To End Burnout, Cybersecurity Must Tolerate Failure

To kick off the 2024 Gartner Security & Risk Management Summit last week, Gartner’s vice president analysts, Christopher Mixter and Dennis Xu opened the three-day conference with an introduction to augmented cybersecurity with a focus on leaving the zero-tolerance-for-failure mindset behind. 

Mixter and Xu spoke to a fully packed main hall at the Gaylord National Resort & Convention Center near Washington, D.C. about Gartner’s approach to augmented cybersecurity, which goes beyond artificial intelligence, and the need for cyber resilience. 

“It is hard simply to survive amid the complicated operating environment you have to defend," Mixter began. “It gets even harder as budget growth starts to level off, and as the cybersecurity talent gap expands, both here in North America and all around the world. The talent shortage is a very real threat to companies and organizations worldwide. The number of cyber talent we need might as well be a billion for all that we’re going to solve in the near term.” 

Mixter emphasized cybersecurity organizations cannot simply spend or budget away the problem of talent, nor their resiliency. 

Xu asked the audience, “What prevents us from striving amidst complexity? Mindset. The mindset of zero-tolerance failure.” 

Related:10 Ways to Boost Cybersecurity Talent Retention

The premise of Mixter’s and Xu’s presentation centered on the liability that this type of mindset has within cybersecurity organizations, because this mentality fuels burnout and a lack of sustainability amongst the workforce. 

Though preventative investments are important and part of the solution to cyber threats and attacks, it’s not a holistic approach nor a cure-all. Data from Gartner indicates that there is an increase in the impact and frequency of breaches, specifically in Canada and the United States. In 2023, there were 3,205 reported data comprises in the US, a 72% increase over 2021, their data shows. The volume of successful cyber attacks continues to expand as well. 

To thrive, “we need highly mature sustainable response and recovery capabilities,” Mixter suggested. Per Gartner’s Cybersecurity Controls Assessment, which surveyed roughly 500 organizations, response and recovery ranked the highest priority, even ahead of protection as Xu noted. Conversely, response and recovery “have the largest gap between priority level and desired level of maturity,” Xu explained. 

According to Mixter, underinvestment in response and recovery is a result of the zero-failure mindset, and that underinvestment “is driving cybersecurity teams into the ground.”

Related:How CISOs Can Contend With Increasing Scrutiny from Regulators

“62% of cybersecurity leaders have experienced burnout at least once in the past year,” Xu shared according to Gartner. “You all are doing good work, but you shouldn't have to be heroes.”

This sentiment was central to the keynote presentation and the conference at-large. Cybersecurity organizations must develop a culture of sustainability and resiliency without compromising their workforce, particularly because potential cyber attacks are inevitable. 

photo by Ijeoma Nwatu

Xu offered a definition of augmented cybersecurity: to sustainably defend the organization and to elevate response and recovery to equal status with prevention. Augmented cybersecurity organizations identify with the following characteristics:  

Beyond building and maturing into an augmented cybersecurity organization, Mixter and Xu touched on generative AI and its impact, which Gartner monitors with its radar tool across different categories. 

Other ways and areas to encourage cyber fault tolerance is the involvement of third parties including vendors. Building competencies in response and recovery across multiple areas of your business processes and within an organization is essential. Additionally, hiring specialists with technical expertise can make the difference between containing an emergency and allowing it to consume your organization. 

Related:‘They’re Coming After Us’: RSA Panel Explores CISO Legal Pressure

The analysts recommend using GenAI to develop efficiencies and to determine the fewest technologies to observe, defend, and respond to threats. 

In pursuing augmented cybersecurity, treat resilience like a true competency. One organization, an Australian nonprofit called Cybermindz, supports mental health professionals in the cyber community. They have programs and courses to address burnout and psychological well-being. Part of building resiliency is redesigning work to reduce burnout and one way to change the workplace is via employee feedback and engagement.