Brendan Kwolek reminds us that we live in interesting times

Imagine the average cybersecurity professional.  They might work in your typical cubicle (or perhaps now work remotely or in some hybrid variation), surrounded by monitors, coffee cups and fluorescent lights, always watching for threats, whether real or perceived.  They patch tirelessly, working all hours of the day, assessing risk, and reporting on the same to ensure the organizations they aspire to protect are as sound as can be.

Turns out they’ve found themselves caught in a never-ending spiral just to try and keep pace. These highly skilled professionals, who often come with significant hands-on, academic and/or research backgrounds, who aim to help fend off cyberattackers, are burning out.  As it turns out, it’s happening to this group at a rate that rivals that of frontline healthcare professionals.

Despite the COVID-19 pandemic, global political instability, and outright war, there was another kind of quieter threat that continued to bubble. Cyberthreats have been on the rise and now exist at a scale for which many were unprepared.  While we continue to invest more in education, more people, and more technology, we are not making adequate progress toward solving this problem. Globally, healthcare is firmly entrenched in the attackers’ sights and has become a preferred target, with multiple studies citing healthcare as one of the most attacked sectors.  Ransomware continues to be a multi-billion-dollar enterprise and will continue to thrive if organizations continue to pay.  Some are beginning to ask if cybersecurity is in fact an unsolvable problem.

Amid all this chaos, new terms now dominate our workplace conversations.  Familiar words like ‘burnout’ are being joined by newer friends, such as ‘quiet quitting’ (and even now ‘loud quitting’). The term ‘burnout’ has emerged on the other side of the pandemic as an overarching theme and outcome, as we rush to study both causes and the efficacy of point solutions to help bring our most important resource (people) back from the brink.  Burnout is defined simply as a ‘feeling of personal ineffectiveness which one is not able to overcome’, and there are good data and brilliant minds hard at work to help contribute to solving this problem.

The notion of effectiveness really speaks to how your activities make a difference, move the envelope, or accomplish a goal.  For cybersecurity professionals, at a micro level, this may be task-driven work in pursuit of a plan or multi-year strategy, or even the usual slate of monthly security patches. At a macro level, this is protecting and preparing for the inevitable cyber-incident (as we often say, it’s not ‘if’, but ‘when’). 

Cybersecurity professionals are literally repeating the same tasks month to month, with no end in sight, and in many cases, have little autonomy or ability to stop the bleeding. Recruitment is often stymied by a global skills shortage that numbers in the millions, with many of those fresh out of school unable to find entry-level cybersecurity jobs because they don’t fit the profile of the mystical cybersecurity unicorn. Additional technologies not only carry heavy investment (with revenues in Canada exceeding 3.5 billion U.S. dollars in 2022), but also amplify and dramatically increase the number of alerts that cybersecurity professionals must contend with, sending them down a path to what we’ve come to refer to as ‘alert fatigue’.

And the risk of missing one of these signals at the wrong moment? Target’s security breach in 2013 serves as an excellent reminder of why, despite everything that would incline us towards complacency, we must not stray down that path. We must begin to control the previous technology sprawl in support of a defined and purposeful roadmap that matures and advances, while simultaneously supporting cybersecurity professionals by raising the right items to their attention in the right moments, and we must begin to build and educate teams from previously untapped sources.

This ever-present threat now dominates the lives (and livelihoods) of the professionals who have stepped forward to protect their organizations.  Countless evenings, weekends, and family events have been cancelled or compromised by the threat du jour.  We must do better to support and grow our teams if we are to continue to fend off this threat effectively (or respond appropriately when needed). Without intervention, we will quickly find ourselves wandering past ‘interesting’ times, and down a collision course to ‘chaos’.

‘A Cybersecurity Odyssey: Between Scylla and Charybdis’ harkens back to Homer’s Odyssey and suggests opportunities for healthcare leaders to ‘chart a safer course’ to control their destinies in the face of the cybersecurity dangers found on the opposite sides of the river.

Brendan Kwolek is the Chief Information and Digital Officer for Halton Healthcare.

You can read Brendan’s full article here in the January 2024 edition of Healthcare Management Forum. Kwolek offers practical options designed to attract and retain the right people.