Careers & People
11/7/2017
04:24 PM

Burnout, Culture Drive Security Talent Out the Door

Security's efforts to bridge the talent gap mean little when workers don't want to stay in the industry.

We hear a lot about security's struggle to acquire talent but little about its inability to retain employees. The skill shortage is doomed to worsen if security can't improve tenure.

Earlier this year, Dr. Andrea Little Limbago, chief social scientist at Endgame, polled 300 security professionals to learn about their perspective on retention. Three-quarters had been in the industry for at least five years; 35% for over 11 years.

People normally describe the talent gap as a pipeline problem: the issue is getting people in the door. This is a "positive challenge" for the industry, she says. It has driven a strong focus on improving university security programs and introducing security into K-12 classes.

"It feels so much better to inspire kids to go into cybersecurity, but what's harder is looking at the industry itself and all the parts that might need fixing," Limbago explains. All of these efforts are negated when industry norms force talented employees out the door.

Burnout

Survey results indicate burnout, industry culture, and ill-defined career paths are the three key reasons people leave cybersecurity. Limbago says she was expecting the first two. Burnout is commonly mentioned at conferences and by friends in the industry, she notes.

Survey questions asked why respondents had left previous roles, and burnout and stress were common. When she followed up, Limbago learned businesses weren't taking them seriously, despite reports employees were working long hours and weekends without taking time off. More than 70% of respondents report working 41-60 hours each week; 10% work over 60.

"They felt their leadership, or their company, interpreted [burnout] as not being committed to their job, as opposed to taking it seriously as a problem," she explains. "It's something where organizations need to focus."

While stress was common, only one-third of respondents felt they were professionally challenged, followed by 28% who were somewhat challenged. Security can be stimulating, but many tasks are redundant and don't leave time for critical thinking or for developing technical skills.

"There's so much in processes that is so mundane to do hours and hours on end, day after day, especially things that could be automated by now," says Limbago. "You could see how that leads to burnout."

Industry Culture

The cultural aspect is a key challenge for both attracting and retaining talent. Nearly all non-male respondents (85%) had experienced some level of discrimination at professional conferences, and more than half had experienced harassment at those events, Limbago found.

At the corporate level, the numbers are lower but still bleak. Nearly 60% of non-male respondents had experienced discrimination at their company, and 44% had experienced harassment within their company or at company events.

Limbago, who has experience working in academia and national security, fields that also have few women, says she didn't notice the gender dynamics there as much as she has in security. While she reports a great community at her own company, she says the conference environment can often be "dispiriting."

"Little things here and there, you get used to overlooking and ignoring [them], but over the years it builds up a lot," she says. "Company culture becomes so much more important," she adds, and eventually internal corporate culture can affect conference culture as well.

Ill-Defined Career Path

Lack of professional advancement and growth was the main reason respondents left their previous roles, Limbago found, with 53% saying it was a key factor. Almost 20% of respondents cited limited advancement or growth as a factor when deciding to leave security.

"So much is written about the workforce openings, the shortage, and how important tech leadership is, but so often the biggest pushback is a lack of career growth," she says. Good tech leadership is necessary, but companies don't provide the paths to prepare future leaders.

Security isn't necessarily a new industry, but it's evolving quite a bit for many organizations. A lot of new corporations building infosec teams for the first time don't have resources to build big departments or a definite career track for the people they hire. When a team only has one or two members, those employees generally don't stay too long.

What can be done?

Limbago's research suggests acknowledging the need for time off and creating social events can make a tremendous difference in lowering burnout and driving inclusivity. It's important for this type of culture to start internally, with leadership buy-in to foster greater engagement.

She also emphasizes the need for more realistic performance metrics, which "should not be based along the binary of breach or no breach." Metrics for security professionals should be more nuanced and include their successes and failures, and an understanding of the business threat model, while considering the availability of resources.

Retention will be an increasingly critical problem as the need for security professionals continues to grow. Data from CyberSeek, a free workforce and career resource from CompTIA and Burning Glass Technologies, reports US employers posted 285,681 cybersecurity job openings during the 12-month period ending in Sept. 2017.

Across all US jobs, there were 5.6 employed workers for each job opening from Oct. 2016 through Sept. 2017. In security, there are 2.6 employed workers per vacancy. This means the security talent pool would need to more than double overnight to meet the market average.


Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments
J@wn, User Rank: Apprentice, 11/8/2017 | 3:30:34 PM
The Importance of a Healthy Culture
Too often, ethics get left behind in the name of security. Laziness and greed are the main drivers. To some, psychological aggression directed at new team members is acceptable, like hazing. Unfortunately, not all agree, and either the culture degrades into bullying or the new member becomes toxic themselves. My credential requires me to uphold the highest ethical standards; this industry trend is unacceptable.
SchemaCzar, User Rank: Strategist, 11/8/2017 | 9:23:52 AM
Organizations don't take security seriously
"Businesses weren't taking them seriously." To me, this is the money line. But it's not the professionals, it's the security that the businesses aren't taking seriously. InfoSec professionals are burning out because companies won't actually accept the risks they face and the organizational will to mitigate those risks.