies still view cybersecurity as a necessary evil and really don’t care to better understand cyber risk. Cybersecurity professionals working at this kind of organization should address job stress by simply moving on.
• 36% of respondents said one of the most stressful aspects of a cybersecurity career is trying to keep up with the growing workload. There’s that pesky cybersecurity skills shortage again. Certainly, there are things that can be done here – technology integration, process automation, and managed services come to mind – but this is a societal issue that the public and private sector must deal with collectively.

The ESG/ISSA research report is available for free download here. Your feedback is most welcome.