Technology Now

In this episode we are looking at a growing issue in the tech field: Burnout among cyber security professionals.
A report shared by the Information Systems Audit and Control Association shows that 51% of people working in cyber security may leave their job in the next year because of stress.

But it's not just the stress of protecting organisations that is having an effect on people’s mental health in the sector.

It’s an area that led today's guest, cyber security expert Peter Coroneos, to set up - a not-for-profit to help address and prevent burnout in the cybersecurity industry.

This is Technology Now, a weekly show from Hewlett Packard Enterprise. Every week we look at a story that's been making headlines, take a look at the technology behind it, and explain why it matters to organizations and what we can learn from it.
Do you have a question for the expert? Ask it here using this Google form:

About the expert:

Sources and statistics cited in this episode:
ISACA report :
Statistics on the cyber security workforce:
Global spending on cyber security:
Study into the mental health of cyber security professionals:
3D printed ‘skin’ sensors:

Creators & Guests

Aubrey Lovell
Michael Bird

What is Technology Now?

HPE news. Tech insights. World-class innovations. We take you straight to the source — interviewing tech's foremost thought leaders and change-makers that are propelling businesses and industries forward.

Aubrey Lovell (00:10):
Hey, friends, and welcome back to Technology Now, a weekly show from Hewlett Packard Enterprise, where we take what's happening in the world and explore how it's changing the way organizations are using technology. I'm your host, Aubrey Lovell, and in this episode we are looking at a growing issue in the tech field, burnout among cybersecurity professionals. A report shared by ISACA, the Information Systems Audit and Control Association, shows that 51% of people working in cybersecurity may leave their job in the next year because of stress. That's a significant number when you consider there were 5.5 million people working in cybersecurity worldwide in 2023, according to figures from the International Information System Security Certification Consortium. We've linked to all those stats in the show notes.

So, why are so many cybersecurity professionals feeling the strain and how can organizations look after the people who have carried the burden of responsibility for our safety? Well, if you are the kind of person who needs to know why what's going on in the world matters to your organization, this podcast is for you. And if you haven't yet, subscribe to your podcast app of choice so you don't miss out. This is a really important discussion, so let's get into it.

Figures from research body Statista show the global spending on cybersecurity services has come close to doubling in the last eight years, going from 53.46 billion to 92.91 billion, but the amount spent on cybersecurity doesn't come close to the amount of money lost to cybercrime, which is set to reach $9.22 trillion by the end of 2024 according to those same statistics. To give you an idea of just how huge that is, if cybercrime were a country, it would have the third-largest economy in the world behind the U.S. and China. So, the role of a cybersecurity expert is more important than ever and with that context comes pressure. The threat of burnout for people in cybersecurity isn't helped by its rapid growth as a field. The ISC2 report we mentioned earlier revealed a gap of almost 3.5 million more jobs than workers in 2022.

An independent study into the mental health of cybersecurity professionals by an employment agency found that almost two thirds say their stress levels had increased over the last year. All that to say, burnout is a very real issue in cybersecurity, but it's not just the stress of protecting organizations that is having an effect on people's mental health in the sector. Like any of us, recognition plays a big role in how valued we feel when it comes to doing our jobs. It's an area that led today's guest, cybersecurity expert, Peter Coroneos, to set up, a non-for-profit to help address and prevent burnout in the cybersecurity industry.

So, Peter, how much of a problem is burnout amongst cybersecurity professionals?

Peter Coroneos (03:15):
I think it's a lot bigger than people realize. In particular, we've been seeing conference presentations where more attention is being brought to this issue of burnout in cybersecurity, but I would say that outside of the cyber profession, the problem is still underrecognized and, more importantly, the consequences of not addressing the problem are fully under appreciated.

Aubrey Lovell (03:42):
So, is the scale of potential damage affecting cybersecurity professionals, like the thought that if they make a mistake, it could potentially cost a firm billions?

Peter Coroneos (03:51):
Absolutely. I think cybersecurity professionals that we talk to, and we talk to a lot, are acutely aware of the burden that they carry in respect of the mission that they're trying to fulfill. Invariably, it's beyond the pay. It's more about this overarching sense of protective instinct to help secure the organization, to secure the customer data, to secure ultimately society at large. I think everyone in cyber at one level or another is acutely aware of the value that they bring, although that is very often not recognized. I think that in itself is a contributor.

Aubrey Lovell (04:34):
Just how badly are people affected in terms of the numbers? Is this rife or is it people at certain levels who feel it the most?

Peter Coroneos (04:42):
It's widely recognized that there is a major skill shortage within cybersecurity across jurisdictions and internationally. What we are seeing is up to 85% of participants saying that they anticipate that at some stage they're going to leave unless they can get their burnout addressed, and 24% say that they would leave cybersecurity entirely. So, this is within the context of a net deficit in skills. Those numbers came from a study by the Wakefield group in 2023, and 77% of those that were surveyed said that stress is impacting their ability to keep customer data safe, and that 83% said that burnout has contributed to errors that have ultimately led to a breach, so a burnout within their own teams or within themselves. These are quite worrying statistics. 45% of that same survey group said that their leadership was not proactive in addressing burnout, so they're not feeling a great deal of support.

We've been doing our own research since 2022 in this field, specifically around the question of burnout. And what we're doing is we are mapping the three dimensions of burnout being emotional, exhaustion, the sense of cynicism or disconnectedness with the job. And the third dimension is professional efficacy metric, that sense of, "How well do I believe I'm doing in my own work?" We found that in the measure of, "How well do I believe I'm doing in my job", which by the way of those metrics is the one that predicts resignation intent, cybersecurity workers are doing worse than frontline healthcare workers. So, going back to the recognition within the profession, this is a problem, but I think the real message to be gleaned from these numbers, from this research is that society really needs to sit up, and pay attention and to realize that these people that have dedicated their careers, their lives to defending society really need help.

Aubrey Lovell (06:52):
Where is the stress and burnout coming from? Is it from that responsibility? Is it from a lack of understanding from others around what exactly it entails, the pressure from management and boards? What are the different factors you see contributing to burnout?

Peter Coroneos (07:08):
The obvious one is, as we mentioned, the burden that they sense that they carry in having this job of protecting infrastructure, protecting data, protecting the organization from cyber attacks at a time when the attackers themselves have diversified, they've deepened their skills, they're collaborating with each other. So, you've got this real asymmetry between the capacity of individuals to defend against an attacker network that is universal. It's everywhere and it's nowhere, very hard to identify who's attacking you. So, there was this sense of, if I fail once, then that could be an existential risk to the organization, but when I succeed day in, day out, nobody notices. We're not getting the recognition because we can't really demonstrate what success is other than we didn't get hacked today.

In addition to that, we obviously had the pandemic where workforces were having to be remotely relocated outside of the traditional corporate security perimeter. We saw massive increases in phishing attacks. The ransomware phenomenon has continued to increase. Also, we're seeing increased regulation on organizations by governments, but, unfortunately, we think there's some unintended consequence there, where, with every increase in regulation, the pressure increases on the cyber teams that they better not fail. And of course, what happens is that as people burnout and leave, then that tends to increase the pressure on those remaining behind. So, you end up in a bit of a downward spiral.

Aubrey Lovell (08:52):
You say people are quick to point the finger of blame, but nobody applauds the good work people in cybersecurity are doing on a daily basis. Do you think there needs to be a change in the mindset of organizations towards professionals in cybersecurity? And if so, how do we go about doing that?

Peter Coroneos (09:09):
Yeah, I think blame is a very pernicious express of a lack of understanding within leadership of just how difficult these roles are. Often, the question's put to the CISO, "Are we safe?", but really the question should be, "Are we aware of our risks and are we adequately prepared to respond to them?" To which a good CISO would also say, "Well, yes." Or, if no, "This is what we need to do to actually improve that dynamic." So, I think blame is a very dangerous, and unhelpful and really uninformed response to a cyber breach, particularly when the CISOs are constantly trying to explain to the leadership the challenges that they face. It's fair to say that there is still largely a disconnect that CISOs report between their capacity to communicate to the board that the actual situation that they face versus the degree of understanding and support that they get back in return.

So, I think that is really an important part of the dynamic that we don't see in the other professions is basically it breaks down to two types of people, the ones that leave work at the end of the day and are unable to switch off, but equally they find that there are a number of people within the profession that have been there 10, 20 years, have developed some inbuilt mechanism to actually switch off when they need to switch off when they walk away from the job at the end of the day. I think that's the area that we need to do more work in within cybersecurity, so that we can start to not only educate the practitioners, but also to equip them with what we term the neurological resilience, the internal resilience that gives them the ability to work within these challenging circumstances, but to not take it personally, not to take it on as a burden that they can't release themselves from at the end of the day.

Aubrey Lovell (11:11):
Thanks, Peter. This is such an important conversation to have and I'm glad that we're doing it, so thank you so much.

We'll be back with Peter Coroneos to talk about the risk of burnout in cyber professionals and how to prevent it after this.

Okay, so now it's time for Today I Learned, the part of the show where you and I get to find out something exciting and new we can use as an icebreaker next time we're at a conference. And today, we are looking at an advancement, which is not only bringing robotics closer to mimicking human touch, it's also making it quite affordable. Researchers at a university in the U.S. have developed a 3D-printed sensor for robot arms that has the feel of human skin. Professor Joohyung Kim is the man behind the 3D-printed pads, which he says function as soft skin for robotic arm and pressure-based mechanical sensors. The pads have airtight seals which react when touched just like a balloon shifts its skin when you squeeze it.

Before this discovery, sensors would have had a maze of electronics built into them, which is not only time-consuming to make, they're also very costly to replace. Professor Kim says the 3D printed manufacturing process addresses both these issues and can be easily reprogrammed to print various sizes for different needs. He hopes the new design will be used in hospital settings where, in the past, the pads would need to be sanitized regularly and the skin-like covering would need to be changed quite often. It is hoped that this discovery will allow for greater, more comfortable sensory interaction between a robot and a patient. Pretty awesome.

All right, it's now time to return to our guest, Peter Coroneos, to find out what is being done to help prevent burnout and cybersecurity professionals.

So, Peter, here's the big question, what are your suggestions to boards and leaders? How does this issue get solved?

Peter Coroneos (13:13):
The starting point with any real commitment to working with teams to help improve their internal mental resilience is really the conversation around how you're doing and for leaders to really engage with their teams and to acknowledge that we're all human. Anyone put in these roles is going to be feeling stress. Beyond that, we start talking about the programs that we ourselves are implementing now called the Integrative Restoration, or iRest protocol. So, iRest was developed by a clinical psychologist in America, Dr. Richard Miller, and had taken it into the U.S. military around 2006, where they were having issues with veterans returning from the war zones, Iraq, Afghanistan, with trauma, post-trauma, PTSD, anxiety, depression, all the normal consequences of war. They started to introduce this protocol, which is a 10-step sequence of progressively relaxing the individuals, getting them out of their flight and fight mode and getting them back into a calmer state.

From there, they can actually safely begin to work with some of the subconscious triggers that they might be not even aware that they're carrying. Those are the things that accumulate over time, and if we allow them to build up, and we don't sort of listen in and respond to them in an appropriate way, then ultimately they'd lead us in a situation where if a crisis were to occur, we're more likely to lose our sense of control in that circumstance. So, what we're doing when we bring in the iRest protocol is we use the language and culture of cyber, so that they feel very much that they're understood When we run them through. They get the benefits of the immediate switch off so that they begin to report they're sleeping better is one of the first things that they notice. The teams, in turn, begin to feel more cared for. They feel that the organization is really taking seriously the difficulties that they're facing in their work and proactively doing something about it in a tangible way.

Also, we're able to measure the results as we go, so that we can do the snapshot of the status of the team where they sit on the burnout trajectory before we begin. And then as we progressively run the program through the organization, we can begin to show them the net improvements that they're seeing across these various metrics. Then of course, you get the qualitative data back from the individuals themselves saying how much better they feel and some of the positive effects that you report when the neurology is starting to respond positively to the kind of new environment that we're giving them. So, you can understand that in these critical roles where they're having to deal with vast amounts of data and they're having to analyze situations in very short order, the more that we can have them in their analytical brain where their higher executive functions are occurring and less in their reactive brain where their emotional responses reside, then the better they're going to be performing in their roles. And then by extension, the safer the organization becomes.

Aubrey Lovell (16:36):
So, for someone listening who maybe works in cybersecurity or has cybersecurity professionals within their organization, have you got any tips you can offer to help prevent burnout?

Peter Coroneos (16:48):
So, rather than talking about the tip, we prefer to talk about the entire iceberg. So, in effect, we're talking about that part of the mind, that part of our cognitive and emotional apparatus that sits beneath the surface that's not necessarily accessible to us in our waking state. I have to say though that before we embark on this depth approach, it's still helpful for organizations to start to normalize the conversation around mental health. And then secondly, to tell them the way in which we can support them and to have that as an ongoing thing, so that we build in this type of support into the working week. So, it becomes a long-term means of supporting them in these critical roles.

Aubrey Lovell (17:33):
Thanks so much, Peter. This has been great.

You can find more on the topics discussed in today's episode in the show notes.

All right. Well, we're getting towards the end of the show, which means it's time for This Week in History, a look at monumental events in the world of business and technology which has changed our lives. The clue last week was, it's 1987. And this picture got a lot of people animated. Did you get it? Well, it was the release of the Graphics Interchange Format, better known as the GIF. GIF was the first web-specific color animated image format and allowed even slow modems to download dazzling moving images at lightning speed. It was an immediate hit and hasn't really changed much in over 35 years since a 1989 update added transparent backgrounds and better metadata.

It's not all been smooth sailing, though. Through the mid-late 1990s, a series of massive legal battles broke out over licensing GIF images due to a patent on the compression algorithm it used. Website owners became terrified, usually without justification that they'd have to pay multiple thousands of dollars for having GIFs on their site. A campaign was launched to, quote, "burn all GIFs", and we're not quite sure how that would work out, but the PNG, an portable network graphics format, was developed in response. However, the patents on the GIF all expired in the early 2000s. Since then, the humble GIF has remained an integral part of internet humor and artistic expression. Great job.

Next week, the clue is, let's rewind to 1977. Think you know it? Well, don't tell. And that brings us to the end of Technology Now for this week. Thank you to our guest, Peter Coroneos, founder at We've put some links to them and their work in the show notes. And thank you all for being here. This episode was produced by Sam Datta-Paulin with production support from Harry Morton, Zoe Anderson, Alicia Kempson, Alison Paisley, Alyssa Mittrie, Kamila Patel, and Chloe Suewell. Our social editorial team is Rebecca Wissinger, Judy Ann Goldman, Katie Guarino, and our social media designers are Alejandra Garcia, Carlos Alberto Suarez, and Ambar Maldonado.

Technology now is a Lower Street production for Hewlett Packard Enterprise. We'll see you next week.