Staff burnout: a legitimate threat to CNI security

Scott Nicholson, Co-CEO at Bridewell Consulting, takes a detailed look at the employee burnout crisis and the steps to tackle it.


This is a contributed article by Scott Nicholson, Co-CEO at Bridewell Consulting.

From the likes of hospitals and energy grids, to transport lines and water providers, any country’s Critical National Infrastructure (CNI) is essential to day-to-day life. However, Bridewell’s latest research has found that nearly half of IT professionals in the CNI sector are suffering from unsustainable stress, pushing them to the point of burnout. The research also found that 41% have been absent because of burnout, 32% are looking for another job and 28% have resigned.

There appear to be a number of drivers contributing to this burnout. These include a growing number of cyber attacks, increases in cyber security compliance, greater interconnectivity of systems, understanding new technologies, and the need to support more cyber assurance activities. This highlights the need for the right skills and knowledge to protect CNI organisations.

These findings are especially significant because the CNI sector is dealing with escalating cyber threats, and its IT people need to be at the top of their game to mitigate them.

The growing cyber threat

According to CNI organisations, their top three threats are cyber attacks, malware, and physical security risks. In the UK’s CNI sector alone, 86% of organisations have detected cyber attacks in the last 12 months and 93% have experienced at least one successful attack in that time.

Notable attacks in recent months include the Verkada breach, which exposed the feeds of 150,000 security cameras, including in hospitals, schools, police stations and prisons. British energy provider Npower was also the victim of an attack that saw customer accounts breached through compromised credentials.

CNI attacks could be orchestrated by a range of different perpetrators, from lone hackers simply doing it for fun to political hacktivists and nation states waging cyber warfare.

The consequences of these attacks can put public safety at real risk, including the threat of loss of life. Global CNI organisations need to consider rising external threats and how the internal threat of staff burnout might be impacting their security posture.

Mitigating the burnout threat

Reducing the number of IT and security employees experiencing burnout is a time-sensitive issue for CNI organisations. The importance of having the first line of defence fighting fit cannot be overstated. The majority (84%) of organisations agree the UK’s CNI industry will be impacted by a critical cyber security skills shortage in the next three to five years, so finding cover for staff who have resigned or are taking time out will present further headaches.

It’s clear that more needs to be done to alleviate the pressure on CISOs and their teams. Without greater investment, organisations’ security could suffer significantly. More needs to be done not only to attract skilled workers to the industry, but also to support existing workers and new joiners. With these findings in mind, there are steps CNI organisations can take to tackle the burnout crisis.

Being able to spot the signs of burnout is increasingly important for organisations to support their security professionals and provide the right assistance. Irritability and fatigue, a negative attitude, disengagement or absenteeism can all be hallmarks. Managers should ensure that volunteer mental health officers can provide the outlet for concerns to be discussed.

Allowing as much flexibility as possible in the working day, such as encouraging regular breaks throughout the mornings and afternoons and varying working hours, can also play its part in preventing burnout. In times of pressure, allowing staff to take a step back for even ten minutes can help them to gather their thoughts and reduce the feeling of being overwhelmed.

An outsourced approach can also help CNI organisations fill gaps in depleted teams. Bringing in external consultants who have expertise in CNI security can help to plug the gaps quickly and effectively, in turn mitigating the additional security risk caused by a lack of staff or poor wellbeing. By lightening the load on the rest of the team in this way, their own wellbeing can improve.

When it comes to hiring, a common mistake is searching for someone who ticks every box. This means passionate and talented individuals who could be upskilled are often overlooked. One way to help alleviate the skills gap is to invest in training. Of course, not every CNI organisation has the resources or expertise to perform this vital training in-house. This is another area where the external consultant can help, upskilling promising new starters as permanent team members.

Helping IT and security teams reset

Burnout presents CNI organisations with an internal threat that must be addressed. By enlisting external expertise, organisations benefit from the experience and support of trusted advisors who can both fill the gaps in resource and provide crucial training to existing staff. What’s more, valued employees who are approaching burnout and considering leaving the organisation will recognise that the company has invested in supporting and developing them in their role, which can inspire a change of heart.