Sophos: Cyber Security Professional Burnout Is Widespread, Creating Risk for APAC Organisations
Many cybersecurity professionals with burnout in APAC have suffered in silence for years. However, a growing body of regional research, including a recent report from cybersecurity firm Sophos, is bringing attention to the extent, causes and impacts of the problem.
The Sophos report, The Future of Cybersecurity in Asia-Pacific and Japan, found burnout and fatigue are widespread, with nine out of 10 employees impacted on some level. Causes include a lack of resources and alert fatigue, often resulting in employee anxiety or disengagement.
Organisations surveyed in the report acknowledge that burnout and fatigue have contributed to lower team productivity, the success of some cyber attacks and employees choosing to seek new roles or leave the industry entirely. AI is named as one potential support in the future.
Burnout among cyber pros a known problem for years in APAC
Burnout in cybersecurity is a well-known problem. Andrew Pade, general manager of defence operations at the Commonwealth Bank of Australia, has said that since moving into cyber security at the Reserve Bank of Australia over two decades ago, many peers have left due to burnout.
Research in Australia and New Zealand in recent years has provided evidence of this problem:
- A 2023 study from Cybermindz and University of Adelaide of 119 cyber professionals in Australia found these workers scored higher on the burnout scale than the general population and, in some cases, exceeded the burnout faced by frontline health workers.
- Over half (54%) of Australian cybersecurity professionals admitted in Mimecast’s State of Ransomware Readiness report that cyberattacks have a detrimental impact on their mental health, and nearly a quarter (22%) were thinking of leaving their current role.
- A Lacework survey released in 2022 suggested a larger proportion (57%) of cyber pros in Australasia were either looking for new employers or considering leaving the industry; 87% who wanted to leave the industry cited burnout from workload as a reason.
The cyber security burnout problem was previously swept under the rug
Jinan Budge, head of Forrester’s security and risk research in the Asia-Pacific, has written that burnout in cybersecurity was discussed in “hushed and careful whispers” until 2018, but that the release of more studies had elevated the conversation in regional organisations.
Sophos survey shows problem is widespread and growing
The Future of Cybersecurity in Asia-Pacific and Japan survey, conducted by Technology Research Asia for Sophos, found burnout and fatigue in cybersecurity are widespread in the region. The problem was also found to be getting worse in 2024, not better.
- The survey found 85% of companies experience fatigue and burnout among cyber and IT professionals; 23% were experiencing the issue ‘frequently’ and 62% ‘occasionally’ (Figure A).
- Nine out of 10 (90%) companies stated burnout and fatigue had increased during the last 12 months, with 30% of companies saying they had increased ‘significantly’.
- Where employees were surveyed and responded directly, 90% of all Asia-Pacific cyber and IT employees said they had been negatively impacted by burnout and fatigue.
India among countries in the APAC region hardest hit by burnout
Burnout and fatigue are most prevalent in India, where 37% of organisations said the problem is ‘frequently’ experienced by employees, higher than the 23% regional average. India also had the highest rate (48%) of ‘significant’ growth in burnout and fatigue over the last year.
The main causes of burnout in the Asia-Pacific cybersecurity profession
There are five top causes of burnout in the region, according to the Sophos report (Figure B):
- A lack of resources available to support cybersecurity activities and staff.
- The mix of monotonous routine with challenging moments of activity.
- Growing pressure from boards and executive management in the region.
- Alert overload from a variety of cyber technology tools and systems.
- An increase in threat activity creating an ‘always on’ environment.
Burnout has consequences for individuals and organisations
Cybersecurity employees and organisations are both put at risk when burnout occurs. The Sophos report noted that, at a time of cyber skills shortages and an increasingly complex threat environment, employee stability and performance were important to safeguard organisations.
Individual cyber security performance degraded by burnout problem
Individuals feel a potent mix of guilt, apathy, detachment and anxiety due to burnout and fatigue. For instance, Sophos found 41% of professionals with burnout felt they were not diligent enough in their performance, and 34% felt heightened levels of anxiety if subject to a breach or attack.
In addition, 31% were feeling cynical, detached and apathetic towards cyber activities and duties, while 30% stated burnout and fatigue make them want to either resign or change careers. Further, 10% felt guilty that they could not do more to support cybersecurity activities.
Employers see reduced productivity, more breaches and staff turnover
Individual performance problems lead to risks for employers. Sophos found key impacts are:
- A loss of 4.1 hours per week among cyber and IT pros due to burnout and fatigue. The Philippines and Singapore experienced the biggest drag on productivity in the region due to the problem, logging 4.6 hours and 4.2 hours lost per week, respectively.
- Cybersecurity burnout or fatigue was identified as having contributed to, or been directly responsible for, a cybersecurity breach in 17% of organisations. In addition, 17% found the problem was responsible for slower response times to security incidents.
- About 23% of cybersecurity turnover was attributed by organisations to burnout and fatigue. A huge 38% of resignations were attributed to the problem in Singapore, while 28% of Malaysian organisations needed to ‘move on’ staff due to stress and burnout.
Employers responding to the cybersecurity burnout problem
Sophos’ research suggests that, on the whole, employers are not ignoring the growing burnout problem. Across the region, 71% of businesses surveyed said they had put in place and were actively providing stress counselling support services to IT and cybersecurity professionals.
This does not mean organisational cultures are always open to dealing with the problem. In Australia, only 40% of employees who raised the issue with their employer received a positive response, compared with 83% of employees in India and 73% in Malaysia.
Technology could have a role to play in combating professional burnout
The Sophos survey report said that, despite alert fatigue, technology has a strong future role to play. The report suggests improved automation and the use of a burgeoning suite of artificial intelligence cybersecurity solutions could help alleviate some aspects of the causes of burnout.
Sophos concluded that fatigue and burnout are critical issues with detrimental impacts on employees and company capabilities in the Asia-Pacific region.
“Reduced focus and higher levels of vulnerability, along with higher rates of cybersecurity and IT employee churn, are real problems for many organisations,” the report said.