Sophos has just launched the latest edition of its “Future of Cybersecurity in Asia Pacific and Japan” report, and unlike previous editions, which examined the traditional cybersecurity issues confronting businesses throughout the Asia Pacific, the focus of this brand new February 2024 edition is markedly different, dealing with the impact of burnout and fatigue on cybersecurity employees.

The detailed 22-page “The Future of Cybersecurity in Asia Pacific and Japan” report, released by global cybersecurity firm Sophos in collaboration with Tech Research Asia (TRA), has found that 86% of cybersecurity and IT professionals in Australia are impacted by burnout and fatigue – an alarming figure!

Even more glaring is the revelation that burnout is felt across almost all aspects of cybersecurity operations, with 30% of Australian respondents saying that feelings of burnout increased “significantly” in the last 12 months, and 43% of Australian respondents stating this burnout made them “less diligent” in their cybersecurity roles. Dangerously, 19% of Australian respondents identified that cybersecurity burnout or fatigue contributed to, or was directly responsible for, a cybersecurity breach, and 17% of Australian companies experienced slower than average response times to cybersecurity incidents.  

More information on the findings is below, but this led to an excellent opportunity – speaking with both John Donovan, the MD of Sophos in Australia and New Zealand, and Peter Coroneos, the founder of Cybermindz.org, the world’s first mental wellness program for cybersecurity professionals, who joined me to discuss the report and these findings in depth. That “fireside chat” is available immediately below, so please watch and read on!

So, what are the causes of cybersecurity burnout and fatigue?  

The five main causes of cyber burnout and fatigue in the report include:  

1) A lack of resources available to support cybersecurity activities 
2) The routine aspects of the role, which create a feeling of monotony  
3) An increased level of pressure from board and/or executive management 
4) Persistent alert overload from tools and systems   
5) Increase in threat activity and the adoption of new technologies that foster a more challenging, always on environment.  

And what is the impact of burnout and fatigue on cybersecurity employees?

The study revealed that, in Australia: 

  • 43% felt they are not diligent enough in their performance
  • 20% felt heightened levels of anxiety if subject to a breach or attack 
  • 29% experience feelings of cynicism, detachment and apathy towards cybersecurity activities and their responsibilities 
  • 22% stated it makes them want to either resign or change career (23% of all surveyed have acted on this and resigned) 
  • 9% feel guilty that they cannot do more in their role to support cybersecurity activities 

Aaron Bugal, field CTO at Sophos said: “At a time when organisations are struggling with cybersecurity skills shortages and an increasingly complex cyberattack environment, employee stability and performance are critical for providing a solid defence for the business. 

“Burnout and fatigue are undermining these areas and organisations need to step up to provide the right support to employees especially when, according to our research, 19% of Australian respondents identified that cybersecurity burnout or fatigue contributed to, or was directly responsible for, a cybersecurity breach.

“This Sophos and TRA report provides timely insight into organisational cyber stress and demonstrates that things need to change. Although there’s not a simple fix, an attitude adjustment would go a long way to define the right expectations around what it means to evolve into a cyber-resilient business. 

“Boards and executive committees need to drive change and demand responsibility from their deputised charges, in essence for better governance around cyber approaches. 

“However, they need to clearly articulate their accountability in developing and maintaining a plan because cybersecurity is now a perpetually interactive sport – and there needs to be a team that provides adequate coverage around the clock.”

So, what is the impact of cybersecurity burnout and fatigue on business operations?

There were four key areas where cyber burnout and fatigue had a direct impact on Australian business operations:  

1) Direct contribution to breaches: 19% of respondents identified that cybersecurity burnout or fatigue contributed to, or was directly responsible for, a cybersecurity breach.
2) Slower response times to cybersecurity incidents: 17% of companies experienced slower than average response times to cybersecurity incidents.
3) Lost productivity: Businesses are experiencing a productivity loss of 3.8 hours per week amongst cybersecurity and IT professionals, compared to 4.1 hours on average per week across APJ.
4) Resignations and employees moving on: Stress and burnout were directly attributed as a cause of cybersecurity and IT professional resignations in 23% of companies. Organisations also noted that, on average, 16% of them had “moved on” as a cybersecurity or IT employee due to cyber burnout leading to performance issues.

Sophos commissioned Tech Research Asia (TRA) to undertake research into the Asia Pacific and Japan cybersecurity landscape. This included a major quantitative component with a total of 919 responses captured from Australia (204 companies), India (202), Japan (204), Malaysia (104), The Philippines (103) and Singapore (102).  

Here’s a summary of the topics discussed in the video above:

– I started by introducing and welcoming John Donovan, a 30+ year veteran of the IT industry, and who joined the Sophos team as Managing Director for Australia and New Zealand in April 2019, and Peter Coroneos, who among many career highlights was the Chief Executive of the Internet Industry Association of Australia from 1997 to 2011, is currently the Global Ambassador for CyAN, the Cybersecurity Advisors Network, and is the Founder of Cybermindz.org, the world’s first mental wellness program for cyber security professionals to prevent and address burnout, and more. 

– Next, John Donovan introduced the report, noted you can download it here, and explained why the report is very different to its predecessors, in that it focuses specifically on the issues of burnout and the dangers this entails. 

– We then turned to Peter Coroneos to explain how Cybermindz.org was specifically created to deal with these issues in 2022, and how these issues have become more glaringly critical than ever.

– John then shared some of the report’s findings, and how they have changed the way Sophos itself operates in response. 

– Peter went into more detail on the results people experiencing the Cybermindz.org iRest protocol have had, the difference it has made to their lives, and how this has helped those people thrive in their roles and better mentor the next generation. 

– John discussed how the report isn’t just for awareness, but goes well beyond that in actually advising companies and helping them put these kinds of strategies into place, why tackling these issues in a smart, intelligent, caring, people-centric and results-driven manner is clearly vitally important, and the feedback the report has received.

– Peter then discussed the new programs Cybermindz.org has made available during February 2024, including a new CISO Support solution, specifically tailored for Chief Information Security Officers (CISOs) and cyber leaders confronting the daily risk of burnout, and where people can discover more for themselves.

– Peter and John then discussed what else we needed to know, and their final messages to the viewers, listeners and readers. 

– We ended by noting special CISO roundtables are planned in the not-too-distant future in Sydney and Melbourne, and that more information on these exclusive sessions would be made available soon!

So, please watch the video interview above, and check out the report for yourself!