We hear a lot about security's struggle to acquire talent but little about its inability to retain employees. The skill shortage is doomed to worsen if security can't improve tenure.
Earlier this year, Dr. Andrea Little Limbago, chief social scientist at Endgame, polled 300 security professionals to learn about their perspective on retention. Three-quarters had been in the industry for at least five years; 35% for over 11 years.
People normally describe the talent gap as a pipeline problem: the issue is getting people in the door. This is a "positive challenge" for the industry, she says. It has driven a strong focus on improving university security programs and introducing security into K-12 classes.
"It feels so much better to inspire kids to go into cybersecurity, but what's harder is looking at the industry itself and all the parts that might need fixing," Limbago explains. All of these efforts are negated when industry norms force talented employees out the door.
Survey results indicate burnout, industry culture, and ill-defined career paths are three key reasons people leave cybersecurity. Limbago says she was expecting the first two. Burnout is commonly mentioned at conferences and from friends in the industry, she notes.
Survey questions asked why respondents had left previous roles, and burnout and stress were common. When she followed up, Limbago learned businesses weren't taking them seriously, despite reports employees were working long hours and weekends without taking time off. More than 70% of respondents report working 41-60 hours each week; 10% work over 60.
"They felt their leadership, or their company, interpreted [burnout] as not being committed to their job, as opposed to taking it seriously as a problem," she explains. "It's something where organizations need to focus."
While stress was common, only one-third of respondents felt they were professionally challenged, followed by 28% who were somewhat challenged. Security can be stimulating but many tasks are redundant and don't leave time for critical thinking and technical skills.
"There's so much in processes that is so mundane to do hours and hours on end, day after day, especially things that could be automated by now," says Limbago. "You could see how that leads to burnout."
The cultural aspect is a key challenge for both attracting and retaining talent. Nearly all (85% of) non-male respondents had experienced some level of discrimination at professional conferences, and more than half had experienced harassment at those events, Limbago found.
At the corporate environment level, the numbers are lower but still bleak. Nearly 60% of non-male respondents had experienced discrimination at their company, and 44% had experienced harassment within their company or at company events.
Limbago, who has experience working in academia and national security, which also has few women, says she didn't notice the gender dynamics as much as she has in security. While she reports a great community at her own company, she says oftentimes the conference environment can be "dispiriting."
"Little things here and there, you get used to overlooking and ignoring [them], but over the years it builds up a lot," she says. "Company culture becomes so much more important," she adds, and eventually internal corporate culture can affect conference culture as well.
Ill-Defined Career Path
Lack of professional advancement and growth was the main reason respondents left their previous roles, Limbago found, with 53% saying it was a key factor. Almost 20% of respondents cited limited advancement or growth as a factor when deciding to leave security.
"So much is written about the workforce openings, the shortage, and how important tech leadership is, but so often the biggest pushback is a lack of career growth," she says. Good tech leadership is necessary, but companies don't provide the paths to prepare future leaders.
Security isn't necessarily a new industry, but it's evolving quite a bit for many organizations. A lot of new corporations building infosec teams for the first time don't have resources to build big departments or a definite career track for the people they hire. When a team only has one or two members, those employees generally don't stay too long.
What can be done?
Limbago's research suggests acknowledging the need for time off and creating social events can make a tremendous difference in lowering burnout and driving inclusivity. It's important for this type of culture to start internally, with leadership buy-in to foster greater engagement.
She also emphasizes the need for more realistic performance metrics, which "should not be based along the binary of breach or no breach." Metrics for security professionals should be more nuanced and include their successes and failures, and an understanding of the business threat model, while considering the availability of resources.
Retention will be an increasingly critical problem as the need for security professionals continues to grow. Data from CyberSeek, a free workforce and career resource from CompTIA and Burning Glass Technologies, reports US employers posted 285,681 cybersecurity job openings during the 12-month period ending in Sept. 2017.
Across all US jobs, there were 5.6 employed workers for each job opening from Oct. 2016 through Sept. 2017. In security, there are 2.6 employed workers per vacancy. This means the security talent pool would need to more than double overnight to meet the market average.