Alert fatigue and private life disruptions are driving away cyber-security talent

A Q1 2023 study conducted by Opinium, an independent third-party research house, highlights the challenges that most concern IT decision-makers (ITDMs) in the United Kingdom. And while most of the problem areas will be familiar to those working in IT and cyber-security, the intensity of the pain and risk merits closer inspection.

Most of these challenges point in the same direction: a scarcity of expert (and expensive) human talent. But there are strategies to help businesses not only survive, but thrive in this environment.

First, a few of the top findings. Then we’ll talk about the good news.

1: UK ITDMs rate cyber-security third on their list of concerns, but those in IT-specific roles see it as the biggest problem

Business leaders in the UK have plenty to think about these days, including a cost-of-living crisis, the looming prospect of a recession, and high customer expectations. In addition, 50 per cent of all respondents highlighted security as a top challenge for 2023. Given their proximity to the daily activity of the security operations centre (SOC), it’s perhaps not surprising that IT departments see cyber-security as the biggest challenge they face.

2: UK organisations face tremendous security-related fatigue

In addition to investigating and researching alerts, responding to cyber-security incidents, and threat hunting, security teams are also charged with conducting cyber-hygiene training for employees, implementing and integrating new security tools and training themselves so they can stay abreast of the latest hacker tactics.

Unfortunately, they waste a huge chunk of time on low-priority alerts and false positives, leading to alert fatigue, which occurs when a constant barrage of alerts hits the SOC’s queue and the team either can’t deal with the volume or becomes desensitised to them. 

The result? Analysts either take longer to respond and investigate, or ignore the alerts completely.

Thanks to a major global talent shortage of 3.4 million security professionals, and representing an increase of more than 26 per cent over 2021, security teams are frequently understaffed. The outcome of this shortage: the job often infringes on workers’ private lives. 

How often? Ninety-three per cent of respondents say work related to IT management and cyber-security risk has forced them to cancel, delay or interrupt personal commitments. Thirty-four per cent say this happens all or most of the time, as do 43 per cent of IT team members and 38 per cent of CIOs/CTOs. (Many organisations, especially in the 250-1,000 employee tier, don’t have a dedicated security team, and in these cases the IT team is responsible for security operations.)

3: The resulting burnout threatens security and causes staff turnover

A 2021 report found that companies with 500-1,499 employees ignore or don’t investigate 27 per cent of all alerts. That figure is 30 per cent for companies with 1,500-4,999 employees.

From a risk perspective, this is obviously unacceptable. But alert fatigue also exacts a price in terms of the long-term health of the organisation and its people. Our report shows 61 per cent of all ITDM respondents and a whopping 70 per cent of IT and security pros say they or members of their teams have experienced burnout. (Those in the trenches – security and IT teams – report higher numbers than everyone else, suggesting the problem may be worse than company leaders realise.)

In the absence of internal remedies, the risk that workers will exit increases. In this case, respondents believe there’s better than a 50 per cent chance they’ll lose people in the coming year.

The survey question specifically says “cyber-security industry”, not company. If this means a shrinking of the available security talent pool, then it worsens the shortage problem noted above.

4: These problems are more pressing for companies with 250-1,000 employees

A few charts illustrate the issue.

• These teams are more likely to report excessive alerts

• They report a greater incidence of alert fatigue

• They’re more likely to experience work intrusions into their private lives

• They report higher rates of burnout

• And they’re more likely to predict burnout-related departures

Our CISO, Greg Notch, says companies in this segment are “big enough to have big company problems, but lack the structure and funding to build a security program sufficient to defend their enterprise.”

The folks trying to keep those programs afloat are understaffed, so they’re naturally burning out. Also, because they’re stuck doing repetitive work just to keep the lights on, it’s preventing their career growth into more strategic roles. So they leave to find those opportunities elsewhere. And it’s easy for them to do that because of the talent shortage.

But there’s hope

Above I promised good news. In an environment where there’s a dramatic talent shortage, it’s impractical to think all organisations can staff and effectively operate their own SOCs. (Not only are there simply not enough people, shortages drive compensation costs through the roof.)

Managed detection and response (MDR) addresses these problems. MDRs are fully-managed, 24/7 services staffed by experts who specialise in detecting and responding to a wide range of cyber-attacks, including phishing, ransomware and threat hunting. By marrying human expertise to advanced technologies, MDR analysts can detect, investigate, neutralise and remediate advanced attacks.

This obviates an organisation’s need for a large staff. The best MDRs spend a good bit of time researching the latest hacker tactics and developing advanced tools to process massive amounts of data and automatically sort signal from noise, meaning a company’s analysts see the important alerts, not all the alerts.

The list of benefits goes on, but the bottom line is that, for many organisations, MDR means broader, deeper, more sophisticated cyber-defence (and fewer headaches) for less money.

SOCs are under tremendous stress as they try to safeguard their organisations, and if CISOs and their teams feel overwhelmed the data illustrates why. If any of this sounds relevant for your business, we encourage you to review the full report and let us know your feedback.

By Chris Waynforth, Vice President/General Manager, EMEA, Expel