How can cybersecurity professionals grapple with alert fatigue and how does this impact operations? 

Devo Technology, the cloud-native security analytics company, has unveiled the results of a new study examining the ramifications of cybersecurity burnout, finding the vast majority of IT security professionals admit stress has led them and peers to make errors that have caused data breaches. 

Recent estimates put the shortage of cybersecurity professionals at 3.5 million. The survey, conducted by Wakefield Research on behalf of Devo, demonstrates that in addition to the mental and physical toll stress takes on these under-resourced teams, their struggles also directly affect their organisation’s security posture. Burnout isn’t just a people problem; it is a business problem that negatively impacts a company’s ability to safeguard its data, reputation and bottom line. 

Cybersecurity burnout is compounding cyber-risk  

Respondents to the survey reported several concerning trends that, if left unaddressed by CISOs and company leadership, could result in costly turnover, financial damages from regulatory fines and lost consumer trust. More specifically, the survey found that:  

  • 83% of IT security professionals admit they or someone in their department has made errors due to burnout that have led to a security breach. 
  • 85% say they anticipate they will leave their role due to burnout; 24% say they’ll leave cybersecurity entirely. 
  • 77% say stress levels at work directly affect their ability to keep customer data safe. 

“These findings are a harsh wake-up call for enterprise leaders but also provide an opportunity for change,” said Marc van Zadelhoff, CEO, Devo. “Caring for security teams isn’t just a ‘nice thing’ to do. It’s the right thing for both the individuals working the frontlines and the broader business.”

Security professionals feel unsupported by leadership 

The survey also uncovered a deep disconnect between security leadership and their teams. Even though over half of the respondents reported that alert fatigue has caused increased anxiety or feelings of depression, they don’t think stress and burnout issues are taken seriously. More specifically: 

  • 76% agree their IT leadership would not last one full day dealing with the number of alerts they manage. 
  • 45% of IT professionals felt their leadership hasn’t responded proactively to employee burnout and wished their leaders would offer additional training, mentorship and development. 
  • 82% say they’ve been told stress and burnout are just a normal part of their job.

“Burnout is a persistent issue in the cybersecurity world, and unfortunately, too many security practitioners are told that’s just how it is. While CISOs deal with their own stressors, it’s imperative for leaders to always listen to and understand the needs of their teams,” said Kayla Williams, CISO, Devo. “Organisations that proactively provide staff with training, solutions and mental health resources have healthier and happier security teams and are more secure because of it.”

Matt Hillary, VP Security & CISO, Drata 

Alert fatigue is a real thing but is an indication of alerting sources being at the beginning of the alert tuning journey. Getting our alerts tuned is an endless battle for most security teams. Without a clear prioritisation and direction for tuning alerts, security operations teams will continue to be in an alerting-paralysis phase until there’s a clear path out. 

Many security teams focus first on getting all log sources consolidated into a SIEM. From there, they focus on generating events to alert a human when things need additional review to determine if the alert should be investigated further as a security incident. At scale, this journey takes a lot of effort and human power. In many cases, tools exist with out-of-the-box alerts that can be applied to certain log sources to kick-start the alert-tuning process. Even with these capabilities, security teams still need to rigorously evaluate these alerts to alert humans ONLY when necessary and this takes a while. 

A strategy to help here is to start with the most important log sources and alerts first. For example, an account compromise for an administrator user on your identity provider or cloud service provider could have dire, nigh company-ending consequences. Focus on getting those logs and alerts ingested, tuned and sent to your security team first. Endpoint compromise can also have impact – having capable monitoring and alerting on endpoint activities that might indicate compromise is also a critical log source. 

The key takeaway from this is there is no end to tuning, but the long-tail of tuning gets more and more manageable over time as you focus on the most important alerts first. 

Simon Hogg, CISO at Eigen Technologies 

Alert fatigue is a common issue within the realm of cybersecurity, significantly impacting the operational efficiency of professionals tasked with safeguarding digital landscapes. It emerges as a result of the constant barrage of alerts, a considerable number of which turn out to be false alarms. This inundation causes professionals to become desensitised, potentially leading to the oversight of genuine and critical threats. Effectively grappling with alert fatigue is vital to maintaining the integrity and effectiveness of cybersecurity operations. 

One strategy to combat this challenge is the prioritisation of alerts. All alerts are not created equal and systems should categorise them based on potential impact to ensure that the most critical ones are dealt with promptly. Fine-tuning intrusion detection systems through continuous optimisation and adjustment of parameters is essential to reduce false positives. A valuable component in this process is establishing a User Feedback Loop, allowing analysts to provide feedback on alerts, thus improving the system’s detection capabilities. 

Correlation and aggregation of alerts using Security Information and Event Management (SIEM) solutions are pivotal in tackling alert fatigue. By integrating threat intelligence feeds into these tools, analysts gain valuable context for alerts, enabling them to prioritise and respond effectively. Employing a defence-in-depth approach with multiple layers of monitoring and alerting adds robustness to the security infrastructure, ensuring that even if one system misses an event, another is in place to capture it. 

Rotation of duties among team members and regular training sessions are equally important in mitigating alert fatigue. Performing the same task continuously can reduce alertness and increase the likelihood of missing critical alerts. Training reinforces the importance of vigilance and emphasises the significance of alerts. 

The impact this can have on operations is worrying. It erodes trust and operational efficiency, largely due to repeated false positives. This erosion can lead stakeholders to question the credibility of alerts, compromising the effectiveness of the security measures in place. Moreover, alert fatigue can result in increased costs, as addressing events before they escalate is a more cost-effective strategy. Neglecting genuine alerts and subsequent breaches can have legal and compliance implications, potentially leading to penalties and legal repercussions. 

Through strategic approaches such as prioritisation, correlation, automation, training and a defence-in-depth approach, cybersecurity professionals can grapple with alert fatigue, ensuring that genuine threats are promptly identified and potential breaches are effectively mitigated. 

Matt Cooke, Cybersecurity Strategist at Proofpoint 

Alert fatigue undoubtedly impacts cyber professionals’ ability to react effectively to real threats and can heavily affect company operations. When inundated and desensitised to alerts, security professionals may become slow to react to real, critical threats, resulting in more extensive damage, longer recovery times and increased costs associated with mitigating actual risks. 

From an employee standpoint, alert fatigue can also create additional workload for those whose responsibility it is to monitor them. As they become overwhelmed with notifications, they may experience added work stress and tension, which may lead to higher burnout, turnover and decreased productivity. The challenge of burnout is already rife, with 74% of UK CISOs admitting to experiencing burnout in the past year.  

There’s also the legal and compliance issue. Security breaches resulting from overlooked threats due to alert fatigue can lead to inadequate compliance with industry regulations, potentially resulting in costly fines and potentially legal action.  

In addition, as cybersecurity systems fail to filter and prioritise real alerts, organisations may need to allocate additional resources to manage the high volume of alerts, leading to increased operational costs. 

Cybersecurity incidents resulting from alert fatigue can also be immensely damaging to an organisation’s reputation. Customers may lose trust in the company’s ability to protect their data, leading to customer attrition and revenue loss. 

Organisations can take steps to minimise alert fatigue and improve the overall efficacy of cybersecurity:  

  • Establish thresholds to prioritise alerts based on severity. By setting priority levels for different types of alerts, security professionals can focus on the most critical threats. AI and automation can be your friend here. Leveraging AI and ML will help with the prioritisation, reducing the noise and keeping focus on what is important. 
  • Professionals must not forget about the incident response plan, which should include a predetermined set of procedures and guidelines for responding to security incidents, such as identifying critical assets and systems, assigning an incident response team, determining incident response procedures and defining communication protocols. By continuously improving and updating the plan, security teams can ensure its relevance and effectiveness.
  • Organisations should regularly review and fine-tune their cybersecurity systems to minimise the frequency of false positives and ensure only relevant alerts are triggered. 
  • By implementing systems to keep employees well-trained on security best practices, an organisation can reduce the possibility of human errors like falling for phishing scams or overlooking serious alerts. Thus, by promoting security awareness training among employees, companies can minimise alert fatigue. 