
11/7/2017
04:24 PM

Burnout, Culture Drive Security Talent Out the Door

Security's efforts to bridge the talent gap mean little when workers don't want to stay in the industry.

We hear a lot about security's struggle to acquire talent but little about its inability to retain employees. The skill shortage is doomed to worsen if security can't improve tenure.

Earlier this year, Dr. Andrea Little Limbago, chief social scientist at Endgame, polled 300 security professionals to learn about their perspective on retention. Three-quarters had been in the industry for at least five years; 35% for over 11 years.

People normally describe the talent gap as a pipeline problem: the issue is getting people in the door. This is a "positive challenge" for the industry, she says. It has driven a strong focus on improving university security programs and introducing security into K-12 classes.

"It feels so much better to inspire kids to go into cybersecurity, but what's harder is looking at the industry itself and all the parts that might need fixing," Limbago explains. All of these efforts are negated when industry norms force talented employees out the door.

Burnout

Survey results indicate burnout, industry culture, and ill-defined career paths are three key reasons people leave cybersecurity. Limbago says she was expecting the first two. Burnout is commonly mentioned at conferences and from friends in the industry, she notes.

Survey questions asked why respondents had left previous roles, and burnout and stress were common. When she followed up, Limbago learned businesses weren't taking them seriously, despite reports employees were working long hours and weekends without taking time off. More than 70% of respondents report working 41-60 hours each week; 10% work over 60.

"They felt their leadership, or their company, interpreted [burnout] as not being committed to their job, as opposed to taking it seriously as a problem," she explains. "It's something where organizations need to focus."

While stress was common, only one-third of respondents felt they were professionally challenged, followed by 28% who were somewhat challenged. Security can be stimulating but many tasks are redundant and don't leave time for critical thinking and technical skills.

"There's so much in processes that is so mundane to do hours and hours on end, day after day, especially things that could be automated by now," says Limbago. "You could see how that leads to burnout."

Industry Culture

The cultural aspect is a key challenge for both attracting and retaining talent. Nearly all non-male respondents (85%) had experienced some level of discrimination at professional conferences, and more than half had experienced harassment at those events, Limbago found.

At the corporate level, the numbers are lower but still bleak. Nearly 60% of non-male respondents had experienced discrimination at their company, and 44% had experienced harassment within their company or at company events.

Limbago, who has worked in academia and national security, fields that also have few women, says she didn't notice the gender dynamics there as much as she has in security. While she reports a great community at her own company, she says the conference environment can often be "dispiriting."

"Little things here and there, you get used to overlooking and ignoring [them], but over the years it builds up a lot," she says. "Company culture becomes so much more important," she adds, and eventually internal corporate culture can affect conference culture as well.

Ill-Defined Career Path

Lack of professional advancement and growth was the main reason respondents left their previous roles, Limbago found, with 53% saying it was a key factor. Almost 20% of respondents cited limited advancement or growth as a factor when deciding to leave security.

"So much is written about the workforce openings, the shortage, and how important tech leadership is, but so often the biggest pushback is a lack of career growth," she says. Good tech leadership is necessary, but companies don't provide the paths to prepare future leaders.

Security isn't necessarily a new industry, but it's evolving quite a bit for many organizations. A lot of new corporations building infosec teams for the first time don't have resources to build big departments or a definite career track for the people they hire. When a team only has one or two members, those employees generally don't stay too long.

What can be done?

Limbago's research suggests acknowledging the need for time off and creating social events can make a tremendous difference in lowering burnout and driving inclusivity. It's important for this type of culture to start internally, with leadership buy-in to foster greater engagement.

She also emphasizes the need for more realistic performance metrics, which "should not be based along the binary of breach or no breach." Metrics for security professionals should be more nuanced and include their successes and failures, and an understanding of the business threat model, while considering the availability of resources.

Retention will be an increasingly critical problem as the need for security professionals continues to grow. Data from CyberSeek, a free workforce and career resource from CompTIA and Burning Glass Technologies, reports US employers posted 285,681 cybersecurity job openings during the 12-month period ending in Sept. 2017.

Across all US jobs, there were 5.6 employed workers for each job opening from Oct. 2016 through Sept. 2017. In security, there are 2.6 employed workers per vacancy. This means the security talent pool would need to more than double overnight to meet the market average.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
J@wn
11/8/2017 | 3:30:34 PM
The Importance of a Healthy Culture
Too often, ethics get left behind in the name of security. Laziness and greed are the main drivers. To some, psychological aggression directed at new team members is acceptable, like hazing. Unfortunately not all agree, and either the culture degrades into bullying or the new member becomes toxic themselves. My credential requires me to uphold the highest ethical standards; this industry trend is unacceptable.
SchemaCzar
11/8/2017 | 9:23:52 AM
Organizations don't take security seriously
"Businesses weren't taking them seriously." To me, this is the money line. But it's not the professionals, it's the security that the businesses aren't taking seriously. InfoSec professionals are burning out because companies won't actually accept the risks they face and the organizational will to mitigate those risks.