Burnout adds to cyber talent crisis, forcing bosses to get creative with hiring

It's harder to stop ransomware at a hospital when your kids need help logging into Zoom for school.
(Getty Images)

Outdated hiring practices in the cybersecurity sector aren’t as easy to ignore as they once were.

While organizations have sought to fill security-related roles — there are nearly 900,000 open positions in the U.S. alone, by one 2020 count — existing professionals have spent nearly two years adjusting to widespread remote work, fending off hackers while balancing family responsibilities amid a pandemic that killed more than 700,000 Americans. Meanwhile, attackers have tightened their focus on critical infrastructure in the U.S., extorting hospitals and schools at a rate that leads to feelings of exhaustion more often than hope.

The situation is forcing organizations to re-examine their recruiting strategies in a way that aims to expand the talent pool and support existing employees, according to Mari Galloway, CEO and founding board member of Women’s Society of CyberJutsu, a nonprofit dedicated to building awareness about career opportunities

“I have burnout moments probably every quarter where I think ‘I can’t do this anymore. I don’t want to do this anymore,’’” she said during an appearance at CyberWeek, an event produced by Scoop News Group.


“Burnout comes from a sense of your hair always being on fire,” she added. “You’re trying to be reactive to every single thing, rather than being proactive. But it can be dangerous, especially if you have a family or other obligations.”

An unmanageable workload is a leading cause of burnout in corporate America, according to a Gallup poll, along with unreasonable time pressure and a lack of role clarity, all issues that are particularly acute for security personnel. It’s one of the key reasons that more firms need to look past Ivy League graduates and professional conferences as the primary avenues of recruitment, Galloway said.

Talent scouts can extend their networks into areas of rural America where fewer companies are located, engage with local schools to identify possible hires and embrace creative training as a means of grooming young staffers. If a teenager or college student is particularly adept at puzzles or solving problems with their phone, for instance, Galloway suggested that educators or hiring managers try to build on those interests.

“We don’t take the time to explore non-traditional paths into this space,” she said. “We’re missing out on a whole group of folks who don’t have access to those types of access or funding to go and be able to join a conference or have that degree.”

The shift already appears to be underway.


Bank of America’s security team is seeking to fill its talent pipeline by recruiting more staffers who identify as neurodiverse, a category that includes autism, attention deficit hyperactivity disorder and dyslexia. Jobs that require a high level of technical thinking or pattern recognition — such as reverse engineering malicious software, cryptography or data analytics — are especially best served by such candidates, said Craig Froelich, Bank of America’s chief information security officer.

“What’s really important about people who are neurodiverse is that they just think differently,” he said at CyberWeek.

“One of the advantages that you can have when you have people who are thinking differently is that, long before you have a threat at your doorstep, you have a chance to think about that challenge in new and different ways and bring solutions long before you have to take action,” Froelich said.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts