Worker with his head down on his desk, overworked and frazzled. There are scrunched up pieces of paper on the desk and he is holding a flag that reads 'Help!'
Image: © Brian Jackson/Stock.adobe.com

Is ‘overwork’ culture a problem for cybersecurity professionals?

16 Nov 2023

A small survey of cybersecurity employees by Centripetal found that 90pc checked in on work messages during their annual leave.

Cybersecurity professionals are indispensable nowadays – and that can be a double-edged sword. On one hand, cybersecurity is extremely rewarding and a great career for someone highly ambitious and dedicated to the vocation.

As Jess Parnell, CISO at cybersecurity company Centripetal puts it, getting ahead in the industry requires a certain personality. “Those who truly engage with and succeed in cybersecurity are usually very passionate people. In addition, cybersecurity is an exciting landscape, where the attack surface and state of play is constantly shifting.

“This can be addictive, particularly as the industry also offers mission-driven work, where protecting your organisation becomes less of a job and more of a calling.” And that’s where the downside of working in such a high-stakes, vocational job comes into play; it can be hard to switch off – literally and figuratively.

Hard to switch off

While more extensive research into this aspect of life in cybersecurity is required, Centripetal did carry out a small survey of 200 people on overwork culture. The company surveyed cybersecurity workers at various cybersecurity events in the UK and Ireland, including a recent industry conference called InfoSec World.

Although the sample size is small, some of the survey’s findings could potentially start a conversation about the prevalence of burnout among cybersecurity workers. The vast majority (90pc) of the 200 people surveyed said that they found it so difficult to leave work aside that they checked their emails, Slack and other forms of communication while they were on annual leave.

Almost one-third (32pc) said that their lives were interrupted by work matters every night, while 70pc said they were interrupted at least once a week.

An ongoing problem

This is not sustainable and it is not fair. But whose fault is it? The answer to this question is not a simple one, otherwise, the problem might be solved. Unfortunately, due to the shortage of cybersecurity professionals and the abundance of cyberattacks, there are simply not enough people to go around. According to Parnell, the problem lies in the lack of senior, experienced people.

“There is no shortage of people who want to start working in cyber,” he says. “Where there is a shortage is in more senior positions. This is because of people coming into the sector and expecting to walk into six-figure salaries, without gaining the relevant experience first.”

He adds that if new starters are willing to gain the experience they need to move on to more senior leadership roles, the sector will see “the existing demands on workers drop”.

Whose fault is it anyway?

But Parnell also thinks that part of the reason there is an overwork culture in the sector is “employee-driven as opposed to industry-driven”. Is the vocation really that strong or are employers taking advantage? Centripetal’s survey found that company loyalty was the main reason why many work such long hours. In fact, more people (46pc) listed company loyalty as their drive to work compared to factors such as increased cyberthreats (23pc) and inadequate staffing (16pc).

Undoubtedly, employees do need to learn to switch off and take the time off that they are entitled to. But the onus cannot be placed entirely on workers; employers need to acknowledge that they can’t put unfair expectations on people even if they are highly paid and enjoy their work. Parnell says companies experiencing skills shortages in cybersecurity can deploy tech to help mitigate cyberthreats and take care of mundane, repetitive tasks. They can also lead by example. “There is no silver bullet,” he says, but good management is the key to making sure cybersecurity teams aren’t overstretched.

“A good cybersecurity professional will want to follow everything to its natural conclusion, to the potential detriment of the employee from a burnout perspective,” says Parnell. “A good manager will be able to help them prioritise the things which are truly important and the things which do not need to be immediately actioned. Furthermore, the manager needs to be empowered to do so by a company culture which places a strong emphasis on employee wellbeing.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Blathnaid O’Dea
By Blathnaid O’Dea

Blathnaid O’Dea worked as a Careers reporter until 2024, coming from a background in the Humanities. She likes people, pranking, pictures of puffins – and apparently alliteration.

Loading now, one moment please! Loading