
11/7/2017
04:24 PM

Burnout, Culture Drive Security Talent Out the Door

Security's efforts to bridge the talent gap mean little when workers don't want to stay in the industry.

We hear a lot about security's struggle to acquire talent but little about its inability to retain employees. The skill shortage is doomed to worsen if security can't improve tenure.

Earlier this year, Dr. Andrea Little Limbago, chief social scientist at Endgame, polled 300 security professionals to learn about their perspective on retention. Three-quarters had been in the industry for at least five years; 35% for over 11 years.

People normally describe the talent gap as a pipeline problem: the issue is getting people in the door. This is a "positive challenge" for the industry, she says. It has driven a strong focus on improving university security programs and introducing security into K-12 classes.

"It feels so much better to inspire kids to go into cybersecurity, but what's harder is looking at the industry itself and all the parts that might need fixing," Limbago explains. All of these efforts are negated when industry norms force talented employees out the door.

Burnout

Survey results indicate burnout, industry culture, and ill-defined career paths are three key reasons people leave cybersecurity. Limbago says she was expecting the first two. Burnout is commonly mentioned at conferences and from friends in the industry, she notes.

Survey questions asked why respondents had left previous roles, and burnout and stress were common. When she followed up, Limbago learned businesses weren't taking them seriously, despite reports employees were working long hours and weekends without taking time off. More than 70% of respondents report working 41-60 hours each week; 10% work over 60.

"They felt their leadership, or their company, interpreted [burnout] as not being committed to their job, as opposed to taking it seriously as a problem," she explains. "It's something where organizations need to focus."

While stress was common, only one-third of respondents felt they were professionally challenged, followed by 28% who were somewhat challenged. Security can be stimulating but many tasks are redundant and don't leave time for critical thinking and technical skills.

"There's so much in processes that is so mundane to do hours and hours on end, day after day, especially things that could be automated by now," says Limbago. "You could see how that leads to burnout."

Industry Culture

The cultural aspect is a key challenge for both attracting and retaining talent. Nearly all (85% of) non-male respondents had experienced some level of discrimination at professional conferences, and more than half had experienced harassment at those events, Limbago found.

On a corporate environment level, the numbers are lower but still bleak. Nearly 60% of non-male respondents had experienced discrimination at their company, and 44% had experienced harassment within their company or at a company event.

Limbago, who has experience working in academia and national security, which also has few women, says she didn't notice the gender dynamics as much as she has in security. While she reports a great community at her own company, she says oftentimes the conference environment can be "dispiriting."

"Little things here and there, you get used to overlooking and ignoring [them], but over the years it builds up a lot," she says. "Company culture becomes so much more important," she adds, and eventually internal corporate culture can affect conference culture as well.

Ill-Defined Career Path

Lack of professional advancement and growth was the main reason respondents left their previous roles, Limbago found, with 53% saying it was a key factor. Almost 20% of respondents cited limited advancement or growth as a factor when deciding to leave security.

"So much is written about the workforce openings, the shortage, and how important tech leadership is, but so often the biggest pushback is a lack of career growth," she says. Good tech leadership is necessary, but companies don't provide the paths to prepare future leaders.

Security isn't necessarily a new industry, but it's evolving quite a bit for many organizations. A lot of new corporations building infosec teams for the first time don't have resources to build big departments or a definite career track for the people they hire. When a team only has one or two members, those employees generally don't stay too long.

What can be done?

Limbago's research suggests acknowledging the need for time off and creating social events can make a tremendous difference in lowering burnout and driving inclusivity. It's important for this type of culture to start internally, with leadership buy-in to foster greater engagement.

She also emphasizes the need for more realistic performance metrics, which "should not be based along the binary of breach or no breach." Metrics for security professionals should be more nuanced and include their successes and failures, and an understanding of the business threat model, while considering the availability of resources.

Retention will be an increasingly critical problem as the need for security professionals continues to grow. Data from CyberSeek, a free workforce and career resource from CompTIA and Burning Glass Technologies, reports US employers posted 285,681 cybersecurity job openings during the 12-month period ending in Sept. 2017.

Across all US jobs, there were 5.6 employed workers for each job opening from Oct. 2016 through Sept. 2017. In security, there are 2.6 employed workers per vacancy. This means the security talent pool would need to more than double overnight to meet the market average.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 

Comments
J@wn
User Rank: Apprentice
11/8/2017 | 3:30:34 PM
The Importance of a Healthy Culture
Too often, ethics get left behind in the name of security. Laziness and greed are the main drivers. To some, psychological aggression directed at new team members is acceptable, like hazing. Unfortunately not all agree, and either the culture degrades into bullying or the new member becomes toxic themselves. My credential requires me to uphold the highest ethical standards; this industry trend is unacceptable.
SchemaCzar
User Rank: Strategist
11/8/2017 | 9:23:52 AM
Organizations don't take security seriously
"Businesses weren't taking them seriously." To me, this is the money line.  But it's not the professionals, it's the security that the businesses aren't taking seriously.  InfoSec professionals are burning out because companies won't actually accept the risks they face and the organizational will to mitigate those risks.