Sleep-deprived, overworked and fatigued security professionals pose huge risks to an organization
By Karl Sharman, Vice-President, BeecherMadden
Tired, overworked and fatigued employees pose huge risks to organizations. It seems obvious that when you’re tired you make fewer effective decisions. Decision fatigue is that effect, and in cybersecurity especially it can lead a person to avoid decisions or to lack self-control, which can lead to dangerous outcomes for organizations looking to protect themselves from external threats. Is this the new insider threat?
When I say new, that is not correct. In 2016, NIST did a study on this called ‘Security Fatigue’. This was mainly targeted at employees who were fatigued and having to remain vigilant with security decisions. However, there is a section in the study that looks at computer users feeling bombarded and overwhelmed by security, so much so that they experience decision fatigue. This outcome is no different to what security professionals experience within a security team on a daily basis.
Furthermore, Tessian in 2019 delivered extensive insight into decision fatigue within cybersecurity. They stated 92% of employees feel tired at work while 76% of those admit they make more mistakes when tired. Additionally, 91% of employees feel stressed, while 71% of those admit they make more mistakes when stressed. Alarming findings in a complex and evolving landscape.
The ever-present threats are taking their toll on budgets, staffing and ultimately health. Career burnout is a real and more common threat among cyber professionals, and the signs are there for us all to see. In our last study, 86% of people were looking to move jobs, or open to moving, for a better opportunity or a better working balance.
Currently, organizations are increasing responsibility and pressure without increasing pay. They are creating rigid and toxic environments and not accommodating those who are stressed or have negative feelings towards their role. As a headhunter, I find these organizations make it easier to attract candidates to other opportunities.
How do you identify it to avoid a culture and staffing crisis in one of your more important functions?
- Poor performance or productivity
- Inability to keep to commitments
- Cynicism or pessimism
- Lack of motivation
- Self-medication – such as drinking
- Disinterest or distraction
Not detecting these signs early can hit organizations at the bottom line. However, there are simple, effective methods in order to prevent these:
- Ensure employees are well fed
- Ensure employees are getting enough sleep
- Limit and simplify choices
- Have a process for making decisions and how to communicate these
- Create a culture where speaking out is ok
- Provide clear expectations to all employees and define what ‘good’ looks like
- Build the right working environment (breaks, working hours, flexibility, temperatures, lighting etc.)
If it’s a challenge, it can be changed. Basic changes can decrease risk to your organization and primarily your security team. Pressure, stress and fatigue are leading to worse sleep, affecting key employees involved in decision making. According to a variety of reports, the shortage of cybersecurity professionals will be 3.5 million within the next 2 years, and that is without considering the repercussions of this issue; the figure could easily double with people threatening to leave, and currently leaving, the industry. It is important to remember, the only recession within cybersecurity is sleep.