Hack The Box: Cybersecurity Training
$626 Million: The true cost of burnout in cybersecurity

What’s the business impact of burnt-out staff? Our research surveyed over 2,000 C-level professionals to get a data-driven answer.

Hassassin, Oct 29, 2024

Hack The Box (HTB) recently commissioned an independent report with market research firm Censuswide to investigate the ramifications of burnout for financial performance and employee well-being.

The survey sample included 1,001 CEOs and executives, 1,207 CISOs, and other cybersecurity professionals in the US and UK. 

We found that CEOs and C-level executives generally estimated the cost of employee burnout at around $3 million per year. 

However, based on our findings, the real cost to productivity (which factors in the number of work days lost to poor mental health) is significantly higher:

$626 million in the US, and $130 million in the UK, every year.


$626 million is a big number. How did we get to it?

First, we asked CEOs in the UK and US to estimate their overall costs from burnout, including replacing staff, recruitment, overtime, and any other relevant associated costs. Our survey found that the majority placed their estimates in the $3-4 million range.

To build a more accurate picture of the true cost, we then began with two average figures. 

The average number of sick days staff take is 3.4 per year, and the average number of hours lost to poor productivity is 3.4 per month. This amounts to over 40 hours per year. 

From there, we used average salaries and team sizes to estimate the costs of sick time, working time, and recruiting or replacing staff. This highlighted a wide gap between C-level expectations and the actual cost of burnout in cybersecurity. 

Build your firewall against burnout 

The full report, Building a firewall against cybersecurity burnout, goes into greater detail on the methodology of the research and shares insights from security leaders on how to beat burnout from the ground up. 

There’s C-level disconnect on the criticality of burnout

Andrea Succi, CISO at Ferrari Group, shares that “the ‘always-on’ nature of the job, coupled with a global shortage of skilled cybersecurity professionals” means many are working long hours under scrutiny.

Intense workloads are an everyday reality for security teams. However, CEOs aren’t fully aware of the impact this has on staff morale. Our report found a gap between CISOs and CEOs regarding their level of concern about burnout. 


While 90% of cybersecurity leaders reported concerns about team burnout, only 73% of executives expressed similar concerns.

This points to a level of disconnection between executive teams and cybersecurity teams working overtime on the frontlines to defend business-critical environments.

Per the surveyed CEOs, there were a variety of reasons their cybersecurity employees worked over their contracted hours. The three most common responses chalked burnout up to the following:

  • An increase in the number of cybersecurity threats. 

  • The unpredictability of threats that occur after working hours.

  • Time for training extra skills.


Longer hours. Less vacation. Less well being 

Survey findings paint a sobering picture of work-related well-being for security professionals. Many admitted to working longer hours and taking fewer vacation and sick days due to intense workloads. 


About two-thirds of respondents (68%) said they were working 10-50 hours of unpaid overtime every week, and about a third (35%) said they had used fewer than 3 to 5 days of vacation time to help meet heavy workloads. 

But even more of them, 76% of the people we surveyed, reported calling out sick for their work-related well-being. This is also affecting people’s home lives: 12% of cybersecurity employees reported missing personal milestones, like commitments at their child’s school or family parties, due to demands at work.

According to ISC2, the global number of cybersecurity staff is around 5.5 million people, which means that this small statistic represents around 660,000 children having birthdays without a cybersecurity parent present.

Burnout-induced human errors lead to security breaches

Companies are not immune to the impacts of burnt-out cybersecurity teams. According to Statista’s 2023 research, 78% of UK CISOs agreed that human error was their organization's biggest cyber vulnerability.

Also in 2023, security data company Devo ran a study of 200 participants, which found that 83% of security professionals admitted burnout-induced errors within their department had led directly to a security breach.

As we learned earlier, these errors can cost companies a lot, and likely more than CEOs and board members may anticipate. For example, reports indicate that the WannaCry ransomware, which brought the UK’s National Health Service (NHS) to a grinding halt in May of 2017, cost the NHS around £92 million.

What can we do about burnout?

The burnout situation in the cybersecurity industry is dire, but it is not hopeless. There are some solutions to these problems, and our research points to two key recommendations: 

1. Provide the right teams, tools, and training 

If people lack clear roles and responsibilities, they may take on too much or leave tasks for other people.

If they lack the skills to use certain tools or address threats, they may be afraid to speak up.

If teams don’t have enough staff, people may need to work longer hours or skip vacations to complete their workloads. 

We recommend focusing on having the right people, tools, and training to enable security professionals to keep up with the threat landscape. And this requires acting on our second recommendation.

2. Connect the board with cyber 

Our survey revealed a stark disconnect between C-level executive teams and their cybersecurity teams. One way to mitigate this would be to include the CISO in boardroom conversations. 

Putting a cybersecurity expert connected to the IT and security teams in the room can give company leaders more perspective on security threats, unlocking the staff or training needed to address them. 

This in turn reduces the risk of unrealistic expectations, enables buy-in for security resources, and keeps the C-suite invested in security as a business-critical function. 

Recommended read: How CISOs can better connect with their boards.

Today’s cyber threats present a flux of new challenges to organizations. And unskilled, burnt-out teams pose a real risk to the security of your business. 

This is why cybersecurity performance programs and continuous improvement are no longer a nice-to-have, but a necessity.

A people-first approach to cyber performance

Cyber performance center by Hack The Box
  • Risk mitigation: Timely content offers training on the latest CVEs in real-world environments, reducing risk and exposure to these vulnerabilities.

  • Employee retention: Cybersecurity teams that are offered upskilling opportunities are far more engaged and less likely to burn out.

  • Performance benchmarking: Conduct CTFs and gap analysis to identify weaknesses in your security posture.

  • Tailored training to industry standards: HTB content is mapped to MITRE ATT&CK and NIST NICE frameworks so you can assess your cyber preparedness in different areas.

  • Boost organizational awareness: HTB can assess cyber readiness and performance company-wide with effective practices like tabletop exercises (TTXs) or nearly practical assessments designed for security staff and non-technical teams.
