Burnout in the Security Industry
TASA ID: 10544
Stress and burnout are emerging as possibly the biggest threats to the security industry. Long hours, coupled with “alert overload” along with a perceived unfavorable opinion of business value are taking a toll on the industry. One of the reasons for this is that since security does not produce revenue it is considered a “cost center.” Security operations may negatively affect profitability and throughout the years have been considered a “necessary expense” of doing business. One of the ways good security was explained in the retail industry years ago was, what you don’t see on the monthly P & L (Profit and Loss Statement). Organizations tend to “forget” about security until something “bad” happens and many times, “bad” things happen because of security employee stress and/or security employee burnout. It doesn’t matter whether security is in-house or outsourced, burnout remains the same. Security is a profession that requires strict attention to detail and focused attention at all times. Many times, complacency will cause those working in the industry to miss important indicators or clues that there is a security issue. Accountability is a key factor. It doesn’t matter whether or not security personnel have limited security experience or are seasoned veterans, accountability in the security industry remains the same.
Many times, security policies and procedures are unclear, not specific enough or there is very limited training, so when security personnel complete a task or activity believing that they are operating within the scope of their job responsibilities, they find out later that they are being held accountable for a situation they were not trained to handle or a situation where they had no control over the outcome. This results in stress.
Stress is the bodily response to a pressure from a situation and there are three different types of stress:[1]
Acute Stress - The most common type of stress, resulting in a “fight or flight” response where symptoms disappear as soon as the stressor is gone.
Episodic Stress - When acute stress occurs regularly and a person does not have time to recover from the stressor, which can result in a lower overall tolerance of stress and increased sensitivity to stressors.
Chronic Stress - Long-term stress from situations where a person feels he or she does not have control over the outcome, potentially causing serious effects to mental and physical health.
Stress is common in the security industry. When a person encounters stress, the body produces a stress hormone to initiate a “fight or flight” response. Everyone experiences stress, but chronic stress can have a negative impact on a person’s mental health—especially if that person has an underlying health condition, such as anxiety, depression or another serious health issue. Chronic stress can also have a detrimental effect on problem solving, a skill that is critical for those working in the security industry. “Burnout,” a term that has been frequently used as a word for this stress, anxiety, and depression was officially recognized by the World Health Organization (WHO) in 2019 as an “occupational phenomenon,” not a medical condition. It is a syndrome that results from chronic workplace stress that is not successfully managed that is characterized by:
- Feeling drained of energy
- Distancing oneself mentally from his or her job and/or feeling negative or cynical toward one’s job
- Experiencing a reduction in one’s ability to do his or her job[2]
In a research study, both managers and front-line workers stated that they felt stress from:
- Unmanageable workload
- Career stagnation
- Constant interruptions
- Toxic culture
- Dated technology
Managers felt that the primary cause of burnout was stress from an unmanageable workload and front-line workers felt it was constant interruptions.[3]
Stress and fatigue can affect a security officer’s mental and physical performance, especially if the security officers or security professionals are assigned 12-hour, instead of 8-hour shifts. There is a labor shortage in the security industry – for both skilled security officers as well as IT security professionals. One research study found that there are approximately 300,000 cybersecurity positions in the US alone that are vacant.[4] This means additional work—and pressure—for those covering these positions. A global survey of 343 cybersecurity executives published in November 2017 by the Enterprise Strategy Group and the Information Systems Security Association found that almost 40% of those surveyed stated that the skills shortage was causing high rates of burnout and staff turnover.[5] The New York Times reported that Cybersecurity Ventures’ predicted that there will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions that were unfilled in 2014.[6]
Many times, security officers and other security professionals work double shifts because of poor scheduling or inadequate staffing. This leads to serious safety and security concerns because security officers, who are tired, stressed or generally burned out:
- React more slowly than usual
- Fail to notice things going on around them
- Respond incorrectly
- Show poor logic and impaired judgement
- Are unable to concentrate
- Are less motivated
- Are more forgetful
- Have a greater tendency for taking risks
- Have reduced motor coordination
- Have slower reaction time
- Have impaired or reduced alertness
- Lose cognitive and logical reasoning skills
- Are unable to process communications[7]
Sometimes, to offset fatigue and stress, security officers may rely on caffeine, from energy drinks or coffee in an attempt to increase their level of alertness, but these effects are short-lived and lead to accidents and possibly dangerous security situations. There is no substitute for adequate rest and time away from the job. Poor job performance is many times more apparent when tasks are repetitive, such as checking IDs or logging trucks in a vehicle gate, which are common security functions.[8] If a security breach occurs because of any of these reasons, the implications could be a life and death situation.
If stress becomes excessive, or if a person feels he or she has no control over the stressor, there can be lasting repercussions. Sometimes stress or pressure can be beneficial and help us get through difficult situations without negative effects, but only if that stress is short-term and we can return to a resting state. If the response to stress persists over time, the effect can cause a permanent state of “fight or flight” and can impact both physical and mental health. Security is not the only industry that is experiencing stress and burnout. First responders, such as the military, law enforcement and healthcare providers are also facing increased pressure in the course of their work.
One of the reasons that there is increased pressure for IT and cyber security professionals for this are that the stakes have risen dramatically. Hackers aren’t just taking an individual’s credit card info, but are targeting power grids, hospitals, manufacturing facilities and other critical infrastructure – all of which could have devastating repercussions. There are several reasons that IT and cyber security has escalating job stress – the systems are always under attack and there is no downtime. There is no specific start time or finish time. It is a constant non-stop situation that requires a hyper-alert state for extended periods of time. In the cyber security world, the stress simply never ends.[9]
Chronic stress can have negative impact on the immune, digestive and cardiovascular systems according to the National Institute of Mental Health (NIMH). Some people may experience mainly digestive symptoms, while others may have headaches, sleeplessness, sadness, anger, or irritability,” the NIMH said. “Over time, continued strain on your body from stress may contribute to serious health problems, such as heart disease, high blood pressure, diabetes, and other illnesses, including mental disorders such as depression and anxiety.”[10]
Professionals today feel the pressure of an ‘always on’ work culture, causing stress and may lead to burnout. In January of 2020, a Deloitte’s Marketplace Survey of 1,000 full-time US professionals found that:[11]
- 77 percent of respondents say they have experienced employee burnout at their current job.
- 91 percent of respondents stated that having an unmanageable amount of stress or frustration negatively impacts the quality of their work.
- 83 percent of respondents say burnout from work can negatively impact their personal relationships.
- 87 percent of professionals surveyed say they have passion for their current job, but 64 percent say they are frequently stressed, which goes against the myth that passionate employees are immune to stress or burnout.
- Nearly 70 percent of professionals feel their employers are not doing enough to prevent or alleviate burnout within their organization.
- 21 percent of respondents say their company does not offer any programs or initiatives to prevent or alleviate burnout.
Security operations professionals have an exceptionally high level of stress because of ransomware, phishing and social engineering, web skimming malware, supply chain attacks and brute forcing and credential stuffing.[12] Unfortunately, the security industry is measured the majority of the time by failure – in other words, when something goes wrong. When that is coupled with an industry that has to “keep secrets,” to keep information confidential, it leads to a toxic situation that leads to higher than normal levels of stress and job burnout.[13]
One single security incident may occur because of a simple oversight or a vulnerability that was overlooked or was enabled by a failure to promptly detect malicious activity in progress. In many cases, inexperienced, stressed or fatigued security employees are making these mistakes, but the results take a toll on the entire industry. An unfortunate security incident can harm the reputation of the organization, affect customer attrition and cost exorbitant legal fees. The Ponemon Institute for data center security estimates the average cost of a breach is now close to $4 million, so the decisions being made in a security operations center may have the most effect on the organization’s bottom line.[14]
The bottom line is that companies need to put emphasis on workplace culture. It’s interesting to note that one in four professionals say they never or rarely take all of their vacation days. We need to consider why this is happening. Leaders set the tone for the organization and it’s critical that a healthy workplace culture exists to have competent, productive employees who can effectively combat stress so that it doesn’t result in burnout. To do this, people should be at the center of the organization and communication should be a two-way street. Workers in the security industry need to feel valued for their contributions to the organization. If positive changes are to happen within an organization, change has to happen with the people, not to them. Security is a critical industry that requires people to be “present” and in control of forces that lead to burnout and cause people to leave the industry.
TASA Article Disclaimer
This article discusses issues of general interest and does not give any specific legal or business advice pertaining to any specific circumstances. Before acting upon any of its information, you should obtain appropriate advice from a lawyer or other qualified professional.
This article may not be duplicated, altered, distributed, saved, incorporated into another document or website, or otherwise modified without the permission of TASA and the author (TASA Id# 10524). Contact marketing@tasanet.com for any questions.
[7] Safety Smart! Fatigue and Safety, May 2014