There has been a lot of talk about the sharp increase in workplace burnout. The WHO defines burnout as a syndrome resulting from chronic workplace stress that has not been successfully managed. This includes three dimensions:
- Feelings of energy depletion or exhaustion
- Increased mental distance from one’s job
- Reduced professional efficacy
The third element alone should catch the attention of senior management. It’s clear that “powering through” burnout is neither sustainable nor effective and that, without intervention, it can and does result in further damage. Wall Street Journal reporter Ray A. Smith cautions: “A burned out employee ultimately will decline in productivity because they just can’t do it anymore” and this can result in “mistaking or leaving out a zero that could quickly turn into a million-dollar loss.”
IT and security professionals are, of course, no strangers to stress. For years, the industry has been challenged by talent gaps and shortages, the acceleration of innovation and the need to integrate emerging technologies, and the mitigation of growing external risks. Factor in the current state of affairs – a worldwide Great Resignation, growing geopolitical tensions, escalating cyber threats lurking in the shadows, and daily warnings from government leaders – and we can see that pressures on security executives have reached epic proportions. According to Adam Meyers, SVP of intelligence for CrowdStrike, being in “a prolonged period of high state alert where people are constantly trying to react and respond to incidents may lead to people being worn down and making mistakes,” so it’s really no surprise that 84% of security professionals recently said they feel burnt out.
While these numbers capture the sentiment of CISOs and security executives, another group within cyber security is also feeling these effects – the compliance leader – and it’s important that companies address these issues before it’s too late.
What contributes to compliance leader burnout, and how can it be mitigated?
Several factors contribute to compliance leader burnout. Below are the top three to recognize, along with ways that companies and their compliance talent can effectively address them moving forward.
Being blamed for failures outside of compliance leaders’ control
Just as a CISO will be held responsible for a security breach, even if the incident was unforeseeable, a compliance leader is considered responsible for all aspects of compliance: getting the appropriate certifications and reports, making sure the company passes its audits, etc. But if traditional methods of compliance are used, the compliance leader has no actual oversight of whether those controls are running. For example, the compliance team may set up controls over user access, but if one control owner forgets to run their control, the resulting failure will likely be blamed on the compliance leader.
How to fix this
Data-oriented compliance that automatically pulls data from primary sources can sift through a vast volume of data and give an early signal if it senses a problem that needs to be looked at by a security person or engineer. This makes it less likely that a compliance leader will be blindsided by a long-running failure to implement a control.
When a control is built into processes that a department is already running, it’s less likely to be overlooked by that department—since the control is part of a process that’s operationally important to the company.
A perception that the compliance team does little of substance for the company
When compliance is perceived as a burden on stakeholders without a real benefit to the company, a compliance leader may struggle to feel recognized as serving an important role – leading to burnout. The requirements imposed by the compliance team might be seen as creating busywork, leaving internal stakeholders to document processes and dig up documents come audit time.
How to fix this
By implementing automation that reduces the burden on stakeholders and building compliance-related requests around other departments’ needs and schedules, compliance leaders will get more cooperation and respect from them.
For example, unified control frameworks—which harness data automatically collected via data-oriented compliance—eliminate redundant controls and make it possible to ensure that controls collectively meet their objectives. Reducing the number of controls reduces other departments’ compliance-related tasks, which in turn reduces friction with stakeholders and allows them to see the value compliance creates for the organization.
Finding a way to make controls relevant to a department and reducing the compliance tasks it must perform altogether make it more likely that the controls are run properly and less likely that the compliance team is considered intrusive.
Lack of management support
As noted earlier, compliance professionals often feel that they have little control over issues they may be blamed for and that they aren’t getting adequate funding from management to do their jobs properly.
How to fix this
Having a seat at the table gives compliance leaders greater input and greater control. That seat is earned by showing how compliance creates operational value to the company. One way to do this is to use data from primary sources to address risk quantification. Continuously available data makes putting a dollars-and-cents value on risk easier and more accurate than traditional methods of risk management. This enables management to prioritize risk and have a better sense of where to allocate funds. The compliance leader who contributes operational value will likely receive greater funding and be consulted when decisions affecting compliance arise.
A step toward mitigating compliance leader burnout: Reduce stresses, increase rewards
Burnout is pervasive among cyber security professionals, and that includes security compliance leaders. The stresses of the pandemic and other stresses particular to compliance leaders can take a toll.
One of the key ways to combat this is to reduce the burden compliance imposes on stakeholders and increase the operational value compliance brings to a company by moving to data-oriented compliance. A solid compliance posture is then easier to achieve.
Delivering value to management beyond the fact of a clean audit can give compliance leaders more control, less stress, and a sense of validation which, together, may reduce the risk of burnout moving forward.