The ever-present threat of cyber attacks is taking its toll on info sec newcomers and veterans alike who are struggling to keep pace and can lead to cyber fatigue, which is a growing concern among both cyber professionals and consumers.
But just WHAT exactly is it? Most resources associate it with users who “just can’t be bothered with using a new password,” prompting users to make poor decisions with regard to their security efforts. In our experience working with government, academic, and commercial enterprises, cyber fatigue affects cyber professionals who are overworked, under-resourced, and lack proper training—leaving professionals throwing up their hands in fatigue and frustration.
Many organizations do not have the right sized cyber teams to alleviate workloads and effectively combat attacks; cybersecurity employees are fatigued from long hours, lots of pressure, and unreasonable workloads. This leads to dissatisfied employees and high attrition rates. This is a serious problem because organizations that are trusting their data security to a fatigued cyber team is ultimately, a threat to us all.
According to a new KPMG report, “How to Bounce Back from Cyber Fatigue,” a new model is needed to transform cybersecurity strategy from one that is draining and reactive to one that is energized and proactive.
A Five-Pronged Approach to Combat Cyber Fatigue
The KPMG report offers a five-pronged approach for organizations to combat the symptoms of cyber fatigue:
- Make measured investments in cyber capabilities based on risk: Quantify the risk by understanding its impact and effect on overall business objectives. How will a threat actor interrupt the achievement of a core business goal? Then look at the risk in terms of monetary cost to the company compared to likelihood of the risk occurring based on current circumstances.
- Regularly measure the effectiveness of your info security investments: Info security costs include the expected physical hardware and software costs in addition to more intangible elements like supply chain services, training, etc. Listing out all current allocations of resources and spending will allow info sec pros to compare the cost of cybersecurity to their overall risk tolerance and make adjustments in investments to best meet the organization’s needs.
- Develop/align the right cyber risk management model: Communicate on an enterprise-wide level the significance of a “protect data first” mentality across the organization and set expectations that breaches are not an “if” but “when” occurrence. Ensure all stakeholders understand what is needed to manage today’s risk and how the cyber team is preparing to protect and defend the company.
- Continually update your model to reflect emerging threats: Continued vigilance is key to managing cyber threats. They’re a moving target and companies need systems or platforms to help prepare cyber teams to combat the latest attacks. Immersive training platforms like our own Project Ares® can help teams and leaders make continued investments in their skills development to keep pace with evolving cyber threats.
- Build and promote a risk-aligned security organization: Cybersecurity isn’t just the responsibility of the info sec department or the CISO. It’s an enterprise-wide responsibility. It needs to be treated as a strategic priority with a top-down focus. A cybersecurity readiness program that includes a skill assessment and skills development component will help keep cyber teams prepared to manage the latest cyber threats and attacks.
Instead of a “spend more, more, more” mentality, organizations would benefit from taking these approaches and starting collaborative, C-suite involved conversations that advance them toward a culture of cyber awareness and proactivity.
Cyber threats are only getting more sophisticated and intelligent and cyber teams need to do the same in their cyber workforce preparedness. By maximizing info security investments and protecting the firm’s assets with robust staff training and skills development, CISOs can sleep a little easier at night—and more readily tackle tomorrow’s cyber threats.