In 2024, cybersecurity burnout is back—but blame management

Anyone work in cybersecurity during the first outbreak of COVID-19? Perhaps you’ve blocked it out, and we wouldn’t blame you. After all, the rise of COVID-19 cases led to another unprecedented outbreak—chronic burnout in cybersecurity teams across the globe.

And now, according to RSA Conference’s Executive Chairman, Dr. Hugh Thompson, cases of burnout are spiking all over again in cybersecurity professionals.

“During Covid in 2021, you had to pivot what you were doing—moving from a slogan of zero trust to actually making that work,” Dr Thompson said during his opening keynote at RSAC 2024. “It was a stressful time for everyone, but especially for cybersecurity.

“We saw levels of burnout go back down to a steady state in 2022 and 2023, but now they’re going back up for different reasons.”

• The reason for burnout? The stress of reporting
• Too much faith in “management” is also a theme of 2024
• AI has left no cybersecurity domain untouched in 2024
• The solution to burnout? Rely on your cybersecurity community
• More news from RSAC 2024

“In submissions we’ve received, we’ve seen words like ‘ransomware’ tied to burnout, and that’s completely understandable,” Dr. Thompson said. “However, we’re also seeing words like ‘liability’ and ‘reporting.'”

He said that when a cybersecurity incident occurs, practitioners are suddenly at odds between their business obligations to record the crisis and actually putting the fires out.

Dr. Thompson also said being a cybersecurity professional is often like being a lighthouse keeper, shining a light in dark places and preventing ships from running around. However, prevention is not always recognized by organizations.

“Every day, [cybersecurity professionals] prevent something terrible from happening. And if it happens, [they] respond . . . and understand the importance of it. The problem with prevention is you don’t get celebrated. . . . Nobody makes you a cake and says, ‘Congratulations, you prevented 917 compliance violations today!' It doesn’t happen . . . and that can be very difficult.”

It might sound bizarre to say cybersecurity professionals have too much trust in something, given the discipline takes a zero trust approach on nearly everything. But apparently, the word “management” has a dulling effect on experts, according to Dr. Thompson.

“There’s a nuance around risk management, and this has been around a long time. What we’re seeing is when a new threat enters the ecosystem, the firs- year people like to talk about it, discuss the different nuances of it, and you see a framework. Then, you see SBOMs get introduced.”

After this, everyone gets lulled into a false sense of security. People feel the problem has gone away, but it still remains.

“You get terms like software supply chain security . . . and the term gets augmented by management. The following year, the volume of submissions goes way down. Have you solved the problem? No, but we feel like we have because we have words like management and framework associated with it.”

“We’ve had AI as part of the RSA program for many years, but it’s technically been the application of machine learning. In 2024, it’s everywhere, in every discipline, always present.”

Dr. Thompson said RSA speakers in 2024 tended to fall into two groups: those who were excited about using AI for cybersecurity enhancement, and those who were trying to stop their organizations from sinking themselves by using it.

“There’s definitely one group of people who are asking, ‘Can I use LLMs to do what I do better?’ The second is looking at the business applying tech at an unbelievable pace . . . and wondering, ‘How do I know if I’ve got the right compensating controls? How do I know this new evolving risk . . . is actually under control?’”

Dr. Thompson said while individual cybersecurity professionals may be smart, as a community they are wise, and relying on each other is the key to tackling burnout and the challenges of AI.

“All the things we face in cybersecurity . . . are actually possible to overcome through community,” he said. “Community unlocks possibility. People can get overwhelmed and stall, but a community can endure and thrive. Individuals are strong, but as a community we are formidable.”

Dr. Thompson said with over 40,000 cybersecurity professionals from all over the world at RSA Conference 2024—from more than 130 countries—it was a special opportunity for professionals to help each other overcome these challenges.

“Everyone here is so open and willing to share with each other. That’s what this program—this week—is all about. The theme of RSAC this year is about ‘The Art of Possible.’ It’s meant to inspire hope, but serves as a warning that we should never underestimate what is possible by our adversaries.

“I hope this week is an understanding you are not alone. You are not like that isolated lighthouse keeper, but you do shine a light. You are a beacon in this space. This is your source of strength. It is this community that can allow you to get past the hard problems. Each of you shines a light in a dark place, and without you, some ships would run aground.

“And if something does happen despite our best efforts, and you hit a reef, there will be others in the community waiting somewhere near a row boat, with oars ready, to get into the ocean and help you.”

Want more news from RSA Conference 2024? Check out these blog posts:

• The future of cybersecurity teams? 4 digital staff for every human
• Top cybersecurity trends of 2024, according to Google research
• RSA Conference 2024: The future of AI security